
Ask HN: Would completely disabling SSH be a good idea to make a server secure? - andrewstuart
As a backstop, in case hackers find some vulnerability via some other software on the system.

Maybe if there was no ssh running then they still couldn't access the machine?
======
bifrost
You could, although honestly you'd have to do it inside of a non-user-modifiable
environment. If you were using FreeBSD, you'd set up an SSLVPN to
the parent host IP and have SSH enabled over that. Then you'd put in a
firewall rule on the parent host that denied ssh out from the jail. Then you'd
run your app/etc under a Jail. You could do some of this with securelevels too
but if they ever popped the kernel you've got a bit more "gameover".

------
smacktoward
If they can get root access (which they’d need to modify SSH) via a hole in
some other package, it’s game over whether you have SSH turned on or not; they
could turn it on themselves, or install it if it isn’t installed, or install a
backdoor running over some other protocol instead.
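
An added example, not part of the thread: because an attacker with root can start sshd or some other listener themselves, a host where SSH is meant to be off can be checked by comparing its listening sockets against a baseline. The `ss -H -tlnp` sample, the `ALLOWED` baseline and the process name `updaterd` are constructed for illustration.

```python
import re

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1001,fd=6),("nginx",pid=1000,fd=6))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=900,fd=5))
LISTEN 0 128 [::]:2222 [::]:* users:(("sshd",pid=4410,fd=4))
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("updaterd",pid=5000,fd=3))
LISTEN 0 4096 *:9100 *:*
"""

# Hypothetical baseline for a host where SSH is meant to be disabled:
# (process name, port) pairs that are expected to listen. No sshd entry.
ALLOWED = {("nginx", 443), ("postgres", 5432)}

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Yield (process, pid, address, port) for each listening TCP socket."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = fields[3].rpartition(":")
        procs = PROC_RE.findall(fields[5]) if len(fields) > 5 else []
        # Without root, ss omits the users:(...) column; report it as unknown.
        name, pid = procs[0] if procs else ("unknown", "0")
        yield name, int(pid), addr, int(port)


def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Return every listener that is not in the baseline, sshd included."""
    return [entry for entry in parse_listeners(ss_output)
            if (entry[0], entry[3]) not in allowed]


if __name__ == "__main__":
    for name, pid, addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {name} pid={pid} on {addr}:{port}")
```

Output gathered on the host itself can be altered by whoever holds root there, so the same comparison is more trustworthy when the listener list comes from a scan run on another machine.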

