Owen Densmore wrote circa 10-11-22 09:10 PM:
> I had heard that port scans were *very* fast to occur so it was with
> a LOT of trepidation that I opened port 22, ssh, for use through my
> firewall to my home server.
> [...]
> I disabled ssh password authentication, using public/private keys only. This seems safe, but who knows .. the config file is a bit hard to understand, I used:
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> UsePAM no
I also recommend:
PermitRootLogin forced-commands-only
This will allow you to PKA in as root for explicit things like rsync,
but not a login shell. Of course, if you don't want any root PKA
access, then set it to "no" if it's not already set that way.
> Security experts: is it reasonably safe to open the firewall port 22
> if only key access is allowed?
I'm no expert; but yes, it's reasonable. However, accept the fact that
you'll waste some bandwidth on the scanners. To limit that, I recommend
something like DenyHosts:
http://denyhosts.sourceforge.net/> I know some folks move the port to 24 or some other to obscure the
> port usage, but I didn't see that as important .. but am I wrong, and
> it *is* a good idea to move the ssh port? I believe the 'bots are
> pretty agile.
It is a good idea. It's like locking your car. It won't keep out the
serious criminals; but it keeps out the random people just looking to
rifle through your car to see what they can find. Plus it helps keep
your log (and hosts.deny) files smaller. I have ~700 entries in my
/etc/hosts.deny file. [sigh]
Having said all that, though, I usually don't change the port.
--
glen e. p. ropella, 971-222-9095,
http://tempusdictum.com============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at
http://www.friam.org
Locked
