LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-27-2007, 06:31 PM   #16
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380

Quote:
Originally Posted by mlnutt
as I stated previously, changing the port is NOT the only thing one should do.
Yes, and it would have been so much better if you could have been as verbose the first time you posted, instead of making it sound like the port change would magically make the box more secure. Yes, his logs will be clean now (expression borrowed from unixfool), but he is still just as vulnerable as he was before. Hopefully he'll implement some of you guys' other suggestions in the near future. It would IMHO be a huge waste if someone with security concerns ends up only taking measures which essentially add up to nothing more than a cosmetic improvement.

Last edited by win32sux; 09-27-2007 at 06:32 PM.
 
Old 09-27-2007, 06:49 PM   #17
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Risk = Threat X Vulnerability X Asset Value.

I think people who advocate changing the port are focusing on the threat (worms, botnets, and attackers doing port sweeps). The people who say that isn't effective and you're still just as vulnerable are focusing on the vulnerability part of the equation. Whether you focus on the threat or vulnerability, you're reducing risk which is a good thing.
 
Old 09-27-2007, 06:58 PM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by OlRoy
I think people who advocate changing the port are focusing on the threat (worms, botnets, and attackers doing port sweeps). The people who say that isn't effective and you're still just as vulnerable are focusing on the vulnerability part of the equation.
FWIW, I agree with you on this. Math rules!

EDIT: I would just add that even though the threat might be reduced a little with regards to automated attacks, it isn't reduced regarding determined attackers. That is a key point, and has a great effect on the equation IMHO. By focusing on the underlying vulnerabilities, risk is reduced way more - which brings us back to the "it's not the only thing you should do" thing, yada yada.

Last edited by win32sux; 09-28-2007 at 05:00 PM.
 
Old 09-28-2007, 01:25 AM   #19
baddah
Member
 
Registered: Feb 2006
Location: Cape Town,South Africa
Distribution: Fedora Core 8
Posts: 188

Original Poster
Rep: Reputation: 30
Hi, thanks for all the info.

I've done the following steps.

* Changed the port
* I've lowered the LoginGraceTime to 30 seconds
* I've made the MaxAuthTries 2
* I've changed MaxStartups to 3:50:10
* I've disabled root login onto the box, although I need it for some backups, so I did the following
PermitRootLogin forced-commands-only
PermitRootLogin yes
* I only enabled ssh for one user, and I made the username and password solid.

I'd like to enable just ssh-keys authentication, and play around with hosts.deny, and so on, but currently my logs seem much better, so I'll monitor this before I start playing with that.

Also, how can I check, if someone got in, for possible backdoors on my system? What tools can I use? I'm busy going through all my servers' logs now. I've noticed the following on one of them..

Code:
reverse mapping checking getaddrinfo for debian.licanet.cz failed - POSSIBLE BREAKIN ATTEMPT!
What does this mean?

Thanks
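As an added example (not code from this thread or from OpenSSH), here is a small Python checker for the sshd_config directives listed in the post above. It applies sshd's own rule that, for each keyword, the first value in the file is the one used, so a config containing both of the PermitRootLogin lines quoted above is reported as a conflict rather than silently ending up with whichever line came first. The sample config, the thresholds in CHECKS and the decision to stop at a Match block are this example's assumptions, not settings taken from the poster's server.

```python
"""Audit an sshd_config for the hardening directives discussed in this thread.

Added example for this thread, not code from it or from OpenSSH. sshd reads
its config top-down and, for each keyword, uses the first value it sees, so
a keyword set twice is reported as a conflict. Match blocks are not modelled:
parsing stops at the first "Match" line (an assumption of this example).
"""
import re

# Constructed sample, mirroring the settings listed in the post above.
SAMPLE_CONFIG = """\
# constructed sample, not a real server's config
Port 2222
LoginGraceTime 30
MaxAuthTries 2
MaxStartups 3:50:10
PermitRootLogin forced-commands-only
PermitRootLogin yes
AllowUsers backupuser
PasswordAuthentication yes
"""


def _int_at_most(limit):
    """Predicate: value is an integer no larger than limit."""
    return lambda v: v.isdigit() and int(v) <= limit


# Keyword -> predicate deciding whether its effective value is acceptable.
# Thresholds are this example's assumptions, chosen to match the thread.
CHECKS = {
    "Port": lambda v: v != "22",                 # moved off the default
    "LoginGraceTime": _int_at_most(30),
    "MaxAuthTries": _int_at_most(3),
    "MaxStartups": lambda v: re.fullmatch(r"\d+(:\d+:\d+)?", v) is not None,
    "PermitRootLogin": lambda v: v in ("no", "forced-commands-only"),
    "PasswordAuthentication": lambda v: v == "no",   # key-only authentication
}
_CANON = {k.lower(): k for k in CHECKS}   # sshd keywords are case-insensitive


def parse_sshd_config(text):
    """Return (effective, duplicates) for a flat sshd_config.

    effective:  keyword -> first value seen (the one sshd will use)
    duplicates: keyword -> every value seen, for keywords set more than once
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        if parts[0].lower() == "match":
            break                              # Match blocks not modelled here
        key = _CANON.get(parts[0].lower(), parts[0])
        seen.setdefault(key, []).append(parts[1].strip())
    effective = {k: v[0] for k, v in seen.items()}
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def audit(text):
    """Return a list of findings (strings); an empty list means nothing to report."""
    effective, duplicates = parse_sshd_config(text)
    findings = []
    for key, acceptable in CHECKS.items():
        if key not in effective:
            findings.append(f"{key}: not set, sshd's default applies")
        elif not acceptable(effective[key]):
            findings.append(f"{key}: value {effective[key]!r} is weaker than recommended")
    for key, values in duplicates.items():
        findings.append(
            f"{key}: set {len(values)} times {values}; sshd uses the first, {values[0]!r}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports two things: PasswordAuthentication is still on (the poster says key-only auth is a later step), and PermitRootLogin is set twice, with forced-commands-only being the value sshd actually uses. Point it at a real /etc/ssh/sshd_config by reading the file into `audit()`; `sshd -T` prints the effective configuration if you want to cross-check the first-value rule on a live host.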
 
Old 09-28-2007, 07:23 AM   #20
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
I've disabled root login onto the box, although I need it for some backups, so I did the following
PermitRootLogin forced-commands-only
PermitRootLogin yes
You are MUCH better off disallowing root login and using either su or sudo to do root work over an SSH connection.

Quote:
but currently my logs seem much better, so I'll monitor this before I start playing with that.
This is the root cause of why I complain about moving ports in the first place. Absent any other changes, this is a false sense of security. Just because you're not getting pounded doesn't mean that the next try won't succeed.

Quote:
reverse mapping checking getaddrinfo for debian.licanet.cz failed - POSSIBLE BREAKIN ATTEMPT!
What it means is that the SSH server wasn't able to verify that the address being used is legit. In other words, someone is spoofing IP addresses or domains. If this occurred on your new SSH port, then they've found you again.

Quote:
Also, how can I check, if someone got in, for possible backdoors on my system?
You could use chkrootkit and rkhunter to look for things. You should also look through your logs and see if anyone actually managed to log into SSH that you don't recognize. Also look through the output of lsof -i and see if there are any services listening that you don't recognize. Looking at root's .bash_history couldn't hurt either. You also might want to install Aide, Samhain or Tripwire to monitor the status of the files on your computer. These won't stop a break in but they can tell you what was done.

Of course none of this makes any difference if you actually were compromised as the skilled crackers will take steps to hide their steps from the normal sorts of approaches and checkers like Aide won't detect a break in if they are installed after it occurred.
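The log review Hangdog42 recommends above, as an added Python example (not a tool from this thread): it reads syslog-style sshd lines and pulls out successful logins for users or from addresses you did not expect (any root login included), counts failed attempts per source, and collects the "reverse mapping" warning quoted in the thread. That warning comes from sshd checking that the connecting address's reverse DNS name resolves back to that address; it is noisy on sources with sloppy DNS, so the script treats it as a prompt to look at what else that source did rather than as proof of anything. The sample lines are constructed (documentation-range IPs; the reverse-mapping line is the one quoted above), and the expected users and sources are assumptions passed in by the caller.

```python
"""Review sshd log lines for the signs listed in the post above.

Added example for this thread, not a tool from it. It reads syslog-style
sshd lines and reports (a) accepted logins for users or from sources you
did not expect, including any root login, (b) failed attempts per source,
and (c) the "reverse mapping" warning quoted in the thread. All sample
lines below are constructed; the IPs come from documentation ranges.
"""
import re
from collections import Counter

# Constructed sample, in the format sshd of that era wrote to /var/log/auth.log
# or /var/log/secure. The reverse-mapping line is the one quoted in the thread.
SAMPLE_LOG = """\
Sep 28 01:02:03 box sshd[1234]: Accepted password for baddah from 192.0.2.10 port 51234 ssh2
Sep 28 01:05:11 box sshd[1240]: reverse mapping checking getaddrinfo for debian.licanet.cz failed - POSSIBLE BREAKIN ATTEMPT!
Sep 28 01:05:12 box sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Sep 28 01:05:14 box sshd[1240]: Failed password for root from 198.51.100.7 port 4023 ssh2
Sep 28 02:10:00 box sshd[1301]: Accepted publickey for root from 203.0.113.5 port 40000 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")
# Newer sshd versions write "BREAK-IN" and include the address in brackets;
# the regex accepts both that form and the one quoted in the thread.
REVERSE_MAP = re.compile(
    r"reverse mapping checking getaddrinfo for (\S+) (?:\[(\S+)\] )?failed - POSSIBLE BREAK-?IN ATTEMPT"
)


def review_auth_log(text, known_users, known_sources):
    """Summarise sshd log text against the users and source IPs you expect.

    Returns a dict with:
      accepted:                 every successful login as (method, user, source)
      suspicious_logins:        (user, source, [reasons]) for logins to question
      failed_by_source:         {source: count of failed attempts}
      reverse_mapping_failures: reverse DNS names that did not resolve back
                                to the connecting address
    """
    accepted, suspicious = [], []
    failed = Counter()
    revmap = []
    for line in text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append((method, user, src))
            reasons = []
            if user == "root":
                reasons.append("root login over ssh")
            if user not in known_users:
                reasons.append("user not in expected set")
            if src not in known_sources:
                reasons.append("source not in expected set")
            if reasons:
                suspicious.append((user, src, reasons))
            continue
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = REVERSE_MAP.search(line)
        if m:
            revmap.append(m.group(1))
    return {
        "accepted": accepted,
        "suspicious_logins": suspicious,
        "failed_by_source": dict(failed),
        "reverse_mapping_failures": revmap,
    }


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_LOG, known_users={"baddah"},
                             known_sources={"192.0.2.10"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, the publickey login as root from an unexpected address is the one to chase: that is exactly the kind of "login you don't recognize" the post above says to look for, and it is the case a tightened PermitRootLogin would have refused. Feed a real auth.log in by reading the file into `review_auth_log()`; the other checks in the post (lsof -i, root's .bash_history, rkhunter/chkrootkit, AIDE) are separate steps this script does not replace.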
 