[Klug-general] Hiding Port 22 on an SSH based VPN

Karl Lattimer karl at qdh.org.uk
Mon Apr 2 20:49:39 BST 2007


> You would do well to generate keys and only allow logins by this  
> method, as well as any firewalling. And certainly disallow root  
> logins by any method.
>
> I speak from experience of a server hacked.

AFAIK the only attacks against openssh are weak password and monkey
in the middle with protocol 1.1, maybe a couple of buffer overflows
along the way, but as long as your password isn't easy to break
(letters, numbers, capitals etc...) and you have up to date packages for
ssh, why not allow root logins! Sure, when telnet was king it was
prudent to use operator/wheel to login then su to root, running the
telnet process as operator/wheel; however this still has the same
issues as allowing logins as root, as once you have shell access to a
system it's trivial to escalate privs.

I speak from experience too, poacher turned game keeper ;)

K,

PS. Easiest way to secure a server running Linux? Use a Linux distro
which comes pre-configured to be reasonably secure and doesn't leave
completely idiotic default settings which ship with most services,
e.g. sendmail, which has pretty much always shipped with default
configs which are laughable to most spammers.

I'm suggesting you use Red Hat, as 90% of the configuration is already done;
as long as you don't do stupid things you're pretty secure out of the box.
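The three sshd_config settings the two posters are arguing over (key-only logins, root logins, and protocol 1) can be checked mechanically; the script below is an added example, not something from the original thread. It assumes no Match blocks and treats an unset keyword as the OpenSSH 4.x-era default (Protocol 2,1, PasswordAuthentication yes, PermitRootLogin yes); the sample configs are constructed, not taken from a real host.

```shell
#!/bin/sh
# Audit an sshd_config for the points raised in the thread: protocol 1
# still offered, password logins accepted, direct root logins allowed.
# Assumptions: Match blocks are ignored; an unset keyword is read at the
# OpenSSH 4.x-era defaults (Protocol 2,1 / PasswordAuthentication yes /
# PermitRootLogin yes). Modern OpenSSH defaults differ (prohibit-password).

# First uncommented value of keyword $2 in file $1. sshd honours the
# first occurrence of a keyword, so later duplicates do not override it.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one finding per line for the config file given as $1;
# prints nothing when all three settings are hardened.
audit_sshd_config() {
    proto=$(sshd_value "$1" Protocol)
    case "${proto:-2,1}" in
        *1*) echo "Protocol ${proto:-unset}: protocol 1 still offered (downgrade/MITM risk) -> Protocol 2" ;;
    esac
    pw=$(sshd_value "$1" PasswordAuthentication)
    if [ "${pw:-yes}" = "yes" ]; then
        echo "PasswordAuthentication ${pw:-unset}: passwords accepted, so guessing works -> PasswordAuthentication no (keys only)"
    fi
    root=$(sshd_value "$1" PermitRootLogin)
    if [ "${root:-yes}" = "yes" ]; then
        echo "PermitRootLogin ${root:-unset}: direct root logins allowed -> PermitRootLogin no"
    fi
}

# Constructed sample configs: a typical shipped default and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# shipped defaults, everything left commented out
#Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "== weak =="; audit_sshd_config "$WEAK"
echo "== hardened =="; audit_sshd_config "$HARD"
```

Run it against /etc/ssh/sshd_config instead of the constructed files to audit a real host.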