On Tue, Jul 22, 2008 at 10:16:44AM -0500, David Dyer-Bennet wrote:
> On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:
>
> > By changing the ports on all our servers to a high (above 1024) port, we
> > have eliminated SSH scans altogether - been running like that for a few
> > years now without any problems.
> .....
>
> On the other hand, why are people so worried about SSH scans?  I'm worried
> about who actually gets in, not who connects to the port.  Strong password
> quality enforcement, or maybe requiring public-key authentication, seem
> like a more useful response.

For me it is signal to noise ratio.
The longer the password file (valid users), the longer the list
of connections and corresponding events (good and bad) that needs
to be watched.

Switching to another port with a large user community requires
that the entire community be informed, configured and supported.

I like 'denyhosts' as a tool to limit these attacks; other good solutions
also exist.  Most distros now have 'denyhosts' as a prebuilt RPM,
which is a plus IMO (+).

As others remarked, disable root logins.  Manage the 'su, sudo' list
with care and populate the illegal user list aggressively based on the
attack list observed in the logs.  Users with su, sudo privilege
should be limited to those that use ssh key login and understand what
a strong password is.

Later,
mitch

(+) A prebuilt RPM does present the issue that any flaw in the prebuilt
can be widely exploited.  As such, updates should be watched for, tested
and deployed promptly.

--
T o m   M i t c h e l l
Looking for a place to hang my hat :-(
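Added example (not part of the thread above, and not denyhosts' own code): a small log reducer that does, on constructed sshd syslog lines, what mitch describes doing by hand. It counts failed password attempts per source address, collects the usernames scanners guessed that do not exist on the box, tracks failed root logins, and applies a denyhosts-style threshold to produce candidate /etc/hosts.deny lines. The log lines and addresses (RFC 5737 documentation ranges) are constructed for the example; the threshold of 3 is an assumption, not a denyhosts default.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd syslog lines (not from the original thread).
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 22 10:16:44 bastion sshd[4101]: Invalid user admin from 203.0.113.5
Jul 22 10:16:44 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul 22 10:16:46 bastion sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Jul 22 10:16:48 bastion sshd[4105]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jul 22 10:16:51 bastion sshd[4107]: Failed password for root from 203.0.113.5 port 40150 ssh2
Jul 22 10:17:02 bastion sshd[4110]: Failed password for invalid user test from 198.51.100.7 port 51020 ssh2
Jul 22 10:17:30 bastion sshd[4120]: Accepted publickey for mitch from 192.0.2.10 port 50012 ssh2
Jul 22 10:18:05 bastion sshd[4130]: Failed password for mitch from 192.0.2.10 port 50040 ssh2
Jul 22 10:18:09 bastion sshd[4131]: Accepted password for mitch from 192.0.2.10 port 50041 ssh2
"""

# sshd's own wording for a failed password attempt; "invalid user " is present
# only when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def summarize(log_text):
    """Reduce sshd log lines to the few counters worth watching."""
    failures = Counter()          # source ip -> failed password attempts
    invalid_users = Counter()     # guessed username that does not exist -> count
    root_attempts = Counter()     # source ip -> failed root logins
    accepted = defaultdict(list)  # source ip -> [(user, auth method)]
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            if m["invalid"]:
                invalid_users[m["user"]] += 1
            if m["user"] == "root":
                root_attempts[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].append((m["user"], m["method"]))
    return failures, invalid_users, root_attempts, accepted


def deny_candidates(failures, threshold=3):
    """Hosts at or above `threshold` failed attempts (threshold is an assumed value)."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def hosts_deny_lines(ips):
    """TCP-wrappers syntax as written to /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in ips]


def guessed_user_list(invalid_users):
    """Usernames scanners tried: review candidates for an 'illegal user' list."""
    return sorted(invalid_users)


if __name__ == "__main__":
    fails, bad_users, root_fails, ok = summarize(SAMPLE_LOG)
    print("failed attempts per source:", dict(fails))
    print("failed root logins per source:", dict(root_fails))
    print("usernames guessed that do not exist:", guessed_user_list(bad_users))
    print("hosts.deny candidates:")
    for entry in hosts_deny_lines(deny_candidates(fails)):
        print("  ", entry)
    print("successful logins:", dict(ok))
```

Note how the threshold keeps the signal separate from the noise mitch is worried about: 192.0.2.10 has one failed attempt followed by a successful key login, so it never reaches the deny list, while 203.0.113.5 does. The guessed-username list is for review rather than direct use, since sshd's DenyUsers only affects accounts that actually exist; names that do not exist already fail, and the useful follow-up is checking whether any guessed name matches a real account.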