[Ach] Feedback to applied-crypto-hardening.pdf - Webservers - OpenSSH

Aaron Zauner azet at azet.org
Fri Dec 22 16:38:31 CET 2017

> On 22 Dec 2017, at 13:32, Sebastian <sebix at sebix.at> wrote:
> On 12/22/2017 01:02 PM, Alice Wonder wrote:
>> On 12/22/2017 03:57 AM, Torge Riedel wrote:
>>> Maybe there is one hint to offer in the guide: Change the port of sshd
>>> to somewhat else than 22. I observed massive reduction of sshd attacks
>>> on my servers after changing the port.
>> Indeed, that's fairly standard. Wasn't aware it wasn't in the guide.
> Because it's not cryptography.


This discussion regularly comes up in GitHub PRs as well. If you use passwords so weak that there is a real possibility that it can be bruteforced, you should review your password policy, probably switch to using only keys et cetera. If you don't care for a lot of entries in your logfiles on possible attackers (I think that's potentially valuable doing e.g. forensics on a machine) you can use simple filters, fail2ban or other tools. There's no real security in changing the ssh standard port. Most attackers that scan also scan ports that are regularly used as alternatives '222..'

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20171222/9ab75cb3/attachment.sig>

More information about the Ach mailing list