My two cents: Using a nonstandard ssh port is good for dumping bots. True, you can easily do a port scan against a server and easily find all open ports nbd. But most off-the-shelf bots are looking for standard ports to penetrate. I know that when I format and reinstall the test server, as soon as I change the ssh port, bot noise goes down significantly. So, for a simple config edit and about 2 minutes of time, it seems worth the effort. It’s just one layer tho. And yes, it goes without saying to pick a port other than 22, 222, 2222, etc.
Comment on How to harden against SSH brute-forcing?
markstos@lemmy.world 1 week ago
Using a nonstandard port doesn’t get you much, especially popular nonstandard ports like 2222.
I used that port once and just as much junk traffic and ultimately regretted bothering.
irmadlad@lemmy.world 1 week ago
loudWaterEnjoyer@lemmy.dbzer0.com 1 week ago
How about 22222?
sugar_in_your_tea@sh.itjust.works 1 week ago
Oh, that one’s fine. Everyone knows that 5-digit ports add extra security, which is why WireGuard runs on port 51820 by default. /s
cmnybo@discuss.tchncs.de 1 week ago
It gets rid of most of the login attempts for me. I don’t use a popular port though. Pick a 5 digit port so they have to put in some effort to find it.
Xanza@lemm.ee 6 days ago
Using a nonstandard port doesn’t get you much
Uhh… It gets you a lot. Specifically, unless you know the port you can’t connect… So hey, there’s that…
This community really says shit sometimes that makes me go cross-eyed…
markstos@lemmy.world 6 days ago
The top-rated answer to this question on the Security StackExchange is “not really”. …stackexchange.com/…/does-it-improve-security-to-…
On Serverfault, the top answer is that random SSH ports provide “no serious defense” serverfault.com/…/does-changing-default-port-numb…
Or the answer here, which highlights that scanners check a whole range of ports and all the pitfalls of changing the port. Concluding: “Often times it is simply easier to just configure your firewall to only allow access to 22 from specific hosts, as opposed to the whole Internet.” …stackexchange.com/…/should-i-change-the-default-…
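The firewall-based alternative the quoted answer recommends, written out as an added example (not code from the thread or from any of the sites cited): a small generator for an nftables ruleset that admits SSH only from an explicit allow-list, plus a check that refuses entries which would quietly widen the rule back to the whole Internet. The allow-list addresses, port and table/chain names are placeholders, not values from the page.

```python
"""Added example, not from the thread: generate an nftables ruleset that
admits SSH only from an explicit allow-list, as the quoted answer suggests.

Assumptions: the addresses, port and table/chain names are placeholders you
would replace with your own; other services would need their own accept
rules before a "policy drop" chain like this one is loaded.
"""
import ipaddress


def allowlist_problems(entries):
    """Return a list of human-readable problems with the allow-list.

    Two things are caught: entries that are not an address or CIDR block at
    all, and 0.0.0.0/0 or ::/0, which match every source and therefore turn
    the "specific hosts" rule back into "the whole Internet".
    """
    problems = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry!r}: not an IP address or CIDR block")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry!r}: matches every address, which defeats the allow-list")
    return problems


def ssh_allowlist_ruleset(port, entries, table="inet filter", chain="input"):
    """Render an nftables table whose input chain accepts TCP on `port` only
    from the allow-listed networks and drops it from everyone else."""
    problems = allowlist_problems(entries)
    if problems:
        raise ValueError("; ".join(problems))
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    lines = [
        f"table {table} {{",
        f"    chain {chain} {{",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iif lo accept",
    ]
    if v4:
        lines.append(f"        ip saddr {{ {', '.join(v4)} }} tcp dport {port} accept")
    if v6:
        lines.append(f"        ip6 saddr {{ {', '.join(v6)} }} tcp dport {port} accept")
    # Explicit drop for the SSH port so a later, broader accept cannot reopen it.
    lines.append(f"        tcp dport {port} drop")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder allow-list: one admin host and one office network (documentation ranges).
    print(ssh_allowlist_ruleset(22, ["198.51.100.7", "203.0.113.0/24", "2001:db8::/32"]))
```

The generated text can be reviewed with `nft -c -f <file>` before it is applied; the point of `allowlist_problems` is that a typo such as `/0` should be rejected at generation time rather than discovered after the rule is live.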
Xanza@lemm.ee 5 days ago
And I’m a CEHv7. A literal security professional, and I say that an overwhelming vast majority of attacks against servers using SSH are going to come over the default port. Quite literally 99%. This means that you can lower your attack surface by exactly 99% by simply changing the default SSH port…
Those posts provide no meaningful insight, and while what they say is, by the most technical of all interpretations, correct, I absolutely disagree with these statements. What they mean to say is that simply changing the default SSH port isn’t alone a means of strictly protecting yourself. Meaning you shouldn’t change the default SSH port and think that your server is secured, because it’s not.
Quite the different interpretation than me saying it should be mandatorily a part of your security strategy.
And protecting yourself against port scanning is trivial.
Anyone underestimating the power of changing the default SSH port is someone whose opinion I can safely disregard.
markstos@lemmy.world 5 days ago
Do you have a source to cite for the literal 99%?
friend_of_satan@lemmy.world 1 week ago
My experience running several ssh servers on uncommon nonstandard ports for over 10 years has been that it has eliminated all ssh brute forcing. I don’t even bother with fail2ban. I probably should though, just in case.
Also, PSA: if you use fail2ban, don’t try tab completing rsync commands without using controlmaster or you will lock yourself out.
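The fail2ban behaviour behind that PSA, as an added example that is not part of the thread: a minimal fail2ban-style tally over sshd log lines. It shows which sources cross the failure threshold inside a time window, and how an ignore-list keeps an admin's own host from being banned after a burst of its own failed logins (the tab-completion case). The log lines are constructed samples, and `maxretry`, `findtime_s` and `ignoreip` are this example's own parameters, modelled on fail2ban's options of similar names rather than taken from fail2ban's code.

```python
"""Added example, not from the thread: a fail2ban-style failure counter
over sshd auth-log lines, with an ignore-list so the admin's own host is
never banned by its own mistakes.

The log lines are constructed samples; the parameters are assumptions
modelled on fail2ban's maxretry / findtime / ignoreip, not its code.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (syslog format, year omitted as in real logs).
# 203.0.113.5  : three failures in four seconds (bot-like)
# 198.51.100.7 : the admin host; a burst of failed attempts right after a
#                successful key login, as a tab-completion mishap would produce
# 192.0.2.9    : three failures spread two hours apart
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar  3 10:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Mar  3 10:00:04 host sshd[1003]: Failed password for invalid user oracle from 203.0.113.5 port 50125 ssh2
Mar  3 10:00:05 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:placeholder
Mar  3 10:01:00 host sshd[1005]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:01:01 host sshd[1006]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:02 host sshd[1007]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Mar  3 12:30:00 host sshd[1008]: Failed password for root from 192.0.2.9 port 33333 ssh2
Mar  3 14:30:00 host sshd[1009]: Failed password for root from 192.0.2.9 port 33334 ssh2
Mar  3 16:30:00 host sshd[1010]: Failed password for root from 192.0.2.9 port 33335 ssh2
"""

# Matches the standard sshd "Failed password" line; the trailing "port N" is
# the client's source port, not the listening port, so only the source address
# is extracted.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2025):
    """Return [(timestamp, source_ip), ...] for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2)))
    return events


def offenders(events, maxretry=3, findtime_s=600, ignoreip=()):
    """Sources with at least `maxretry` failures inside any `findtime_s`
    window, skipping anything in `ignoreip` (addresses or CIDR blocks)."""
    ignored = [ipaddress.ip_network(i, strict=False) for i in ignoreip]
    by_src = defaultdict(list)
    for ts, src in sorted(events):
        by_src[src].append(ts)
    banned = []
    for src, times in by_src.items():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in ignored):
            continue  # never ban the admin's own host
        start = 0  # sliding window over this source's sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > findtime_s:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(src)
                break
    return sorted(banned)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("would ban:", offenders(ev))
    print("with admin host ignored:", offenders(ev, ignoreip=["198.51.100.7"]))
```

Run as-is, the admin host is banned alongside the bot, which is exactly the lockout described above; with it on the ignore-list only the bot is, and the slow three-attempts-in-six-hours source stays below the default window. The analogous knob in a real fail2ban jail is its `ignoreip` setting; the ControlMaster approach avoids the problem differently, by reusing one authenticated connection so the completion attempts never fail authentication at all.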