Comment on How to harden against SSH brute-forcing?
Xanza@lemm.ee 1 week ago
About the best you can do.
Using a nonstandard port doesn’t get you much, especially popular nonstandard ports like 2222.
I used that port once and got just as much junk traffic, and ultimately regretted bothering.
My experience running several ssh servers on uncommon nonstandard ports for over 10 years has been that it has eliminated all ssh brute forcing. I don’t even bother with fail2ban. I probably should though, just in case.
Also, PSA: if you use fail2ban, don’t try tab completing rsync commands without using ControlMaster or you will lock yourself out.
My two cents: Using a nonstandard ssh port is good for dumping bots. True, you can easily do a port scan against a server and easily find all open ports nbd. But most off-the-shelf bots are looking for standard ports to penetrate. I know that when I format and reinstall the test server, as soon as I change the ssh port, bot noise goes down significantly. So, for a simple config edit and about 2 minutes of time, it seems worth the effort. It’s just one layer tho. And yes, it goes without saying to pick a port other than 22, 222, 2222, etc.
How about 22222?
Oh, that one’s fine. Everyone knows that 5-digit ports add extra security, which is why WireGuard runs on port 51820 by default. /s
It gets rid of most of the login attempts for me. I don’t use a popular port though. Pick a 5 digit port so they have to put in some effort to find it.
Using a nonstandard port doesn’t get you much
Uhh… It gets you a lot. Specifically, unless you know the port you can’t connect… So hey, there’s that…
This community really says shit sometimes that makes me go cross-eyed…
The top-rated answer to this question on the Security StackExchange is “not really”. …stackexchange.com/…/does-it-improve-security-to-…
On Serverfault, the top answer is that random SSH ports provide “no serious defense” serverfault.com/…/does-changing-default-port-numb…
Or the answer here, which highlights that scanners check a whole range of ports and all the pitfalls of changing the port. Concluding: “Often times it is simply easier to just configure your firewall to only allow access to 22 from specific hosts, as opposed to the whole Internet.” …stackexchange.com/…/should-i-change-the-default-…
And I’m a CEHv7. A literal security professional–and I say that an overwhelming vast majority of attacks against servers using SSH are going to come over the default port. Quite literally 99%. This means that you can lower your attack surface by exactly 99% by simply changing the default SSH port…
Those posts provide no meaningful insight, and while what they say is, by the most technical of all interpretations, correct, I absolutely disagree with these statements. What they mean to say is that simply changing the default SSH port isn’t alone a means of strictly protecting yourself. Meaning you shouldn’t change the default SSH port and think that your server is secured, because it’s not.
Quite the different interpretation than me saying it should be mandatorily a part of your security strategy.
Protecting yourself against port scanning is trivial.
Anyone underestimating the power of changing the default SSH port is someone whose opinion I can safely disregard.
semperverus@lemmy.world 1 week ago
Don’t reject connections to port 22, honeypot it and ban on connection attempt.
downhomechunk@midwest.social 1 week ago
I’d get myself banned this way. I forget the -p flag at least once per week.
sugar_in_your_tea@sh.itjust.works 1 week ago
That’s a lot more work.
ILaughBecauseFunny@feddit.dk 1 week ago
By all means, I am no expert, but isn’t it “just” the fail2ban?
sugar_in_your_tea@sh.itjust.works 1 week ago
Fail2ban blocks IPs that fail to connect repeatedly. A honeypot pretends the failed logins worked and gives them a worthless environment to try to exploit. The purpose of fail2ban is to block attacks; the purpose of a honeypot is amusement and to waste attackers’ time.
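As an added example, not code from this thread or from the fail2ban project, here is a small Python reimplementation of the two behaviours contrasted in the last two comments: a fail2ban-style jail that bans a source once it has `maxretry` failed logins inside a `findtime` window (and lets the ban expire after `bantime`), alongside the decoy-port rule suggested earlier, which bans a source on its first connection to the honeypot port. The sshd log lines are constructed in the standard OpenSSH syslog format; the `decoy[...]` log line format is a hypothetical one invented for the honeypot service, since the thread names no such tool.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not taken from the thread). The sshd lines follow the
# real OpenSSH syslog format; the "decoy" lines are a hypothetical honeypot log.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50211 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 50212 ssh2
Jan 10 10:00:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 50213 ssh2
Jan 10 10:00:09 host sshd[1004]: Failed password for root from 203.0.113.5 port 50214 ssh2
Jan 10 10:00:12 host sshd[1005]: Failed password for root from 203.0.113.5 port 50215 ssh2
Jan 10 10:00:20 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Jan 10 10:01:00 host sshd[1007]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 10:01:30 host decoy[2001]: connection from 192.0.2.9 to port 22
Jan 10 10:30:00 host sshd[1008]: Failed password for bob from 198.51.100.7 port 40002 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "Failed password for [invalid user] <name> from <ip>" is the sshd failure line.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4)
# Hypothetical honeypot line: any connection at all is treated as hostile.
DECOY_RE = re.compile(r"decoy\[\d+\]: connection from " + IPV4)


def parse_ts(line, year=2024):
    """Parse the 15-character syslog timestamp; syslog omits the year, so one is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


@dataclass
class Ban:
    reason: str      # "maxretry" (fail2ban-style) or "decoy" (honeypot-style)
    until: datetime  # ban expiry, mirroring fail2ban's bantime


class Jail:
    """Sliding-window failure counter with expiring bans, like a fail2ban jail."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> Ban

    def is_banned(self, ip, at):
        ban = self.bans.get(ip)
        return ban is not None and at < ban.until

    def record_failure(self, ip, ts):
        window = self.failures[ip]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.bans[ip] = Ban("maxretry", ts + self.bantime)
            window.clear()

    def record_decoy(self, ip, ts):
        # Honeypot rule: one connection is enough, no retry counting.
        if not self.is_banned(ip, ts):
            self.bans[ip] = Ban("decoy", ts + self.bantime)

    def feed(self, line):
        m = FAILED_RE.search(line)
        if m:
            self.record_failure(m.group(1), parse_ts(line))
            return
        m = DECOY_RE.search(line)
        if m:
            self.record_decoy(m.group(1), parse_ts(line))


def analyze(log_text, **jail_options):
    """Run every log line through a fresh Jail and return it for inspection."""
    jail = Jail(**jail_options)
    for line in log_text.splitlines():
        if line.strip():
            jail.feed(line)
    return jail


if __name__ == "__main__":
    for ip, ban in analyze(SAMPLE_LOG).bans.items():
        print(f"{ip}: banned ({ban.reason}) until {ban.until}")
```

With the defaults above, 203.0.113.5 crosses five failures in eleven seconds and is banned for an hour; 198.51.100.7 has two failures 29 minutes apart, which never overlap inside the ten-minute window, so it is left alone (a real user mistyping a password occasionally); 192.0.2.9 is banned on its first touch of the decoy port. The successful publickey login is ignored because it is not a failure line, which is also why the earlier "-p flag" comment matters: with the decoy rule, an operator's own connection to port 22 would be banned just like anyone else's.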