[CentOS] Running SSH on a different port

Tue Oct 27 14:56:22 UTC 2009
Ryan Lynch <ryan.b.lynch at gmail.com>

On Mon, Oct 26, 2009 at 23:54, David Suhendrik <david at pnyet.web.id> wrote:
> Need more secure only allow access ssh from intranet or by VPN.
> CMIIW

Not a bad suggestion. It's somewhat more heavyweight and restrictive,
but if you're paranoid enough to worry about 0-day OpenSSH server
exploits, this could help you sleep better at night.

This is an interesting judgement to consider. Personally, I don't
generally consider the extra VPN layer to be a default requirement.
Most VPNs clients require admin-level privs, and some kind of
pre-connection setup process (install client software, distribute
certs/keys, etc.), either of which could prevent legit users from
connecting in certain common circumstances, like an Internet cafe or a
borrowed machine.

I think it's good to ask yourself whether the risks really justify the
loss of functionality: If your current security concern is dictionary
bots, I don't think you'd need to bother with a VPN, because the bot
attacks aren't usually probing for unpatched exploits, they're just
guessing common login creds.

(Actually, I could be wrong about that last one--if anyone has
profiled SSH bot traffic recently, I'd be interested in knowing how
much of it [if any] is exploits vs. login guessing.)

-Ryan