Re: status: hints on how to check your machine forintrusion

From: Henrique de Moraes Holschuh
Date: Sat Oct 01 2011 - 17:23:29 EST

On Sat, 01 Oct 2011, Willy Tarreau wrote:
> > > I haven't allowed sshd to run on port 22 in more than 10 years.
> >
> > I use to do that a long time ago, but I ran into issues because of it.


> 443 is pretty nice for connecting from unexpected places ;-)

The better IPS/IDS-protected corporate networks are likely to get annoyed by
SSH signatures showing up on unexpected flows. Such networks typically will
also object to non-SSL flows of any sort over port 443.


> > I probably can go back to a non 22 port without much issue. I have added
> > a bunch of personal checks to this box that gives a report every day. I
> > may add more (from what was posted in this thread already). I also have
> > logwatch and rkhunter running, and just added chkrootkit now.
> >
> > But moving the ssh port again may be a good idea. But I like stressing
> > your net filtering code ;)
> BTW ipset is particularly suited for this.

And fail2ban is a ready-made solution to firewall anything that is loitering
around. It is quite popular, so it is likely already packaged by the

There is no reason to move SSH from port 22, it is just plain safer to use
port-knocking if you want it unreachable most of the time. You should also
avoid password-guessing attacks entirely (some botnets can do distributed
low-speed password guessing attacks, I've seen it happen at work) by always
requiring pubkey auth as one of the credentials.

"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at