
#1 2008-07-23 22:54:21

crouse
Arch Linux f@h Team Member
From: Iowa - USA
Registered: 2006-08-19
Posts: 907

Why changing the default port on ssh is a good idea.

Thought some of you might find this interesting. No one gets in, but it's funny how just changing the port number on ssh will stop 99.99% of the stupid attacks (some random bot repeatedly attempting to gain access). Several other things SHOULD be changed in the ssh config file also, not just the port number, but this one provides the most eye-opening reasons to be secure.

Installed server on Jul 17th ..... less than 5 days later, well, you get the idea.
wtmp begins Thu Jul 17 21:57:08 2008

[root@VistaCrusher1 ~]# lastb | wc -l
25349

Needless to say, I'll go change that shortly, along with several other security precautions. I just wanted to see how many hits I'd get in 5 days :)  That, and I wanted to see who came back ;)


#2 2008-07-24 00:03:48

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602

Re: Why changing the default port on ssh is a good idea.

iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.

### START SECURITY RULES ###
# Don't limit SSH from known addresses
# xxx.xxx.xxx.xxx
iptables        -A forwarding_wan -p tcp --dport 22 -s xxx.xxx.xxx.xxx -j ACCEPT

# SSH rate limiting from unknown IP addresses
# Allow 2 chances in 10 minutes to connect, reject after that
iptables        -A forwarding_wan -p tcp --dport 22 -m state --state NEW -m recent --set
iptables        -A forwarding_wan -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP

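As an added example (not code from the thread), the detail behind the bare `lastb | wc -l` count in post #1 and the rate limiting in post #2: it parses failed-login lines from sshd's auth log, counts them per source, and replays them through the same "3 hits within 600 seconds" logic as the `recent` rules above, so you can see which attempts the ruleset would have dropped and that a slow, legitimate user is left alone. The log lines, hostname and addresses are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
# Constructed sample of the lines sshd writes to the auth log (not real log data).
SAMPLE_LOG = """\
Jul 22 03:14:15 server sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Jul 22 03:14:19 server sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 40212 ssh2
Jul 22 03:14:23 server sshd[2205]: Failed password for root from 203.0.113.7 port 40213 ssh2
Jul 22 03:14:27 server sshd[2207]: Failed password for root from 203.0.113.7 port 40214 ssh2
Jul 22 08:30:01 server sshd[2300]: Failed password for crouse from 198.51.100.4 port 50123 ssh2
Jul 22 08:45:10 server sshd[2302]: Failed password for crouse from 198.51.100.4 port 50124 ssh2
Jul 22 09:05:00 server sshd[2304]: Failed password for crouse from 198.51.100.4 port 50125 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Return (timestamp, user, source_ip) per failed password line; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def failures_by_source(events):
    """Per-source totals: the breakdown a bare 'lastb | wc -l' hides."""
    return dict(Counter(ip for _, _, ip in events))

def simulate_recent_rule(events, seconds=600, hitcount=3):
    """Replay attempts through the 'recent' rules above: --set records every hit, then
    --update --seconds N --hitcount H drops a source with H or more hits in the last N seconds."""
    seen = defaultdict(deque)
    dropped = {}
    for ts, _, ip in sorted(events):
        window = seen[ip]
        window.append(ts)  # the --set rule runs before the DROP rule, so even dropped hits are recorded
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()  # expire records older than the --seconds window
        dropped[ip] = dropped.get(ip, 0) + (len(window) >= hitcount)
    return dropped

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print(failures_by_source(evs))   # {'203.0.113.7': 4, '198.51.100.4': 3}
    print(simulate_recent_rule(evs))  # {'203.0.113.7': 2, '198.51.100.4': 0}
```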

#3 2008-07-24 01:20:48

crouse
Arch Linux f@h Team Member
From: Iowa - USA
Registered: 2006-08-19
Posts: 907

Re: Why changing the default port on ssh is a good idea.

Yes, that does it too, but at the expense of CPU cycles (not that that's a huge deal or anything), whereas simply changing the port will stop 99.99% of them. I have servers that have the ssh port set to non-standard ports, and zero hits in over two years. So, if I change ports AND add the iptables rules, AND change some more settings in the sshd_config file, even better :)  I just thought it was very telling. I knew port 22 got hammered at times by attackers, just didn't think it was THAT rampant. It had been so long since I'd had a port 22 open that I was a bit surprised at the results.


#4 2008-07-24 17:19:46

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: Why changing the default port on ssh is a good idea.

It helps too if you make sure the port is outside a default nmap scan. I usually use a 5 digit port.

Additionally, setting the delay between password attempts to something obscene is usually fun (like 10 seconds). It stops that crap real fast

Remember? I'm the one who got hacked, here


#5 2008-07-24 17:51:22

jo3
Member
Registered: 2007-08-18
Posts: 112

Re: Why changing the default port on ssh is a good idea.

phrakture wrote:

Additionally, setting the delay between password attempts to something obscene is usually fun (like 10 seconds). It stops that crap real fast

Is that done with the LoginGraceTime option?


#6 2008-07-24 18:33:43

daf666
Member
Registered: 2007-04-08
Posts: 470

Re: Why changing the default port on ssh is a good idea.

I intentionally use the default port without IPTables.. I like it that my computer is a living breathing Internet node..  I do not pheare the h4x0rs


#7 2008-07-24 19:42:25

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Why changing the default port on ssh is a good idea.

toofishes wrote:

iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.

Using .ssh/config also saves me any hassle when using a random port.
One example here: http://lookherefirst.wordpress.com/2007 … nfig-file/


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))


#8 2008-07-25 01:49:32

crouse
Arch Linux f@h Team Member
From: Iowa - USA
Registered: 2006-08-19
Posts: 907

Re: Why changing the default port on ssh is a good idea.

The /etc/ssh/sshd_config file has TONS of options that will severely limit any type of intrusion via ssh.

Set default port to high non-standard port.
Set time to login to a low number
Set allowed users !!!!
Set number of login attempts and time it locks out bad attempts
Set allowed IP addresses
Disable root login

All sorts of good stuff in there...... definitely worth changing many of the defaults. ;)
It can take you from 25,000 attempts in 5 days.......to ZERO in two years. The config file changes are very simple to implement.

Now, I must say, I DO like toofishes' iptables rules :D :D ----- I did copy that for future reference :)
I am about 99.99% sure I won't ever need it, as ssh is a great tool all on its own, but if I ever get uber-paranoid, what the heck, I'll use it as well :)

Last edited by crouse (2008-07-25 01:50:21)

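A config audit for the checklist in the post above, added here as an example (it is not code from the thread): it reads an sshd_config the way sshd does (first value of a keyword wins, Port may repeat, anything after a Match line is conditional) and reports which of the listed hardenings are in place. The sample config, the user names, the addresses and the "good enough" thresholds are constructed.

```python
import re

# Constructed sshd_config covering each item in the list above (an example, not the poster's file).
HARDENED = """\
# High non-standard port instead of 22
Port 48222
# Drop unauthenticated connections after 30 s (default 2m); close after 3 failed attempts (default 6)
LoginGraceTime 30
MaxAuthTries 3
# Only these accounts, and only from these addresses, may log in
AllowUsers crouse@192.0.2.* backup@198.51.100.4
PermitRootLogin no
"""

def to_seconds(value):
    """sshd time value: bare seconds or a number with an s/m/h/d suffix."""
    n, unit = re.fullmatch(r"(\d+)([smhd]?)", value.lower()).groups()
    return int(n) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]

def parse_sshd_config(text):
    """Global directives, keywords lowercased. sshd keeps the first value it sees for a
    keyword (Port may repeat, so it is a list); lines after a Match are conditional and skipped."""
    conf = {"port": []}
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(.+)", raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank or comment line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "port":
            conf["port"].append(value)
        else:
            conf.setdefault(key, value)
    return conf

def audit(conf, max_grace=60, max_tries=4):
    """One True/False per item in the list above; absent keywords get the OpenSSH defaults of the
    thread's era (PermitRootLogin yes then; prohibit-password since OpenSSH 7.0)."""
    ports = conf["port"] or ["22"]
    allow = conf.get("allowusers", "").split()
    return {
        "non-default port": all(p != "22" for p in ports),
        "short login grace time": to_seconds(conf.get("logingracetime", "2m")) <= max_grace,
        "allowed users set": bool(allow),
        "login attempts limited": int(conf.get("maxauthtries", "6")) <= max_tries,
        "allowed addresses set": bool(allow) and all("@" in u for u in allow),
        "root login disabled": conf.get("permitrootlogin", "yes").lower() == "no",
    }
```

Running `audit(parse_sshd_config(HARDENED))` gives True for every item, while a file that leaves the defaults alone (for example just `Port 22` and `PermitRootLogin yes`) fails all six.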

#9 2008-07-25 05:32:52

robmaloy
Member
From: Germany
Registered: 2008-05-14
Posts: 263

Re: Why changing the default port on ssh is a good idea.

Can I set sshd to listen on 22 for 1 specific IP address? My company's SOCKS proxy won't let me use another.

Or should I use iptables for that?


☃ Snowman ☃


#10 2008-07-25 07:10:44

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: Why changing the default port on ssh is a good idea.

robmaloy wrote:

can i set sshd to listen on 22 for 1 specific IP address?

crouse wrote:

Set allowed IP addresses


#11 2008-07-25 17:30:10

robmaloy
Member
From: Germany
Registered: 2008-05-14
Posts: 263

Re: Why changing the default port on ssh is a good idea.

tomk wrote:
robmaloy wrote:

can i set sshd to listen on 22 for 1 specific IP address?

crouse wrote:

Set allowed IP addresses

I should properly describe what I want ;)


I want to use port 22 for my IP at work and port XYZ from anywhere else (we can only SSH through a SOCKS server).

Solution (if anyone is interested):
iptables -t nat -A PREROUTING -p tcp -s $IP_AT_WORK --dport 22 -j REDIRECT --to-port $CHANGED_PORT

Last edited by robmaloy (2008-07-25 17:31:38)


☃ Snowman ☃


#12 2008-07-25 17:54:48

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: Why changing the default port on ssh is a good idea.

You can e.g. have dropbear listening on multiple ports at the same time. I don't know if that works for OpenSSH.

As for restricting logins, you could implement two firewall rules:
- allow logging in over port 22 only from IP xx.xx.xxx.xxx
- allow logging in over port XXX from all other addresses


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#13 2008-08-11 18:21:18

meqif
Member
From: Portugal
Registered: 2006-12-16
Posts: 60

Re: Why changing the default port on ssh is a good idea.

toofishes wrote:

iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.

You can define the default ssh port for specific servers in /etc/ssh/ssh_config:

Host myhost.net
    Port 65535

Ricardo Martins ><>< ricardomartins.cc ><>< GPG key: 0x1308F1B4


#14 2008-08-11 18:30:07

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Why changing the default port on ssh is a good idea.

meqif wrote:
toofishes wrote:

iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.

You can define the default ssh port for specific servers in /etc/ssh/ssh_config:

Host myhost.net
    Port 65535

I think I mentioned that already:
http://bbs.archlinux.org/viewtopic.php? … 31#p397031

Even though it is the user settings rather than system-wide settings, it is still the same tip.


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))


#15 2008-08-11 18:40:56

meqif
Member
From: Portugal
Registered: 2006-12-16
Posts: 60

Re: Why changing the default port on ssh is a good idea.

@shining: You're right, I didn't notice your post. Sorry for the noise.

Last edited by meqif (2008-08-11 18:41:27)


Ricardo Martins ><>< ricardomartins.cc ><>< GPG key: 0x1308F1B4

