[CentOS] OT: closing a port on home router

Wed Sep 23 19:27:03 UTC 2015
Paul Heinlein <heinlein at madboa.com>

On Wed, 23 Sep 2015, James B. Byrne wrote:

> Moving the port by itself still opens a functioning connection to 
> the internet on a service that is inherently susceptible to brute 
> force and rainbow attacks.  The 'dangerous' people on the Internet 
> will find this port in a heartbeat and they are far more worrisome 
> than the script-kiddies.  Since you absolutely must build a defence 
> against these opponents anyway then you might as well leave the 
> service on the default port to avoid screwing up legitimate users' 
> expectations.

Without disagreeing with the underlying assessment that SSH should be 
configured securely regardless of the port to which it's bound, my 
empirical findings are that few find the alternate port, and they 
certainly don't do it "in a heartbeat."

In fact, rooting out casual ssh port scans gives you a much better 
sense of who the 'dangerous' people really are. When you see failed 
logins in /var/log/secure, you're less likely to write them off as the 
price of being on the Internet and more likely to see them as a real 
threat.

Legitimate users aren't really an issue. If you give them access, then 
it's easy to tell them they need a stanza in ~/.ssh/config:

Host *.mydomain
   Port NNNN
   [... etc ...]

Again, this isn't a workaround for a sloppy ssh configuration, but I 
do think it has some value.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
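To make the point about reading /var/log/secure concrete, here is an added example (not part of the original message) that triages sshd "Failed password" lines: it counts attempts per source address and separates guesses at accounts that do not exist (the untargeted scanning noise) from failures against real accounts, which are the ones worth treating as a threat. The log lines and the TEST-NET addresses in them are constructed for the example; note that "port NNNNN" in such lines is the client's source port, not the port sshd listens on.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure sshd lines (not real log data).
SAMPLE_LOG='Sep 23 19:01:12 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep 23 19:01:15 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Sep 23 19:01:19 gw sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Sep 23 19:02:40 gw sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Sep 23 19:03:01 gw sshd[2215]: Accepted publickey for paul from 192.0.2.10 port 50000 ssh2
Sep 23 19:03:55 gw sshd[2220]: Failed password for paul from 198.51.100.7 port 40030 ssh2'

# Count failed sshd logins per source address; prints "count ip", busiest first.
# $1: log text (e.g. "$(cat /var/log/secure)" on a real box)
failed_by_source() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
         }
         END { for (ip in c) print c[ip], ip }' |
    sort -rn
}

# Attempts against accounts that do not exist ("invalid user"): a sign of
# untargeted scanning that does not know your usernames.
invalid_user_attempts() {
    printf '%s\n' "$1" | grep -c 'Failed password for invalid user'
}

# Failed attempts against accounts that do exist, as "user count" lines.
# These are the ones that deserve a closer look rather than a shrug.
valid_user_failures() {
    printf '%s\n' "$1" |
    awk '/Failed password for/ && !/invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "for") u[$(i+1)]++
         }
         END { for (user in u) print user, u[user] }' |
    sort
}

# Run with --demo to print the three summaries for the sample log.
if [ "${1:-}" = "--demo" ]; then
    failed_by_source "$SAMPLE_LOG"
    invalid_user_attempts "$SAMPLE_LOG"
    valid_user_failures "$SAMPLE_LOG"
fi
```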