
Personally I am so paranoid with SSH that I don't run it on the default port.

That alone allows you to avoid most attackers trying to guess valid server IPs.

Now to put a honey pot on port 22.

Oh yes, the first thing I do is change the SSH port; it eliminates 99,99% of the auth attacks.

Damn. Why didn't I ever think of that? I'm doing that tomorrow.

Remove root login over SSH and disable password logins and you are good to go. If you want to get fancy, Google for SSH port knocking.

disable password logins

I can't emphasize this one enough. Unless you need to log in from a lot of different machines, there really isn't any excuse not to do this. It also has the bonus of making logins really easy since you don't have to type a password.

If you host your systems on a VPS service like Linode or Slicehost then you have the backup of a web-based console in case you screw up royally and have a HD crash on the one machine your SSH key was on (for example).

Heh, port knocking looks cool, might do that just for the heck of it on a server that only I use.

Also, yes, along with changing the port, the only way that should be possible to get in is through keys.
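
The three settings named in the thread (non-default port, no root login, no password logins), as an added example that is not part of any comment above: a small Python audit of `sshd_config` text. The sample config and function names are constructed for illustration, and the defaults assume stock OpenSSH.

```python
# Assumed stock OpenSSH defaults for unset keywords; distributions may differ.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed sample config (not taken from any real host).
SAMPLE_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
# The next line is ignored: sshd keeps the first value it reads per keyword.
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def parse(text):
    """Return (ports, global_settings, match_overrides) from sshd_config text."""
    ports, settings, overrides, match = [], {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if key == "match":
            match = value                      # everything after this is conditional
        elif match is not None:
            overrides.append((match, key, value))
        elif key == "port":
            ports.append(value)                # Port may legitimately repeat
        else:
            settings.setdefault(key, value)    # first value wins
    return ports or ["22"], settings, overrides

def audit(text):
    ports, settings, overrides = parse(text)
    eff = {**DEFAULTS, **settings}
    findings = []
    if "22" in ports:
        findings.append("sshd listens on default port 22")
    if eff["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin is {eff['permitrootlogin']}")
    if eff["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled globally")
    for cond, key, value in overrides:
        if key == "passwordauthentication" and value.lower() == "yes":
            findings.append(f"Match {cond} re-enables PasswordAuthentication")
    return findings
```

The audit does not follow `Include` files or ports given through `ListenAddress`; on a real host, `sshd -T` prints the effective configuration.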
