[lug] Re: What to do about SSH attacks
Lee Woodworth
blug-mail at duboulder.com
Fri Oct 29 21:37:32 MDT 2004
> Sean Reifschneider wrote:
>
> Coincidentally, I just wrote something up on this in my journal:
>
> http://www.tummy.com/journals/entries/jafo_20041029_151145
>
> We just launched the new tummy.com web site earlier this week and among
> the things that it includes are Blogs or journals for us to publish
> things in. I'm trying to make one entry per day on things of interest.
>
> Sean

Looks good. Is the reason you are restricting sshd to unused
privileged ports that it makes it easier to guarantee the port will
be free on a reboot? Are there other reasons not to use the full port
range? It seems like the privileged port range is scanned more than the
complete range, so using higher ports may discourage the casual attackers.

Any thoughts about disabling version 1 of the SSH protocol altogether?
OpenSSH, Putty and F-Secure all support Version 2, so my clients haven't
had problems with version 1 being disallowed.

If you have internal/external interfaces on a gateway machine, it may be
worthwhile to run two sshd instances. One listens on port 22 on the
internal net only (see the ListenAddress directive) and could allow
passwords (if you trust the internal machines). The other listens on a
non-standard port on the external interface and only allows public keys.
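
Added example, not part of the original message: a small Python check that two sshd_config files follow the internal/external split described above, with protocol 1 disabled on both. The sample configs, the 192.168.1.0/24 internal network, the 203.0.113.10 external address and port 2222 are constructed assumptions.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal LAN
# Constructed sample configs; addresses and port 2222 are assumptions.
INTERNAL = """\
Port 22
ListenAddress 192.168.1.1
Protocol 2
PasswordAuthentication yes
"""
EXTERNAL = """\
Port 2222
ListenAddress 203.0.113.10
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

def parse(text):
    """Map lower-cased keyword -> list of values (sshd keywords are case-insensitive)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            conf.setdefault(key.lower(), []).append(rest[0].strip() if rest else "")
    return conf

def audit(text, external):
    """Return policy violations for one instance; expects bare IPs in ListenAddress."""
    conf, issues = parse(text), []
    first = lambda key, default: conf.get(key, [default])[0].lower()
    # Older OpenSSH releases defaulted to "2,1" when Protocol was not set.
    if "1" in first("protocol", "2,1").split(","):
        issues.append("SSH protocol 1 allowed")
    addrs = conf.get("listenaddress", [])
    if not addrs:
        issues.append("no ListenAddress, so sshd binds every interface")
    for addr in addrs:
        if (ipaddress.ip_address(addr) in INTERNAL_NET) == external:
            issues.append(f"{addr} is on the wrong interface for this instance")
    if external:
        if first("port", "22") == "22":
            issues.append("external instance still on port 22")
        # Keyboard-interactive can still prompt for a password, so check both.
        for key in ("passwordauthentication", "challengeresponseauthentication"):
            if first(key, "yes") != "no":
                issues.append(f"{key} not disabled on external instance")
    return issues
```

Each instance also needs its own PidFile and is started with its own config file via sshd -f.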