> A future bulk-scan may leverage a new SSH-exploit before you know it exists.
Sure, this is true. I consider this a "minor" issue; truth be told (I didn't want to muddle up the conversation), I don't tend to run sshd faced towards the 'public' internet, and in the cases where I do, ssh access is restricted to certain hosts/networks and is enforced by a firewall.
> The rest of your recommendations is security theatre
Can you state why? I think they all provide measurable/real benefit; if this isn't the case, I'd welcome some education.
Hm. I will give you that AllowUsers, AllowGroups is not a very good benefit in this case. I mainly enforce the usage of those directives to protect against problems such as bogus user account creations (exploit-created or something as simple as an admin mistake).
> An attacker dedicated enough to find your SSH-port
And Now for Something Completely Different.
Protecting against a dedicated attacker is a totally different ball game than protecting against drive-bys.