
How can people not run a restrictive firewall on their externally-accessible boxes? EC2 even has this built in as a network-wide feature. Our production servers run with the following setup:

* block everything from outside internal network

* open port 80 on web server

* open port 22 on all boxes, but only allow key-based authentication. Oh, and only allow connections from an IP whitelist.

The restrictions on port 22 are probably a little overkill, I admit.
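As an added example (not code from the commenter above), the following POSIX shell script generates, without applying, an iptables ruleset and an sshd_config fragment that implement the three bullet points: default-deny inbound, HTTP only on the web role, and SSH reachable only from a whitelist with key-based authentication. The `SSH_PORT` parameter is also the knob the thread argues about below. The role names, the `gen_ruleset`/`gen_sshd_config` helper names and all network addresses (RFC 5737 documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not apply) a default-deny
# iptables ruleset and an sshd_config fragment matching the setup described above:
# everything blocked, port 80 on the web role only, SSH key-only and reachable
# only from an admin whitelist. All addresses used here are constructed placeholders.

# gen_ruleset ROLE ADMIN_CIDRS [SSH_PORT]
#   ROLE        "web" (serves HTTP) or "app" (no public service at all)
#   ADMIN_CIDRS comma-separated source networks allowed to reach SSH
#   SSH_PORT    sshd listening port, default 22
# Output is in iptables-restore format; pipe it into iptables-restore to apply.
gen_ruleset() {
  role=$1
  admins=$2
  ssh_port=${3:-22}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # Only the web role exposes HTTP to the world.
  if [ "$role" = web ]; then
    echo "-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
  fi
  # One ACCEPT per whitelisted admin network. Any other source reaching the
  # SSH port falls through to the INPUT chain policy, which is DROP.
  old_ifs=$IFS
  IFS=,
  for cidr in $admins; do
    echo "-A INPUT -p tcp -s $cidr --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
  done
  IFS=$old_ifs
  echo COMMIT
}

# gen_sshd_config [SSH_PORT]
#   sshd_config fragment enforcing key-based authentication only.
#   ChallengeResponseAuthentication is the older spelling of
#   KbdInteractiveAuthentication; both are set so either sshd generation
#   refuses keyboard-interactive password prompts.
gen_sshd_config() {
  cat <<EOF
Port ${1:-22}
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
EOF
}

# Demo: "sh firewall.sh demo" prints the web-role ruleset and sshd fragment
# for two constructed admin networks.
if [ "${1:-}" = demo ]; then
  gen_ruleset web 203.0.113.0/24,198.51.100.7 22
  gen_sshd_config 22
fi
```

The ruleset deliberately has no explicit rule for unlisted sources on the SSH port: with the chain policy set to DROP, a scanner that is not on the whitelist gets no response at all, and the same DROP policy covers every port that is not explicitly opened. Adding an address to the whitelist is a single `-s CIDR` line, so the list can live in configuration management rather than in someone's memory.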

Restrictions on port 22 are NEVER overkill. In fact, you should run another port entirely.

If you're already using key authentication, that doesn't add much security. A port is just a very short password shared by all users; instead of logging in with "I'd like to log in, please initiate public-key authentication", you now have to log in with "I'd like to log in, the magic number is 2222, and please initiate public-key authentication", which isn't really any more secure.

Call me an engineer, but I don't understand why anyone would dismiss security through obscurity just because it's theoretically useless. If you can reduce the lifetime expected value of successful attacks on your system, it should be considered a win regardless of how you do it. (Of course, relying solely on security through obscurity is a sure-fire way to greatly increase said EV.)

It will deflect a lot of network-capacity-wasting opportunistic attempts if the masses don't even realise there's an SSH port there.
