Edward Ned Harvey wrote:
>> You need sshd on a standard port for your *users* to be able to use it.
>
> I'll partially agree. I wouldn't expect my users to know how to specify a
> port - however - anybody who doesn't know - can easily be helped in advance
> by creating a PuTTY profile or shortcut on the desktop. So there is a
> possible solution there. And also most users that use ssh are techies who
> can handle something like specifying a port in PuTTY.
>
>> Hiding ssh on a strange port doesn't really add much protection.
>
> Totally agreed. The purpose for putting sshd on a nonstandard port is not
> for the sake of protection. It's for the sake of avoiding network or
> processor congestion caused by brute force attacks. When I have port 22
> open to the internet, there have been times where I notice actual slowdown
> on the *local console* because the system is so busy getting hammered.

I'd argue that moving the port causes more pain than it prevents.

$WORK has several such gateways without significant issues, although I would need to talk to the gateway maintainers to find out how they avoid the load from brute force attacks. I can certainly do this if the LOPSA crowd is interested.

The ssh gateways tend to be enough of a pain to support that using nonstandard ports is not considered a useful measure here. We do probably have significant hardware resources in front of the ssh gateways to help them out (because $WORK likes to build hardware ;-).

- Richard

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
