Jaime Santos wrote:
Hi again,
If someone is using a script to probe port 22 of random machines,

I see half a dozen or more each day, on each machine. Believe it's happening.

probably it does make sense to attach the ssh server to some other port. But your users will have to be warned that they have to explicitly name such a port when trying to log in remotely. Furthermore, an nmap search for open ports can always reveal the services which are available, but this is a directed attack. Given the nuisance (such a strategy is essentially security via obscurity), I think it isn't worth doing it.

nmap or equivalent's always being run too. However, generally the assumption is that port 22 is ssh because that's where ssh is. What I've found works a treat is to use /etc/hosts.{allow,deny} to restrict connexions to my region, determined by networks from which known-good connexions come. Since I did that some months ago, over several machines I've had thousands of connexions rejected because they're from out of area, and maybe one that tried his dictionary. I also moved incoming connexions to a different machine where users who can't connect from remote can't authenticate.

Another good idea, but one that requires more work to set up, is to set up a VPN: I use openvpn. The VPN authenticates, and you can trust people with a VPN better than you would the average Joe, Giuseppe or Josephine. You still have to control the VPN keys as you would any password.
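
The hosts.allow restriction described in the reply above can be previewed against existing sshd logs before it is deployed; the following is an added example, not part of the original e-mail. The networks, log lines and function names are constructed for illustration (documentation address ranges), and the log format assumed is the common OpenSSH "Accepted/Failed ... from ADDR port" line.

```python
import ipaddress
import re
from collections import Counter

# Assumed allow-list: networks from which known-good logins come (documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample of sshd auth log lines.
SAMPLE_LOG = """\
Mar  3 02:11:07 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 02:11:09 host sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  3 08:30:41 host sshd[902]: Accepted publickey for alice from 192.0.2.15 port 51522 ssh2
Mar  3 09:02:13 host sshd[915]: Failed password for bob from 198.51.100.20 port 50100 ssh2
Mar  3 11:47:55 host sshd[960]: Accepted password for carol from 198.51.100.200 port 50311 ssh2
"""

LINE_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port")

def in_allowed(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)

def preview(log_text):
    """Return (per-source count the allow-list would reject, accepted logins it would lock out)."""
    rejected = Counter()
    locked_out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or in_allowed(m.group(3)):
            continue
        result, user, src = m.groups()
        rejected[src] += 1
        if result == "Accepted":  # a real user connecting from outside the allowed networks
            locked_out.append((user, src))
    return rejected, locked_out

def hosts_allow_lines():
    """Render the allow-list as tcp_wrappers net/mask entries for /etc/hosts.allow."""
    return ["sshd: %s/%s" % (n.network_address, n.netmask) for n in ALLOWED_NETS]

if __name__ == "__main__":
    rejected, locked_out = preview(SAMPLE_LOG)
    print("would reject:", dict(rejected))
    print("would lock out:", locked_out)
    print("\n".join(hosts_allow_lines()), "\n# and in /etc/hosts.deny:  sshd: ALL")
```

Any entry in the lock-out list is a known-good login that falls outside the chosen networks, so widen the list or move that user to the VPN before enabling the deny rule. The hosts.allow and hosts.deny files only take effect when sshd is built with tcp_wrappers support.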