[H-SASIG] Proposed changes to Excalibur
Russell Stuart
russell-humbug at stuart.id.au
Mon Nov 30 02:27:22 EST 2009
On Mon, 2009-11-30 at 16:40 +1000, Mark Suter wrote:
> Running sshd on a port other than 22 does offer a little peace
> from the script kiddies that keep hitting port 22; however, it
> doesn't otherwise help security.
True in a strict sense. But if you run your eye over the logs looking
for something odd at the moment you will have a hard time seeing it
because of all the noise generated by the hammering we get on port 22.
It annoys me immensely.
> I wrote http://zwitterion.org/software/ssh-https-tunnel/ to
> permit SSH to ports 443 and 563 via the UQ proxies, so port
> 563 might be a better choice than 24.
As I found out to my cost, proxies at UQ have changed somewhat. I
thought there weren't any, but as it turns out they are transparent. I
am not sure how your script would handle that - probably it isn't needed
at all. I use my own version of your script for my purposes, which
works for ssh running on any port but requires other changes:
http://ace-host.stuart.id.au/russell/files/http-proxy-tunnel/
> Sshd will happily run on multiple ports for a transition
> period, for example, 22, 24 and 563. This would allow the
> impact to be immediately judged.
If 563 does indeed work from the meeting that would be a good reason to
use it. I don't know why I didn't check, actually. Still, I guess
being reminded to do such things is why we have sasig.