[H-SASIG] Proposed changes to Excalibur
Russell Stuart
russell-humbug at stuart.id.au
Thu Dec 3 02:39:44 EST 2009
On Thu, 2009-12-03 at 01:27 -0500, Robert Brockway wrote:
> * Statically blocking access at a firewall
Eh?
> * Disabling password access and using key auth only
Password access is disabled. It doesn't solve the log problem however.
> * Using fail2ban or a similar tool to dynamically block probes
This is more complex than simply moving the port, and can be used as a
DoS.
> * Port knocking
This is more complex than simply moving the port, is no more secure, and
requires people to know how to use it.
> Changing the port causes problems with access[1].
For most of Humbug's history we have had problems with access, as port
22 was blocked. We had to go through substantial hoops to get around
that - bigger than a mere port change, yet I don't recall it causing a
major problem for SysAdmins. Given it didn't, I can't imagine how a
different port could be a big issue. The bottom line is, when it comes
to the port, which number to use is more a matter of personal preference than
anything else. So of all the arguments against moving excalibur to this
new scheme, I see the sshd port number change as the weakest.
> People who may need access can't infer the port.
Yes, well they will need a few details won't they - like their user
name, host name, and ssh key. If they are like me, they add it to their
~/.ssh/config.
Do you want us to take a vote on this move, Rob?
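To make the fail2ban trade-off discussed above concrete, here is a minimal sliding-window ban counter of the kind such tools implement; this is an added illustration, not code from the thread or from fail2ban, and the sshd log lines are constructed. The allowlist parameter is the standard mitigation for the objection that a dynamic blocker can be turned into a denial of service against legitimate users sharing a source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style (not real logs).
SAMPLE_LOG = """\
Dec  3 02:10:01 excalibur sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51222 ssh2
Dec  3 02:10:04 excalibur sshd[4012]: Failed password for invalid user oracle from 203.0.113.9 port 51230 ssh2
Dec  3 02:10:07 excalibur sshd[4013]: Failed password for root from 203.0.113.9 port 51241 ssh2
Dec  3 02:10:09 excalibur sshd[4014]: Failed password for russell from 192.0.2.5 port 40001 ssh2
Dec  3 02:10:12 excalibur sshd[4015]: Failed password for russell from 192.0.2.5 port 40002 ssh2
Dec  3 02:10:15 excalibur sshd[4016]: Failed password for russell from 192.0.2.5 port 40003 ssh2
Dec  3 02:40:20 excalibur sshd[4020]: Failed password for root from 203.0.113.9 port 51300 ssh2
Dec  3 02:40:21 excalibur sshd[4021]: Accepted publickey for russell from 192.0.2.5 port 40010 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def ban_decisions(log_text, threshold=3, window=timedelta(minutes=10),
                  allowlist=frozenset(), year=2009):
    """Return the source IPs that would be banned, in the order decided.

    A source is banned once `threshold` password failures fall inside the
    sliding `window`. Sources in `allowlist` are never banned: this is the
    usual guard against the self-inflicted DoS the post warns about, e.g.
    one mistyped password behind a shared NAT locking out a whole office.
    """
    hits = defaultdict(deque)
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # only password failures count; accepted logins are ignored
        ip = m.group("ip")
        if ip in allowlist or ip in banned:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = hits[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # discard failures that have aged out of the window
        if len(q) >= threshold:
            banned.append(ip)
    return banned
```

Raising the threshold or shrinking the window, as the last assertion below shows, trades fewer false bans for more probe noise left in the log, which is exactly the balance the thread is arguing about.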