SSH Port Change
Hello.
So the most basic thing you can do to protect your server is to change the SSH port. I think we can all (well, at least most) agree that this is a basic step in setting up any server following OS installation.
- However, change port to what?
- How many digits?
- Should repeating numbers be avoided?
- Should it be different for all of your servers?
How do you keep track of the ports?
Finally, firewall or no firewall?
A firewall blocks ports not in use, so maybe it can be easy for hackers to run a port scanner to find which ports are open. What if all open ports not in use are forwarded to a catch-all service that does nothing? Will that improve security?
Do let me know what you think.
Comments
How many digits?
Should repeating numbers be avoided?
Should it be different for all of your servers?
How do you keep track of the ports?
Or simply limit connections to specific IPs (hosts.allow/hosts.deny) and enjoy your life like there's no tomorrow.
Nexus Bytes Ryzen Powered NVMe VPS | NYC|Miami|LA|London|Netherlands| Singapore|Tokyo
Storage VPS | LiteSpeed Powered Web Hosting + SSH access | Switcher Special |
Except that my IP keeps changing (dynamic IP), so that's not an option unless I set up a VPN server specifically for this. But if the VPN server dies, all my servers die with it. So ya...
Somik.org - Server admins cheat codes
Multiple VPNs? A cheap SSH jumpbox for backup purposes, like one of those $12-15/year services. Because even if you change your port, it isn't too hard to scan ports.
Also something like fail2ban should help.
- 4 digits
- same port for all servers
- not blocked by firewalls (my IP is dynamic too)
- and no password login, only keys (root login disabled too)
Why not WireGuard? So the server's public IP is firewalled for SSH but accessible via the WG interface, so all private and protected. Plus you can have a mesh of all your servers in the same address space, reachable via multiple paths if required.
Second option is to use something like https://github.com/mrash/fwknop - opens up the SSH port only when you (cryptographically) knock. Very useful but requires server + client side setup (very straightforward but still...)
Irrespective of the reachability of your SSH server it is important to ensure you have only (public) key based logins (along with a few tweaks to the MaxAuthTries setting to throttle things just in case). Technically it shouldn't matter much what port number you choose. That being said, I would suggest not using one of the more commonly used ports. ( https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers )
I usually go with 4 or 5. But that is just personal preference. You might want to read the bit about privileged port numbers and consider that.... ( https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html )
This has no effect on anything, as modern port scanners are relatively fast. The only thing that changing the port number accomplishes is that automated scanners going for the same port across all of the "internet" are not picking up on it. With single target/specialized attack attempts this does not really improve security.
As with #3 it doesn't matter that much. It just discourages automated attacks that just go for a single port (or potentially a couple of fixed ones on each system).
If you want to do more... You could set up a dedicated management network, where all your ssh/.... instances are reachable, and use a jumphost (w. vpn,..) to connect to it. Alternatively you could look into a combination of port knocking ( https://en.wikipedia.org/wiki/Port_knocking ) and automated blacklisting if too many connection attempts are made on ports of the system that are not in use.
Generally yes, as you can suppress unwanted outbound connections......
(But please forget the whole "it can be discovered myth", as it can and will be discovered if someone wants to....)
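The points above (key-only logins, a lower MaxAuthTries, no root login, a non-default port) are easy to state and easy to get subtly wrong in sshd_config. The following is an added example, not code from the thread or from OpenSSH: a small POSIX sh audit of an sshd_config that applies sshd's first-match rule for directives and flags the settings discussed here. The thresholds (only port 22 flagged, MaxAuthTries at most 3) are this example's own choices, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the points raised above
# (non-default port, key-only login, root login disabled, a low MaxAuthTries).
# Thresholds (only port 22 flagged, MaxAuthTries <= 3) are this example's own choices.

# sshd uses the first non-comment occurrence of a directive; mirror that.
sshd_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg=$1
    port=$(sshd_value "$cfg" Port);                   port=${port:-22}
    pass=$(sshd_value "$cfg" PasswordAuthentication); pass=${pass:-yes}
    pubkey=$(sshd_value "$cfg" PubkeyAuthentication); pubkey=${pubkey:-yes}
    root=$(sshd_value "$cfg" PermitRootLogin);        root=${root:-prohibit-password}
    tries=$(sshd_value "$cfg" MaxAuthTries);          tries=${tries:-6}
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    kbd=${kbd:-$(sshd_value "$cfg" ChallengeResponseAuthentication)}; kbd=${kbd:-yes}

    [ "$port" = 22 ]    && echo "WARN Port 22: default port, hit by every bulk scanner"
    [ "$pass" = no ]    || echo "WARN PasswordAuthentication $pass: password logins allowed"
    [ "$pubkey" = yes ] || echo "WARN PubkeyAuthentication $pubkey: key logins disabled"
    [ "$root" = no ]    || echo "WARN PermitRootLogin $root: root login not disabled"
    [ "$tries" -le 3 ]  || echo "WARN MaxAuthTries $tries: lower it to throttle guessing"
    # PasswordAuthentication no is not enough by itself: with UsePAM, keyboard-interactive
    # can still prompt for a password unless it is off or AuthenticationMethods restricts it.
    if [ "$pass" = no ] && [ "$kbd" != no ] && [ -z "$(sshd_value "$cfg" AuthenticationMethods)" ]; then
        echo "WARN keyboard-interactive still on: PAM may accept passwords"
    fi
    return 0
}

count_warnings() { audit_sshd_config "$1" | grep -c '^WARN' || true; }

# Constructed sample configs: one left at stock defaults, one hardened as discussed.
weak=$(mktemp); hardened=$(mktemp)
printf '#Port 22\n#PasswordAuthentication yes\n' >"$weak"
printf 'Port 48222\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n' >"$hardened"
printf 'PubkeyAuthentication yes\nPermitRootLogin no\nMaxAuthTries 3\n' >>"$hardened"

audit_sshd_config "$weak"
echo "hardened config warnings: $(count_warnings "$hardened")"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; it only reads the file, so it is safe to run on a live host.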
★ MyRoot.PW ★ Dedicated Servers ★ LIR-Services ★ Web-Hosting ★
★ Locations: Austria + Netherlands + USA ★ [email protected] ★
I'll look into WireGuard, but it looks complicated to set up.
Fwknop, never heard of it. I'll see how far i can go with it.
Thanks. Your reply is much simpler to follow.
I guess the main thing to consider is that the vast majority of attempted brute force attacks come in following a port scan, so any non-common port is fine. That said, I would avoid 2222 as that is also commonly scanned.
People looking to brute force ssh are usually working in bulk, so just not using port 22 will, in the majority of cases, remove 99% of all the shitty traffic.
Non-standard port and use key based auth.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
+1 everything @SGraf said.
https://phpbackend.com/
Why not explore https://gravitational.com/teleport .
https://gravitational.com/teleport/docs/quickstart/
Let me stop you right there and ask:
Have you disabled password authentication after adding your public key to authorized_keys file?
Second layer might be a fail2ban rule that bans IP for 2-5 days if more than 5 attempts in 30mins.
Another thing I've decided is useful, is adding a DROP rule for CN, BR and RU ipsets in iptables. (maybe just port 22?)
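The fail2ban rule described above ("bans IP for 2-5 days if more than 5 attempts in 30mins") is a sliding-window count of failed logins per source IP. The following is an added example, not from the thread and not fail2ban's own code: the same detection logic in POSIX awk, run over constructed auth.log-style lines so the threshold and window can be sanity-checked before a jail is configured. It assumes the log lines all fall on one day, so the HH:MM:SS timestamp is converted to seconds since midnight; all IPs and hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from fail2ban: the ban logic described above
# (more than N failed SSH logins from one IP inside a time window) over constructed
# auth.log-style lines, to sanity-check the rule before wiring it into a jail.

# Prints "BAN <ip> at <time>" the first time an IP exceeds the threshold.
# $1 = maxretry (attempts allowed), $2 = findtime in seconds; log lines on stdin.
# Assumes one day of logs: HH:MM:SS is converted to seconds since midnight.
detect_bruteforce() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            for (i = 4; i <= NF; i++) if ($i == "from") ip = $(i+1)
            q[ip, ++tail[ip]] = now
            # drop attempts that have fallen out of the sliding window
            while (head[ip] < tail[ip] && q[ip, head[ip]+1] < now - findtime) head[ip]++
            if (tail[ip] - head[ip] > maxretry && !(ip in banned)) {
                banned[ip] = 1; print "BAN " ip " at " $3
            }
        }'
}

# Constructed sample log: 203.0.113.5 fails 6 times in under 10 minutes,
# 198.51.100.7 fails exactly 5 times, then once more 40 minutes later.
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 vps sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 12:01:30 vps sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 12:02:00 vps sshd[2003]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jan 10 12:03:12 vps sshd[2004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 12:04:00 vps sshd[2005]: Failed password for root from 198.51.100.7 port 50002 ssh2
Jan 10 12:05:45 vps sshd[2006]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2
Jan 10 12:06:00 vps sshd[2007]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 12:06:00 vps sshd[2008]: Failed password for root from 198.51.100.7 port 50003 ssh2
Jan 10 12:07:00 vps sshd[2009]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 12:08:00 vps sshd[2010]: Failed password for root from 198.51.100.7 port 50004 ssh2
Jan 10 12:08:30 vps sshd[2011]: Failed password for invalid user test from 203.0.113.5 port 40006 ssh2
Jan 10 12:10:00 vps sshd[2012]: Failed password for root from 198.51.100.7 port 50005 ssh2
Jan 10 12:50:00 vps sshd[2013]: Failed password for root from 198.51.100.7 port 50006 ssh2
EOF
}

# The rule from the post: more than 5 attempts inside 30 minutes (1800 s).
sample_log | detect_bruteforce 5 1800
```

Only 203.0.113.5 is flagged with a 30-minute window; widening the window to 60 minutes also catches 198.51.100.7, which is the trade-off findtime controls.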
that's actually a really good idea.
Has anyone tried 2FA with SSH? Looks like you can 2FA any damn thing these days.
Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow
That's actually a great idea.
From personal experience it sounds great, until it stops working....
Sadly I also don't think there's a way to combine 2FA with public-key logins.
Authentication seems to be either password only, mediated by SSH and handled by PAM; public key, mediated and handled by SSH; or password/2FA/others combined, mediated and handled by PAM.
Public key still seems the better option, and more flexible for locking down with 'from=' and 'command='.
If anyone does know a way to combine keys with 2FA I'd be fascinated to know.
Why should it stop working?
2FA via PAM should work just fine in combination with pubkey auth for ssh
I agree with you there. If there is a targeted attack on my server, there is very little I can do, given my knowledge, except just turn it off for a few days and hope they go away. That being said, I doubt I'll be targeted for hacks given that I do not provide any services from my websites. I'm mostly worried about the generalized attacks.
Not sure how to do the IP whitelist for SSH, but it sounds like a good idea. Does anyone have any "for dummies" tutorials on it?
I had set up the fail2ban rule previously. It came with Virtualmin at that time. Now I am not using any panels, so I'll see how to get it working without it coming preinstalled.
Looked at it. Tried the Google Authy thing. Gave up on it. Instructions unclear, penis stuck in SSH.
That would be the best solution, but 2FA and password authentication is still good enough.
That happens when you don't sync your server time with NTP and your server time goes out of sync. 2FA codes are based on time, so even 30s of time out of sync is enough to completely break it.
All the tutorials I saw only talked about password auth though.
Scratch that, this tutorial worked fine: https://ubuntu.com/tutorials/configure-ssh-2fa
Turns out, my ssh client was the issue on the Windows machine. PuTTY is the way to go. On Linux/Mac, the terminal (or terminal emulator) works fine with TOTP.
Although I do wish there was a non-google way to go about it...
A non-Google authenticator app? There are several on F-Droid.
Edit: Oh I think you meant the PAM bit.
Use libpam-oath and Authy if that makes you feel better.
Or whatever other app you feel comfortable with.
https://www.g2.com/categories/multi-factor-authentication-mfa
I've always considered public key logins to be 2FA - something you have ( the key file ) and something you know ( the password to the key file ). It's not OTP but it is 2FA.
Ya, cause I'm using the TOTP Authenticator app for Android on my phone... My Chinese phone that runs Google's Android... Nevermind. I guess Google's Authy will do fine.
Looks like Google was the easiest to set up. Now I just have to ensure my server time sync doesn't break, as I only have a few offline keys to log in without the TOTP...