Previous revision: howtos:security:ssh [2012/09/23 03:27 (UTC)] – [Sources] added the author tag (mfillpot)
Current revision: howtos:security:ssh [2013/11/15 11:36 (UTC)] – [Alternate method of Changing the SSH default port with out changing] (ricky_cardo)
Line 44: | Line 44: | ||
'' | '' | ||
+ | |||
+ | |||
+ | ===== Alternate method of Changing the SSH default port without changing | ||
+ | |||
+ | This suggestion is completely lifted from another site [[http:// | ||
+ | The idea here is add a call to this script in rc.local so it will run at start up. | ||
+ | |||
+ | To use Download sample at the bottom change as you like and save it in / | ||
+ | Add this sample below to / | ||
+ | |||
+ | #add ssh_hide to port 8889 | ||
+ | if [ -x / | ||
+ | / | ||
+ | fi | ||
+ | | ||
+ | What it is doing is making it look like you changed the port ssh is using and provide some additional security. | ||
+ | What happens is scanners will continue to see port 22 open and try to go there while your server drops those packets, because the header is not mangled. | ||
+ | |||
+ | <file bash rc.ssh_hide> | ||
+ | #!/bin/bash | ||
+ | |||
+ | ###### | ||
+ | ######Next, figure out what port or ports you want to do SSH over. | ||
+ | ######Were going to use 99, 88, and 8889 here. | ||
+ | ######Now we take care of the Hypothetical Evil Unprivileged User | ||
+ | ######by not accepting anything over those ports in the first place. | ||
+ | ######This is only effective for port 8889 but well do all three ports for the sake of completeness. | ||
+ | |||
+ | / | ||
+ | |||
+ | ######Then, pick a number between 1 and 4294967295 Ill use 0x13F () | ||
+ | ######Were going to tell iptables to reject anything without this mark coming into port 22. | ||
+ | |||
+ | / | ||
+ | |||
+ | ######Now well tell iptables what ports we will accept for ssh. | ||
+ | |||
+ | / | ||
+ | |||
+ | ######In the mangle table we slap our mark on these packets. | ||
+ | |||
+ | / | ||
+ | |||
+ | ###### | ||
+ | |||
+ | / | ||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | Note not ipv6 compatible, due to nat (ip6tables not supporting nat) | ||
+ | |||
===== Forbid root access to your machine ===== | ===== Forbid root access to your machine ===== |
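Review bot: The explanation "scanners will continue to see port 22 open and try to go there while your server drops those packets" contradicts the rule described a few lines below it, which rejects anything without the mark coming into port 22: a probe that is rejected or dropped shows port 22 as closed or filtered, not open, so the sentence should instead say that port 22 appears closed to unmarked traffic while sshd itself keeps listening there behind the redirect. The iptables invocations in rc.ssh_hide are cut down to a bare "/" in this revision, so the actual filter, mangle and nat rules cannot be reviewed against the comments that describe them; the full commands need to be present for the "only effective for port 8889" remark and the mark check on port 22 to be verifiable. Two smaller documentation points: the parenthetical after "Ill use 0x13F ()" is empty and should carry the decimal form of the mark so readers can match it to what iptables lists, and the attribution "completely lifted from another site [[http://" is an incomplete link, so the credited source cannot be followed. The closing IPv6 caveat is worth keeping as is; next to it, the page should state that this scheme only changes what remote hosts see and that whether local connections to port 22 are also rejected depends on the INPUT rule, which is exactly the part that is missing here.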