[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

E Frank Ball frankb at frankb.us
Mon Oct 4 17:54:41 PDT 2004


On Mon, Oct 04, 2004 at 05:03:53PM -0700, Dave Sisley wrote:
} > If possible in sshd_config:
} > 
} > # To disable tunneled clear text passwords, change to no here!
} > PasswordAuthentication no
} > 
} > This will only allow logins using a ssh key pair, and is much more
} > secure than using passwords. 
} 
} Correct me if I'm wrong, but this has to be set up in advance between
} the 2 machines, right?  In other words, it would preclude me from
} logging into my home machine from my friend's house unless I've
} generated a key on his machine and told my home machine to watch for
} it.


If I'm using my laptop it has my sshkey.
Or carry a floppy or USB memory with your ssh key.


} > Also restrict who can login from where:
} > 
} > AllowUsers user1@192.168.1.*, user1@192.25.*, root@192.168.1.*
} > 
} > This is much more specific than you can do in hosts.allow.
} > If you only login from the JC you can restrict it to their subnets.
}  
} 
} I'm a bit confused by the syntax, though. I'm assuming that 'user1' is
} the user name on the remote machine into which I want to log?  and the
} partial IP address - is that also the remote machine? or the machine
} from which I am calling? (Forgive me if that makes no sense - when I
} get a minute, I will also try reading the man page...).


user1 is the username you are logging in as on your home machine (I
think, I'm usually using the same name at both ends).  The IP address is
the remote machine's IP address.

192.25.* is Agilent's outgoing ssh proxy so that I can ssh in from work.


} > Also you can run ssh on a non-standard port number.  I do and nobody
} > seems to have found it yet.  This isn't an excuse to skip the above
} > steps or keeping ssh up to date, it's a layer of obscurity on top of all
} > the normal security.
}  
} 
} This too might be a good idea, but wouldn't a port sniffer like nmap
} find the obscure port easily?


nmap can find an open port, but I don't know that it will
tell you what it is, it just looks up the names in /etc/services.

99.99% of people look for ssh on port 22 and don't bother checking
anywhere else.  It will get more results faster to scan port 22 on
10,000 machines than to scan 10,000 ports on one machine looking for
ssh.  Pick a number that is unassigned and it's unlikely anybody will
ever check it.

-- 

   E Frank Ball                frankb at frankb.us
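The AllowUsers semantics Dave asks about, worked through as an added example (not code from the thread or from OpenSSH): USER is the account on the machine you are logging into, HOST is matched against the client's source address, and once AllowUsers is set anything that matches no pattern is refused. The patterns, the source addresses and the attempts below are constructed from the thread's line; note that real sshd_config separates patterns with spaces, not commas.

```python
"""Simplified model of sshd(8) AllowUsers matching (example code, not OpenSSH's).

Each pattern is USER or USER@HOST.  '*' and '?' wildcards work as in
sshd_config(5).  HOST here is only checked against the source IP; real sshd
also tries the reverse-resolved hostname and accepts CIDR (addr/masklen).
"""
from fnmatch import fnmatchcase

# Constructed: the thread's AllowUsers line, written with sshd's real separator.
CONFIG_LINE = "AllowUsers user1@192.168.1.* user1@192.25.* root@192.168.1.*"


def parse_allow_users(line: str) -> list[str]:
    """Split an sshd_config AllowUsers line into its whitespace-separated patterns."""
    keyword, *patterns = line.split()
    if keyword.lower() != "allowusers":          # sshd keywords are case-insensitive
        raise ValueError(f"not an AllowUsers line: {line!r}")
    return patterns


ALLOW_USERS = parse_allow_users(CONFIG_LINE)


def pattern_matches(pattern: str, user: str, source_ip: str) -> bool:
    """True if one pattern admits `user` (the account on the server) from `source_ip`."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
    else:
        user_pat, host_pat = pattern, "*"        # bare USER: any source address
    return fnmatchcase(user, user_pat) and fnmatchcase(source_ip, host_pat)


def login_allowed(user: str, source_ip: str, patterns: list[str] = ALLOW_USERS) -> bool:
    """With AllowUsers set, a login that matches no pattern is refused outright."""
    return any(pattern_matches(p, user, source_ip) for p in patterns)


if __name__ == "__main__":
    # Constructed attempts: home LAN, the work proxy subnet, and a friend's house.
    attempts = [("user1", "192.168.1.5"), ("user1", "192.25.7.8"),
                ("root", "192.25.7.8"), ("user1", "10.0.0.1"),
                ("user1", "192.168.10.5")]        # 192.168.10.x must NOT match 192.168.1.*
    for user, ip in attempts:
        verdict = "allowed" if login_allowed(user, ip) else "refused"
        print(f"{user}@{ip}: {verdict}")
```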
