It would be really nice to be able to validate the remote MAC address as well. It's just a shame that information is only transmitted on a local network.

Now, what I am surprised wasn’t mentioned in the article was… don’t use password logins? But Passphrase protected RSA public keys! Carry them with you on your USB stick if you must, too.

In the real world, you will almost never get scanned on every port. Which would you rather do as an attacker, scan 65000 machines on port 22, or scan one host on 65000 ports?

If your goal is top stop annoying brute force scans and 0day attacks, changing the ssh port is the single most effective thing you could do. If your goal is to stop specific directed attacks, then you sure as hell should be employing EVERY single method you can think of.

Disabling password auth and some other methods aren’t going to help you if there is a 0day vulnerability. Changing the port will.

Personally, I only allow ssh conections from trusted networks. When that isn’t possible, I run ssh on a random port.

First, check the logs. Nothing is more informative. Keeping SSH on the default port allows script kiddies across the planet chances to control your box. As such, everything is in the logs.

Second, recognize that 99% of attacks on SSH are automated. There is no human pilot behind these attacks. They are scripts running on zombie machines. And, these attacks are looking at the default port for SSH. Nothing more.

Third, realize that changing your port GREATLY REDUCES the attacks. Check the logs for verification after the change. Notice a difference? It’s because the attacks are no longer effective, as they are still working on your de

As such, even though crackers have tools to scan ports, and find the port you are using for SSH access, the fact of the matter is, it’s just not happening. As such, you have just increased the security of your server my moving the port number.

It’s not a false sense of security at all. Sit on port 22, and take the attacks, or move the port, and reduce the number of attacks 99.99%. The ball is in your court.

Someone on planet Debian wrote a response to this post that is very noteworthy…
http://blog.drinsama.de/erich/en/linux/2007021502-false-sense-of-security

Couldn’t agree with it more.

Changing the port, by contrast, does nothing to increase security. As someone already pointed out, an attacker can very quickly find SSH on whatever port you’re using with nmap -sV.

I do recommend eliminating password authentication for SSH. If you need to secure a machine and allow SSH access, require public key authentication. You may also want to run some system like DenyHosts to block access after some number of failed login attempts. (DenyHosts works by adding the offending IP address to /etc/hosts.deny. I prefer to add it to a “banned” table in pf, but either method can be effective.)