OT (way ot, port numbers, security, and other things)
Alex Neuman van der Hans
alex at nkpanama.com
Wed Apr 12 17:02:55 IST 2006
Matt Kettler wrote:
> Since the hand-scanning folks will find your SSH port quickly, you've gained
> nothing in security. These are the most dangerous sorts anyway, so in terms of
> security you've failed to provide any defense against the more important case.
> However, you will have picked up a non-security related benefit: Bandwidth and
> CPU savings.
>
> The worm won't find your SSH port. It is trying to spread fast, so it's going to
> focus on the well-known port. Thus you won't be wasting CPU and network
> bandwidth answering the thousands of connection requests generated by worms.
>
> There are some instances where moving a port can provide some benefit. But do be
> realistic about it, and don't ever fool yourself into thinking this improves
> security at your site. BB is right. It doesn't, and it will only take a decent
> attacker a few seconds to figure out.
>
> You also gain a forensic benefit. By forcing the attacker to do a broad
> port-scan, you are making their presence much easier to log on your IDS.
>
> But neither of these will help you if your SSH isn't patched for our fictitious
> vulnerability. The attacker will find it and root your box in short order.
>
>
I've been hammered by so many scripts I make it mandatory for all my
clients to change the SSH port to something else. There's absolutely *no
need* for it to be the standard, and although, as Matt clearly stated,
there is absolutely *no* additional security gained by doing so, it's
kept a lot of the worms/script kiddies out of our collective hair for
some time.

There's that, and changing standard ports for other administrative
services like Webmin on 10000, which also helps. Adding firewall rules to
only allow from certain trusted IP addresses or "only listening to local
interfaces" so that you *must* start a VPN connection first are also
other steps you can take.
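
The forensic point quoted above (a moved port forces a broad scan, which is easy to log) can be checked against firewall logs. The following is an added example, not part of the original message: it separates sources that only knock on port 22 from sources that sweep many ports and reach the relocated SSH port. The relocated port 2222, the threshold of 5 distinct ports, the log format and all addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

SSH_PORT = 2222        # assumed relocated sshd port (hypothetical)
DEFAULT_PORT = 22      # well-known port; nothing listens here any more
SCAN_THRESHOLD = 5     # distinct ports from one source that we call a scan

def _line(src, dpt):
    # Constructed sample in iptables LOG style; addresses are documentation ranges.
    return (f"Apr 12 17:00:01 gw kernel: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt} SYN")

SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", 22)] * 3                                        # worm-like noise
    + [_line("203.0.113.9", p) for p in (21, 22, 23, 25, 80, 443, 2222)]   # hand scanner
    + [_line("198.51.100.200", 2222)]                                      # direct connection
)

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def ports_by_source(log_text):
    """Map each source address to the set of TCP destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines that are not TCP firewall records are skipped
            seen[m.group("src")].add(int(m.group("dpt")))
    return seen

def classify(log_text):
    """Label each source by how it approached the host."""
    verdicts = {}
    for src, ports in ports_by_source(log_text).items():
        if len(ports) >= SCAN_THRESHOLD:
            # The sweep itself is the signal, whether or not it reached sshd.
            verdicts[src] = "broad-scan-found-ssh" if SSH_PORT in ports else "broad-scan"
        elif ports == {DEFAULT_PORT}:
            verdicts[src] = "default-port-only"
        else:
            verdicts[src] = "other"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(src, verdict)
```

A "broad-scan-found-ssh" verdict marks the case the thread calls the important one: the port move did not stop that source, it only made the approach visible.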