Always Learning wrote:
>
> On Fri, 2015-02-13 at 09:46 -0500, Lamar Owen wrote:
>
>> On 02/13/2015 09:15 AM, Chris Adams wrote:
>>> Yeah, the old "move stuff to alternate ports" thing is largely a waste
>>> of time and just makes it more difficult for legitimate use. With
>>> large bot networks and tools like zmap, finding services on alternate
>>> ports is not that hard for the "bad guys".
>
>> Having SSH on 22 is lower-hanging fruit than having SSH on a different
>> port. Sure, an NBA all-star will be able to reach the apples at the top
>> of the tree easily, but most people are not NBA all-stars. Most
>> port-scanners do not scan all possible ports.
>>
>> And I am fully aware that people in the 'it's a waste of time' camp are
>> unmoved by that. It's not worth arguing about; those who move to
>> non-standard ports are going to want to do it anyway.
>
> Lamar's comments are very sensible.
>
> I always change the SSH port to something conspicuously different. Every
> server has a different and difficult-to-guess SSH port number, with
> access restricted to a few IP addresses.
<snip>

I disagree - I am in the "waste of time" camp. The reality is that only
script kiddies start out by trying 22 (and I *do* mean script kiddies -
I've seen attempts to ssh in that were obviously from warez, man, where
they were too stupid to fill in ___ with a username, or salt). All the
others, I figure, don't need to be major league, just someone with a
clue who'll run a scan; in fact, I'd expect them to run a scan just to
see what IPs were visible, and I know that if I were writing a scan, I
wouldn't assume that I'm *so* brilliant that I'm the only one to think
of scanning ports < 1k while looking for systems that I might hit.

mark