Security by obscurity eliminates all (100%) of these automated scans and automated attacks. So, having SSH on port 63023 (for example) and seeing probes, you can be 100% sure that someone has SPECIFIC interest in your site, and so you can spend time and investigate what he is looking for (by, for example, allowing him to break into a sandbox). It is impossible with port 22, because 99.9% of these _attempts_ will be just _blind search attempts_, so you will not be able to concentrate on _really dangerous_ specific interest in your site (because if I want to break into your site, and if I am serious, then it is only a matter of time before I succeed - for example, I can use insiders, janitors, faked messages etc... so it is quite important to see such attacks from the beginning, in a clear field, and to prevent them by non-technical methods in addition to technical ones). It is like a 'NO TRESPASSING' sign on your private road - having this sign, you can be (relatively) sure that if you see an intruder, he is (1) a burglar, (2) someone who is lost in space and wants to ask _where am I_, (3) a FedEx delivery guy, but not just _someone strolling around without any goal_. It is a first-line selection, which is quite important because it decreases the number of events thousands of times. Of course, this is only a SIGN. Add a good fence, rifle etc. (castle, water channel, drawbridge, knights -:)) if you have something which bad guys are interested in. But post NO TRESPASSING first of all.

----- Original Message -----
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Alexei Roudnev" <alex@relcom.net>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>; <nanog@nanog.org>
Sent: Saturday, November 19, 2005 7:02 PM
Subject: Re: a record?

On 11/20/05, Alexei Roudnev <alex@relcom.net> wrote:
Another approach exists as well - SecurID on the firewall. Log in to the firewall, authenticate, and have a dynamic access list which opens ssh for you (and still keep ssh on port != 22).
Or VPN in, or set up a tunnel of some sort. Have ssh available over the tunneled interface. Yup, lots of options available. Though, if you have a secure ssh and reasonable control of your passwords it is probably safe to leave it at port 22 rather than resorting to security by obscurity measures like running it on a higher number port or (as at least one webhost does) running it on 443, with some kind of shim listening on that port, intercepting requests to it and redirecting them to apache or sshd as appropriate.
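The triage the thread describes (blind scans on port 22 are noise, anything that reaches the real, non-standard ssh port is worth a look, and addresses that arrive through the VPN/tunnel or dynamic access list are expected) can be scripted over firewall logs. The following is an added example, not code from either poster or from any NANOG project: it assumes iptables-style LOG lines (constructed here, not real traffic), sshd on port 63023 as in Alexei's example, nothing listening on 22, and a caller-supplied set of trusted tunnel or firewall-login addresses. Only the log format and port numbers are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumptions for this example: sshd really listens on 63023 and port 22 is a
# closed decoy, so any SYN to 22 is blind scanning and any SYN to 63023 from an
# address we do not expect is specific interest in this host.
SSH_PORT = 63023
DECOY_PORTS = {22}

# Constructed iptables LOG lines (documentation addresses from RFC 5737).
SAMPLE_LOG = """\
Nov 19 18:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41022 DPT=22 SYN
Nov 19 18:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=41023 DPT=22 SYN
Nov 19 18:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.5 PROTO=TCP SPT=41024 DPT=22 SYN
Nov 19 18:02:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41100 DPT=80 SYN
Nov 19 18:05:44 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=50001 DPT=63023 SYN
Nov 19 18:05:45 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=50002 DPT=63023 SYN
Nov 19 18:06:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=50003 DPT=443 SYN
Nov 19 18:07:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 PROTO=TCP SPT=60000 DPT=63023 SYN
"""

# Pull source address, protocol and destination port out of one LOG line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, proto, dpt) for a firewall LOG line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["proto"], int(m["dpt"])


def triage(log_text, ssh_port=SSH_PORT, decoy_ports=DECOY_PORTS, trusted=frozenset()):
    """Split firewall hits into blind noise and specific interest.

    noise    : source -> number of SYNs to the decoy port(s); bulk scanning,
               safe to count and discard.
    targeted : source -> sorted list of every port that source touched, for
               sources that reached the real ssh port and are not in the
               trusted set (VPN endpoints, addresses opened by the dynamic ACL).
    """
    noise = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dpt = parsed
        if proto != "TCP":
            continue
        ports_by_src[src].add(dpt)
        if dpt in decoy_ports:
            noise[src] += 1
    targeted = {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if ssh_port in ports and src not in trusted
    }
    return dict(noise), targeted


if __name__ == "__main__":
    # 198.51.100.200 stands in for an address that came in over the tunnel.
    noise, targeted = triage(SAMPLE_LOG, trusted={"198.51.100.200"})
    print("blind scans on decoy port:", sum(noise.values()), "from", len(noise), "sources")
    for src, ports in targeted.items():
        print("specific interest:", src, "touched ports", ports)
```

The point of returning the full port list for each flagged source is Alexei's "what is he looking for" question: a source that found 63023 and also tried 443 tells you more than a bare hit count, and the trusted set is where Suresh's tunnel or firewall-login addresses go so they never show up as suspects.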