[CentOS] Running SSH on a different port
Ryan Lynch
ryan.b.lynch at gmail.com
Tue Oct 27 14:56:22 UTC 2009
On Mon, Oct 26, 2009 at 23:54, David Suhendrik <david at pnyet.web.id> wrote:
> Need more secure only allow access ssh from intranet or by VPN.
> CMIIW
Not a bad suggestion. It's somewhat more heavyweight and restrictive,
but if you're paranoid enough to worry about 0-day OpenSSH server
exploits, this could help you sleep better at night.
This is an interesting judgement to consider. Personally, I don't
generally consider the extra VPN layer to be a default requirement.
Most VPN clients require admin-level privs, and some kind of
pre-connection setup process (install client software, distribute
certs/keys, etc.), either of which could prevent legit users from
connecting in certain common circumstances, like an Internet cafe or a
borrowed machine.
I think it's good to ask yourself whether the risks really justify the
loss of functionality: If your current security concern is dictionary
bots, I don't think you'd need to bother with a VPN, because the bot
attacks aren't usually probing for unpatched exploits, they're just
guessing common login creds.
(Actually, I could be wrong about that last one--if anyone has
profiled SSH bot traffic recently, I'd be interested in knowing how
much of it [if any] is exploits vs. login guessing.)
-Ryan
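Ryan asks above how much SSH bot traffic is login guessing; a first-cut answer comes from sshd's own auth log. The following is an added example, not code from the original thread: it parses constructed sample log lines, counts failed-password attempts per source address, and flags sources that spread attempts over many usernames, the dictionary-bot signature. The thresholds in `guessing_sources` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format); not real traffic.
SAMPLE_LOG = """\
Oct 27 14:01:02 host sshd[1201]: Invalid user oracle from 203.0.113.5 port 51234
Oct 27 14:01:03 host sshd[1201]: Failed password for invalid user oracle from 203.0.113.5 port 51234 ssh2
Oct 27 14:01:05 host sshd[1203]: Invalid user test from 203.0.113.5 port 51240
Oct 27 14:01:06 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Oct 27 14:01:08 host sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Oct 27 14:01:09 host sshd[1207]: Failed password for admin from 203.0.113.5 port 51250 ssh2
Oct 27 14:05:10 host sshd[1301]: Failed password for ryan from 192.0.2.10 port 40000 ssh2
Oct 27 14:05:15 host sshd[1301]: Accepted publickey for ryan from 192.0.2.10 port 40000 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def profile_failures(log_text):
    """Return {ip: {"attempts": count, "users": set of usernames}} for failed-password events."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["attempts"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)


def guessing_sources(stats, min_attempts=4, min_users=3):
    """Source addresses whose failures span many usernames: credential guessing,
    not one user mistyping a password. Thresholds are assumed, tune to your site."""
    return sorted(
        ip for ip, s in stats.items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    stats = profile_failures(SAMPLE_LOG)
    for ip in guessing_sources(stats):
        print(f"{ip}: {stats[ip]['attempts']} failures across {len(stats[ip]['users'])} usernames")
```

Only the guessing side is measured this way: connections that never reach password authentication produce no "Failed password" line, so this gives a lower bound on bot activity, not a split between guessing and other traffic.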