[CentOS] google cloud compute with PEM file
billings at negate.org
Wed May 18 17:02:13 UTC 2016
On Wed, May 18, 2016 at 03:25:11AM +0100, Always Learning wrote:
> On Tue, 2016-05-17 at 20:12 -0400, Jonathan Billings wrote:
> > If you’re going to change the port, change it to something <1024. You don’t want to have sshd running on a port that a non-root user can bind to.
> But if, as I suggested, the enquirer restricts access to that port to
> his own IP, access attempts from other IPs will fail. Ports > 1024 can
> be accessed by authorised non-root users using the authorised
> originating IP whilst preventing access from all other IPs.
That's not the point. If you bind to a port > 1024, then if your
non root account is compromised (or some other non-root account), then
it can start up a trojaned sshd on that port.
As others have said, might as well keep it on port 22, and just block
connections from any network but what you trust. Make sure you
keep your packages up to date and run SELinux enabled.
Jonathan Billings <billings at negate.org>
More information about the CentOS