Securing SSH access
lists at kittypee.com
Tue Apr 22 14:55:28 MDT 2008
On Tue, 2008-04-22 at 11:55 -0600, Steve Morrey wrote:
> Or just set it to something way off in the boonies but be consistent
> For instance almost all of my servers have SSH at 2774 which if you
> look at
> it on a phone turns out to be 2SSH or my secondary SSH port. How hard
> is it
> to type ssh myserver.com -luser -p2774
> For the extra bonus of rarely (or never) seeing a dictionary attack I
> the extra 6 keystrokes are totally worth it. But you do have to use
> something you can remember and use it consistently
First of all, I see tons of extra keystrokes in there.
Most of the time I just type "ssh server". That's it, username is the
same everywhere, and the port is always the default. It would take an
additional *7* characters to change the port " -p2774", don't forget
that space, it still counts. Also compare the 7 extra characters in
relation to the total command. "ssh server" 10 chars vs. "ssh server -p
2774" 17 chars. Almost a 60% increase in the length of the command. To
me, 60% is *not* negligible.
Also consider the number of times a day I actually run ssh, about 30-60
times a day on average. It is a big deal.
So I see two options to reduce the work to a one time operation:
1. setup my ~/.ssh/config file for all possible contingencies
2. Secure my public ssh servers very carefully.
I'll leave it on port 22, and just practice good security.
More information about the PLUG