
Changing Your SSH Port Does Lower Your Risk - danielrm26
http://danielmiessler.com/blog/security-and-obscurity-does-changing-your-ssh-port-lower-your-risk
======
DoubleCluster
Sure it does. It does make your life more annoying as you have to specify the
port every time (and you have to remember it). Some software/firewalls/proxy
servers may have trouble with the nonstandard port. If all that is not a
problem then go ahead.

Another very nice trick to hide a service is port knocking.
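As an added illustration of the port-knocking idea mentioned above (this is not code from the thread or from any knock daemon), the following Python models the per-source state machine such a daemon keeps: the service port stays closed to everyone until a source hits a secret sequence of ports in order within a time window, a wrong port or a timeout resets that source's progress, and the opening expires after a short time. The sequence, timings and addresses are constructed values.

```python
"""Port-knocking state machine, per source address.

Added example, not code from the thread.  Sequence, window, addresses and
timings are constructed for illustration.
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed secret sequence
KNOCK_WINDOW_S = 10.0                 # whole sequence must arrive within this
OPEN_FOR_S = 30.0                     # how long the port stays open afterwards
SERVICE_PORT = 22


class KnockDaemon:
    def __init__(self):
        self.progress = {}   # src -> (knocks matched so far, time of first knock)
        self.opened = {}     # src -> time at which the opening expires

    def observe(self, src, port, t):
        """Feed one inbound SYN to a closed port.  Returns True when this knock
        completes the sequence and opens SERVICE_PORT for src."""
        matched, started = self.progress.get(src, (0, t))
        if matched and t - started > KNOCK_WINDOW_S:
            matched = 0                              # too slow: start over
        if port == KNOCK_SEQUENCE[matched]:
            if matched == 0:
                started = t
            matched += 1
        else:
            # a wrong port resets progress; the knock may still be a fresh first knock
            matched, started = (1, t) if port == KNOCK_SEQUENCE[0] else (0, t)
        if matched == len(KNOCK_SEQUENCE):
            self.progress.pop(src, None)
            self.opened[src] = t + OPEN_FOR_S
            return True
        self.progress[src] = (matched, started)
        return False

    def allowed(self, src, port, t):
        """Firewall decision for a packet to the service port."""
        expiry = self.opened.get(src)
        return port == SERVICE_PORT and expiry is not None and t < expiry


def scenario():
    """Constructed traffic: a sequential sweep, a too-slow knock, a good knock."""
    d = KnockDaemon()
    scanner, admin = "203.0.113.9", "198.51.100.7"   # constructed addresses
    # A sequential sweep crosses 7000, 8000 and 9000 in order, but the ports in
    # between reset the progress, so the sweep never opens the service.
    sweep_opened = any(d.observe(scanner, p, 0.01 * i)
                       for i, p in enumerate(range(6999, 9002)))
    # Right ports, but 15 s between first and last knock: outside the window.
    slow = [d.observe(admin, 7000, 100.0),
            d.observe(admin, 8000, 103.0),
            d.observe(admin, 9000, 115.0)]
    # Same sequence inside the window opens the port for OPEN_FOR_S seconds.
    fast = [d.observe(admin, 7000, 120.0),
            d.observe(admin, 8000, 121.0),
            d.observe(admin, 9000, 122.0)]
    return {
        "sweep_opened": sweep_opened,
        "slow_opened": any(slow),
        "fast_opened": fast[-1],
        "admin_ssh_in_window": d.allowed(admin, 22, 130.0),
        "admin_ssh_after_expiry": d.allowed(admin, 22, 153.0),
        "scanner_ssh": d.allowed(scanner, 22, 130.0),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The reset on a wrong port is what defeats an ordinary sequential port sweep, which otherwise hits the knock ports in the right order; the expiry keeps the opening from becoming a permanent allowlist entry.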

~~~
ArbitraryCrow
For a while, I put my home ssh server on port 443. It avoided the SSH
credential guessing attacks, and still let me use a port that is allowed out
by most firewalls.

However, I eventually went back to port 22, for several reasons. It's annoying
to specify a port every time. A lot of networks transparently proxy port 443,
which can cause problems with non-SSL traffic. The login attempts were
exclusively from bots trying known credentials, which will not work anyway.
They are not a threat, just an annoyance.

Instead, I use the iptables limit feature to allow no more than 6 new TCP
connections a second. This is more than enough for my purposes. Root login is
disabled and I'm using a sufficiently complex password on my user account that
I don't need to worry about brute-force guessing. Not that anyone has ever
attempted such a thing on my home server, but now it will take too much time
to be feasible.

I still get the login attempts, but they are much fewer now, and are no more
than a curiosity in the auth.log file.
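To show what the iptables limit feature described above actually does to a burst of connection attempts, here is an added Python model (not code from the thread or from iptables). It treats a rule of the shape `-m conntrack --ctstate NEW -m limit --limit 6/second --limit-burst 5` as a token bucket shared by the whole rule, and puts it next to a per-source variant in the spirit of `-m hashlimit --hashlimit-mode srcip`. The caveat it makes visible: the plain `limit` match is one bucket for everyone, so while a bot is hammering the port, the legitimate user's own new connection can be the one that gets dropped. Addresses, timings and burst size are constructed values.

```python
"""Token-bucket model of iptables rate limiting for new SSH connections.

Added example, not code from the thread.  Arithmetic is kept in integer
milli-tokens and milliseconds so the outcome is exact.
"""

RATE_PER_SEC = 6       # --limit 6/second
BURST = 5              # --limit-burst (iptables' default)
UNIT = 1000            # one token = 1000 milli-tokens


class TokenBucket:
    """Credits refill at RATE_PER_SEC; a SYN is admitted only if a whole token is available."""

    def __init__(self):
        self.tokens = BURST * UNIT
        self.last_ms = 0

    def admit(self, t_ms):
        # events must arrive in non-decreasing time order
        refill = RATE_PER_SEC * UNIT * (t_ms - self.last_ms) // 1000
        self.tokens = min(BURST * UNIT, self.tokens + refill)
        self.last_ms = t_ms
        if self.tokens >= UNIT:
            self.tokens -= UNIT
            return True
        return False


def filter_global(events):
    """One bucket for the rule, like `-m limit`."""
    bucket = TokenBucket()
    return [(src, t, bucket.admit(t)) for src, t in sorted(events, key=lambda e: e[1])]


def filter_per_source(events):
    """One bucket per source address, like `-m hashlimit --hashlimit-mode srcip`."""
    buckets = {}
    return [(src, t, buckets.setdefault(src, TokenBucket()).admit(t))
            for src, t in sorted(events, key=lambda e: e[1])]


def summarize(decisions):
    """Number of admitted SYNs per source."""
    counts = {}
    for src, _, ok in decisions:
        counts[src] = counts.get(src, 0) + int(ok)
    return counts


BOT, ADMIN = "203.0.113.9", "198.51.100.7"   # constructed addresses


def scenario():
    """A bot sends 30 SYNs over 300 ms; the admin's single SYN lands at 205 ms."""
    events = [(BOT, t) for t in range(0, 300, 10)] + [(ADMIN, 205)]
    return summarize(filter_global(events)), summarize(filter_per_source(events))


if __name__ == "__main__":
    shared, per_source = scenario()
    print("shared bucket: ", shared)
    print("per-source:    ", per_source)
```

With the shared bucket the bot gets its 5-token burst plus one refill and the admin's attempt is dropped; with per-source buckets the bot is throttled the same way and the admin's attempt goes straight through.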

~~~
danielrm26
Keep in mind that you can just set the port in your SSH config and you won't
have to set it every time.

~~~
ArbitraryCrow
Yes, but it would have to be done on every system that I use to access my
server. Also, not all systems use the standard OpenSSH Unix client, or they
may not allow access to the user configuration files. So changing the port is
just an annoyance, and it doesn't really accomplish anything. My real account
is safe, and having a few failed login attempts for admin and root in my log
file doesn't really bother me.

I am not advising against changing the port; it just has no value for me as I
currently use SSH.

------
16s
That's why tanks are painted camo. It works.

------
cpncrunch
Better to only permit logins from specific IPs.

~~~
astrodust
Better until you need to log in from a place that's not on that exclusive
list. Then way worse.

~~~
cpncrunch
Been in that situation, and now I have a solution to allow me to update the
list (which I don't want to discuss here). Basically I open a very small
potential hole, but plug the much larger hole of wide open ssh port.

------
jamescun
This is hardly surprising considering that most of the unauthorised access
attempts your server will see will be automated bots trying port 22, and it is
not worthwhile for the bot to try all other ports.

~~~
danielrm26
That's exactly the point, isn't it?

