On Fri, Sep 11, 2015 at 6:51 AM, Stephen Chrzanowski <pontiac76 at gmail.com>
wrote:

> You'd be surprised by what is out there trying to get into your system.
>
> I had port 22 open on my home router to go to a Linux machine so I could
> SSH into my home network from anywhere in the world, even though I rarely
> ever leave the 519 area code.  One day I went to look at my messages log
> file and noted numerous brute force attempts to get into my machine.
> Fortunately, the machine is set up so that you can't SSH in as root, and the
> single login name that has any kind of root capable access is
> intentionally camel cased to thwart name dictionary attacks.  The attacks
> were automated at their end, obviously, but if you have a machine exposed,
> someone is going to have software that will do anything and everything to
> gain access through whatever weakest link you have.
>

I do the same! With two modifications. I don't use port 22. I use an
"ephemeral" port (above 1024) which most attack software doesn't even try.
This is easy to accomplish either by making SSH listen on another port, or
by having the WAN connected router redirect the port from "nnnn" on the
"outside" to port 22 on the "inside". Also, I _only_ use a digital
certificate for SSH. I don't allow use of passwords at all.


-- 

Schrodinger's backup: The condition of any backup is unknown until a
restore is attempted.

Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.

He's about as useful as a wax frying pan.

10 to the 12th power microphones = 1 Megaphone

Maranatha! <><
John McKown
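
An added example, not part of either message: a small check of an sshd_config against the three habits described in this thread (no root login, no password logins, a non-default port). The directive names are real OpenSSH keywords and the defaults are upstream OpenSSH's; the sample configs, port 2222 and the finding tags are constructed for illustration, and Match blocks are deliberately not evaluated.

```python
# Added example; WEAK and HARDENED are constructed sample configs, not from the thread.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
DEFAULTS = {  # upstream OpenSSH values in effect when a keyword is absent
    "port": ["22"],
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

def effective_settings(text):
    """Global settings only: first value wins, Port accumulates, stop at Match."""
    found = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional blocks are out of scope here
        if key == "port":
            found.setdefault("port", []).append(parts[1])
        else:
            found.setdefault(key, parts[1].lower())
    return {k: found.get(k, v) for k, v in DEFAULTS.items()}

def audit(text):
    """Return short finding tags for the habits described in the thread."""
    s = effective_settings(text)
    findings = []
    if "22" in s["port"]:
        findings.append("port-22")          # fine only behind a router redirect
    if s["permitrootlogin"] != "no":
        findings.append("root-login")       # prohibit-password still allows root by key
    if s["passwordauthentication"] != "no":
        findings.append("password-auth")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("kbd-interactive")  # can still prompt for a password via PAM
    return findings

WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

On a live host, `sshd -T` prints the settings the daemon actually resolved, including included files, and is the authoritative source to check.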
