Now that SSH is mentioned, change the port away from the standard 22 to something non-standard, somewhere beyond 10000 for example. Stops your server getting blasted with login attempts. And helps Fail2Ban by not having to deal with it.
@TomBoB

Again, this is an idea - but the idea is flawed in many ways.

First of all, just using a high port number is not a solution - it can even become a problem, since the higher port numbers are often used for different purposes.

Second and in general, using a different port number might be effective from a perspective that only looks at the port that is attacked most - a script kiddie would indeed use the default SSH port, but any advanced hacker will do a port scan and target the effective port used by SSH: so, a different port number does not resolve anything.

A small note: most people with other than default SSH ports often tend to forget to restructure the entire system, leading to a situation in which the system is still insecure - for instance, when changing the SSH port, one still has to change the Fail2Ban (and many other) settings (and forgetting to do so would imply that the sysadmin is being "blind" for any hack attempt, which is even worse than the situation in which one uses default ports).

Third, there are many options to make SSH more secure, from very simple and basic to more advanced, like port knocking.

Nevertheless, anything different than default SSH settings is quite a fuss, if
- one considers the fact that it is not always about (secure) SSH settings, but more about (secure) access to SSH,
- specific basic access restrictions are just as good or even better than complex options to secure SSH,
- specific changes in SSH settings or settings to access SSH make the sysadmin effectively "blind" for what actually happens in the system,
- specific changes in SSH settings should also be reflected in many other settings within the system,
- and so on
and all of the above is simply the equivalent of saying "the more complex the solution, the more the sysadmin has to change and maintain on the entire system".

Simply stated, improvements in SSH are not a stand-alone improvement: they should be accompanied by other improvements in settings and config.

Fourth and a bit explanatory of the term "blind" used before, any hack attempt on SSH should be visible, but not successful.

Increasing the level of SSH security by fiddling with SSH or SSH related settings is not always the best idea: one should want to know the basic information - such as the offending IP - in order to take appropriate action on all levels - such as blocking the IP for access to the FTP server, database server and so on.

Really, SSH access obtained by a hacker is not the biggest nightmare of a sysadmin - it is only one of the many big nightmares.

Fifth and in conclusion, I would recommend to
- block all traffic to SSH port(s), with the exception of traffic originating from the IPs of the sysadmin(s), (and)
- if possible, use SSH keys
and that is a clean, simple and very effective solution, involving a small amount of work and maintenance.

Sure, that is a recommendation for the case that a sysadmin manages one or a couple of servers - in all other cases I would recommend something different.

Anyway, I hope the above helps a bit...

Regards...
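Not part of the thread: an added shell example of the reply's two practical points, checking that a moved SSH port is also reflected in Fail2Ban's sshd jail (so the sysadmin is not left "blind"), and restricting the SSH port to the sysadmin's own IPs. The file contents, port 2222 and the 203.0.113.x addresses are constructed sample values; the `[sshd]` section and `port =` key follow Fail2Ban's usual jail.local layout.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the reply's points:
# (1) check that the port sshd listens on is the one Fail2Ban's [sshd] jail
#     watches, so a moved port does not leave the admin "blind";
# (2) generate iptables rules that admit SSH only from the admin IPs.
# File contents, port 2222 and the IPs below are constructed sample values.

# Effective "Port" from an sshd_config-style file; sshd defaults to 22.
sshd_port() {
    p=$(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# "port =" value in the [sshd] section of a jail.local-style file.
# Fail2Ban's default is the service name "ssh", which resolves to 22.
jail_port() {
    p=$(awk '/^\[/ { s = ($0 == "[sshd]") }
             s && /^[ \t]*port[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1")
    case "$p" in ""|ssh) echo 22 ;; *) echo "$p" ;; esac
}

# Prints "ok ..." and returns 0 when both agree, "MISMATCH ..." and 1 otherwise.
check_ports() {
    s=$(sshd_port "$1"); j=$(jail_port "$2")
    if [ "$s" = "$j" ]; then echo "ok: sshd and fail2ban agree on port $s"; return 0; fi
    echo "MISMATCH: sshd listens on $s but the fail2ban [sshd] jail watches $j"; return 1
}

# iptables rules allowing TCP port $1 only from the admin IPs that follow,
# dropping everyone else. Rules are printed for review, not applied.
allow_rules() {
    port=$1; shift
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample configs: sshd moved to 2222, jail still on the default.
SSHD_CFG=$(mktemp); JAIL_CFG=$(mktemp)
trap 'rm -f "$SSHD_CFG" "$JAIL_CFG"' EXIT
printf '%s\n' '# Port 22' 'Port 2222' 'PasswordAuthentication no' > "$SSHD_CFG"
printf '%s\n' '[DEFAULT]' 'bantime = 1h' '' '[sshd]' 'enabled = true' 'port = ssh' > "$JAIL_CFG"

check_ports "$SSHD_CFG" "$JAIL_CFG" || :   # the sample is deliberately inconsistent
allow_rules 2222 203.0.113.10 203.0.113.11
```

Run the same check against the live /etc/ssh/sshd_config and /etc/fail2ban/jail.local after every port change; a mismatch means Fail2Ban is watching a port nobody attacks.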