by spindritf 4638 days ago
> If you want to keep log sizes manageable, adjust your logging levels.

Changing the port is a really good and simple fix. If you also drop packets to closed ports instead of rejecting them, you slow the scan down enough that only a targeted attack is likely to find your ssh port.

All that with no performance penalties, no cumbersome configuration, no experimental software, with one change to one config file. I say do it.


I'm not a fan of changing the SSH port, but at least I get what that buys you.
Changing port is the wrong solution to large log files. This seems obvious to me, but maybe I can put forward another drawback of changing the port number: It is confusing.

I mean, you could easily stop using the DNS and use raw IP addresses for everything - this should cut down on your attacks and maybe even spam, right? Nobody does this because it is insanely inconvenient, and ignores the solution to this inconvenience which DNS is. Standardized port numbers exist for many reasons - do not abandon them and create complexity for your fellows merely for your personal convenience.

> I mean, you could easily stop using the DNS and use raw IP addresses for everything - this should cut down on your attacks and maybe even spam, right?

No, it wouldn't. But you do have a point. And most sysadmins don't let just anyone axfr their zone.

Like changing the port, it's not a security measure and it will inconvenience someone every once in a while. Still, I don't need to advertise every host I run.

Same with using a PO box or your provider's info for whois. It's not going to deter anyone determined but it cuts down on some casual annoyances.

EDIT: Also, setting the port

    Host *.whatever.net
        IdentityFile ~/.ssh/whatever
        ServerAliveInterval 10
        Port 17022

in ssh config costs you nothing, one more line in a config you'd have to write anyway.

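Added example, not from any of the commenters: the server side of what the thread describes, i.e. a firewall that drops (rather than rejects) packets to everything except the chosen SSH port, plus a small parser that reads the Port back out of a client ssh_config block like the one above. It assumes nftables and the port 17022 used in the thread; the function names are my own.

```shell
#!/bin/sh
# Render an nftables ruleset with a DROP policy on input. A closed port that
# drops makes a scanner wait for its timeout on each probe instead of getting
# an immediate RST/ICMP reject, which is what slows untargeted scans down.
# Only established traffic, loopback, and new connections to the SSH port pass.
render_nft_ruleset() {
    port="$1"
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport $port ct state new accept
    }
}
EOF
}

# Read the Port for one Host pattern out of an ssh_config-style file.
# ssh_config keywords are case-insensitive, so both 'port' and 'Port' match.
# Prints the first Port inside the matching Host block, nothing if absent.
ssh_config_port() {
    file="$1"
    want="$2"
    awk -v want="$want" '
        tolower($1) == "host" { in_block = ($2 == want); next }
        in_block && tolower($1) == "port" { print $2; exit }
    ' "$file"
}

# Sanity check for a non-privileged, in-range port before writing it anywhere.
valid_alt_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Typical use (constructed): render the ruleset for the port the client config
# already points at, so server and client stay in agreement.
#   p=$(ssh_config_port ~/.ssh/config '*.whatever.net')
#   valid_alt_port "$p" && render_nft_ruleset "$p" | nft -f -
```

Keeping the port in one place (the client config) and deriving the firewall rule from it avoids the mismatch that usually bites people who change the port on one side and forget the other; the sshd_config `Port` line still has to be set by hand to the same value.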
> it's not a security measure and it will inconvenience someone every once in a while

So why do it? And port knocking will inconvenience every user, all the time.

> setting the port in ssh config costs you nothing

It costs complexity for all users of the system. This includes you, all other people using it, all servers and their services wanting SSH access, etc. Standards are a good thing.