On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> Hi, everyone. Linked below is a list of relays that were live last night along with the SSH authentication methods they support:
> [snip]
> Generally, it is far more secure to allow only public key auth.
This is great advice, and thanks for doing this scan! But I have one question about another piece of advice:
> - SSH being served on a non-standard port - something other than port
> - This is a good idea, as many brute-force attackers will only
> bother trying port 22.
I don't understand why, for a system that has gotten any security review at all, moving ssh to another port is "a good idea".
If your ssh config is secure against password brute forcing, then it simply doesn't matter that botnets are crashing against the gate, and "change your port" or "run fail2ban" seem pointless. The only difference is the amount of logspew that is generated.
If your ssh config is insecure (PasswordAuthentication Yes and you have a bruteforceable password) then moving to another port, or running fail2ban, does not help the situation much against any determined attacker; the real attackers have millions of compromised hosts to bruteforce from (or entire ASes to spoof from), and if your config is sufficiently insecure that root/b4mb1 is going to work, you're not likely to install fail2ban *either*.
So for my systems, I set passwords to be [a-zA-Z0-9]{10} from urandom, and I generally (but not always) turn off PasswordAuthentication, and I keep sshd up-to-date, but I don't change from port 22 nor do I ever run fail2ban.
-andy
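An added example, not code from this thread or its authors: it checks the sshd_config settings the message argues actually matter (rather than the port) and puts a number on the [a-zA-Z0-9]{10} password scheme. The sample config is constructed; the parser assumes sshd_config(5) semantics (first occurrence of a keyword wins, keywords are case-insensitive, and directives after a Match line are not global).

```python
"""Audit the sshd settings that decide whether password brute force can
work at all, then estimate the guess space of a random alphanumeric password."""
import math
import secrets
import string

# Hardened values a defender wants; values a stock sshd assumes when the
# keyword is absent from the file (per sshd_config(5)).
WANTED = {"passwordauthentication": "no", "pubkeyauthentication": "yes",
          "permitrootlogin": "no", "permitemptypasswords": "no"}
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password", "permitemptypasswords": "no"}

def parse_sshd_config(text):
    """Return the effective global keyword -> value map (first match wins)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":                            # rest is conditional, not global
            break
        effective.setdefault(key, value)              # sshd ignores later duplicates
    return effective

def audit(text):
    """List (keyword, effective value, wanted value) for each weak setting."""
    eff = parse_sshd_config(text)
    return [(k, eff.get(k, DEFAULTS[k]), w)
            for k, w in WANTED.items() if eff.get(k, DEFAULTS[k]) != w]

def random_password(length=10, alphabet=string.ascii_letters + string.digits):
    """The [a-zA-Z0-9]{10} scheme from the thread, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def guess_space_bits(length=10, alphabet_size=62):
    """Bits of entropy in a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)

SAMPLE_CONFIG = """\
# constructed sample sshd_config: moved port, but passwords still accepted
Port 2222
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no   # ignored by sshd: first occurrence wins
"""
```

Running `audit(SAMPLE_CONFIG)` flags PasswordAuthentication and PermitRootLogin despite the non-standard port; `guess_space_bits()` gives about 59.5 bits for the ten-character scheme.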