Web Hosting Talk : Hosting Security and Technology

Moving SSH back to port 22 but will root be at risk?
#1  04-26-2008, 05:21 PM
Mac Write (Web Hosting Guru, joined Mar 2001, 348 posts)


At present I run SSH on a different port than normal to protect root. This has worked for two years, but having discovered that cPanel finally supports SFTP without shell access being needed, I want to finally turn off FTP and require SFTP. The problem is the port I am using. Since it's a random port, I have been secured against root attacks (well, nothing has shown up). I am with LiquidWeb, which is fully managed, so I guess they take care of a lot of prevention.

This is what I am thinking of doing: move SSH back to port 22 (I only host a few friends' sites and want to be hosting 20 accounts by the end of the year to cover my costs), then disable the root password and require SSH keys. Would this be as secure as running SSH on a high-numbered port, or am I fooling myself?

I could also add, for good measure, restricting root SSH/SFTP (yes, I prefer SFTP for file management, as I am legally blind and using Transmit + BBEdit is a lot easier for me for editing files). The problem with restricting to certain IPs is that Shaw charges $30/month more for a static IP, and I am also at my mom's 25% of the time (and she is also with Shaw). I think the XXXX.vs.shawcable.net is static, but I am not 100% sure.

Any other suggestions? I really do want to kill FTP so that port 80 is the only non-SSL port open.

Thanks all

#2  04-26-2008, 05:28 PM
layer0 (Performance Specialist, New York, NY, joined Dec 2004, 10,349 posts)
Why not continue to use the custom port with SFTP?

#3  04-26-2008, 05:44 PM
Mac Write (Web Hosting Guru, joined Mar 2001, 348 posts)
Because then everyone has to remember it. True, since I have to give out the port number, it does blow the secrecy.

#4  04-26-2008, 06:06 PM
deadland (Newbie, joined Apr 2006, 8 posts)
Quote: Originally Posted by Mac Write (post #1 above, quoted in full)

First, the best thing to protect your root password is a strong password. Second, since your server is fully managed, you don't need to be worried. Changing from port to port won't stop malicious guys from hacking into the server. SFTP can handle all the file management that you need; you only need to use SSH if you need to configure something manually on the server.

#5  04-26-2008, 06:16 PM
zacharooni (Community Guide, joined Apr 2005, 1,275 posts)
Or get PuTTYgen, create a key, disable password authentication, but put a password on your key, then just log in with the key, and it will block password-based login attempts.

#6  04-26-2008, 06:33 PM
layer0 (Performance Specialist, New York, NY, joined Dec 2004, 10,349 posts)
Quote: Originally Posted by Mac Write
Because then everyone has to remember it. True, since I have to give out the port number, it does blow the secrecy.
If it's just a few friends of yours that you're hosting, it shouldn't be too bad. If you'd like to avoid lots of automated brute-force attacks, I feel you're better off this way.

As far as remembering it, they shouldn't have to, as it should be saved in their SFTP client.

#7  04-26-2008, 06:53 PM
twhiting9275 (Who am I?, Among the corn, joined Sep 2002, 9,637 posts)
Quote: Since it's a random port, I have been secured against root attacks (well, nothing has shown up).
This provides absolutely no 'security' against root attacks whatsoever. It merely hides an ssh port, and believe me, it's NOT that hard to find out what port you moved it to.

This is known as 'security by obscurity', moving ports, hiding banners (version information, etc), and it never, ever works as well as proper security.

Whoever told you that you were 'secured against root attacks' obviously lied to you.

Now, using keys is a great option, especially if you're going back to port 22. Forcing root to use ssh keys is always best anyways.

#8  04-26-2008, 07:49 PM
Jeremy (Remote hands for Los Angeles, Los Angeles, CA, joined Feb 2003, 2,490 posts)
Use port 22, make an su account (i.e. disable direct root login), and firewall port 22 to a few IPs/subnets... seems faster...

#9  04-27-2008, 03:53 AM
Mac Write (Web Hosting Guru, joined Mar 2001, 348 posts)
I thought it was more secure. Also, I tried making keys, even without passphrases (as that defeats the purpose of keys, according to an article on MacWrite.com), but when I tried using it in Terminal it still asked for a password (with a GUI dialogue box), and with the correct passphrase it didn't work.


Here are my ideas:
  • Move SSH back to port 22
  • Require keys for root
  • Only allow root from LiquidWeb IPs and (hopefully this will work) my static host names from Shaw.
Security-wise, how does this compare to my current port XX,XXX with root password? Also, I use SFTP with Transmit (in which I can't find a place to enter SSH keys), which launches BBEdit for editing files. This is easier for me due to my vision, etc.
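The plan in this post (port 22, keys only for root, root accepted only from a short list of addresses) written out as an sshd_config, together with a small audit script, as an added example; it is not from the thread, LiquidWeb or cPanel. The port 22022, the addresses 203.0.113.0/24 and 198.51.100.7 and the group name sftponly are placeholders, not values from the thread. The script encodes two sshd_config rules that a plain grep misses: sshd takes the first value it sees for a keyword, and keywords under a Match line are conditional, so they do not count as the global setting.

```shell
#!/bin/sh
# Added example (not from the thread, LiquidWeb or cPanel): the plan above as
# an sshd_config, plus a small audit that answers the thread's question
# "can root still log in with a password?" against a given config file.
#
# Two sshd_config rules the audit encodes:
#   1. sshd takes the FIRST value it sees for a keyword; later duplicates
#      are ignored, so a stray early "PasswordAuthentication yes" wins.
#   2. Keywords after a "Match" line apply only when its criteria match,
#      so they are conditional and are not counted as the global value.

# effective_setting FILE KEYWORD
# Prints the first global (pre-Match) value of KEYWORD, lowercased, or
# nothing if the keyword is not set globally. Keywords are case-insensitive
# and "Keyword value" / "Keyword=value" are both accepted, as in sshd.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                 # strip indentation
        /^#/ || NF == 0 { next }               # skip comments and blank lines
        {
            n = split($0, f, "[ \t=]+")
            k = tolower(f[1])
            if (k == "match") exit             # rest of the file is conditional
            if (k == key && n >= 2) { print tolower(f[2]); exit }
        }
    ' "$1"
}

# root_password_login_possible FILE -> prints "yes" or "no"
# Absent keywords get the OpenSSH defaults of the thread's era: PermitRootLogin
# yes (prohibit-password since OpenSSH 7.0), PasswordAuthentication yes, and
# ChallengeResponseAuthentication yes (keyboard-interactive via PAM, which can
# still prompt for the Unix password even when PasswordAuthentication is no;
# newer releases spell it KbdInteractiveAuthentication).
root_password_login_possible() {
    prl=$(effective_setting "$1" PermitRootLogin)
    pwa=$(effective_setting "$1" PasswordAuthentication)
    cra=$(effective_setting "$1" ChallengeResponseAuthentication)
    [ -n "$cra" ] || cra=$(effective_setting "$1" KbdInteractiveAuthentication)
    [ -n "$prl" ] || prl=yes
    [ -n "$pwa" ] || pwa=yes
    [ -n "$cra" ] || cra=yes
    case "$prl" in
        no|without-password|prohibit-password|forced-commands-only) echo no ;;
        *) if [ "$pwa" = yes ] || [ "$cra" = yes ]; then echo yes; else echo no; fi ;;
    esac
}

# Constructed sample 1: the setup described in the thread, SSH on a high
# port with root logging in by password. 22022 is a placeholder; the
# thread's real port is not given.
write_current_config() {
    cat > "$1" <<'EOF'
Port 22022
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample 2: the plan from the post above. 203.0.113.0/24 and
# 198.51.100.7 are documentation addresses standing in for the hosting
# company's and the admin's IPs; "sftponly" is an assumed group name.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# root may log in, by key only, from the allow-listed addresses.
Match User root Address 203.0.113.0/24,198.51.100.7
    PermitRootLogin without-password

# Hosting accounts in this group get SFTP but no shell: sshd serves SFTP
# in-process, so their login shell can be /sbin/nologin.
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Stand-alone demo: audit both constructed configs and print the verdicts.
demo_dir=$(mktemp -d)
write_current_config "$demo_dir/current"
write_hardened_config "$demo_dir/hardened"
for name in current hardened; do
    printf '%-8s port=%-5s root password login possible: %s\n' "$name" \
        "$(effective_setting "$demo_dir/$name" Port)" \
        "$(root_password_login_possible "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

Run it with `sh audit.sh` to see the verdict for both constructed configs; point `root_password_login_possible` at a real `/etc/ssh/sshd_config` to audit a server. Two things to check before relying on such a config on a live box: Match Address takes IP addresses and CIDR blocks, not hostnames, so the Shaw hostnames from the post would have to go through `Match Host` or an authorized_keys `from="*.vs.shawcable.net"` option, both of which depend on a reverse DNS lookup of the client address; and validate the file with `sshd -t -f /path/to/sshd_config` and keep an existing session open while reloading sshd, since a mistake in PermitRootLogin or a Match block locks you out.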

#10  04-27-2008, 07:06 AM
racked_solutions (Temporarily Suspended, Bury St Edmunds, joined Apr 2008, 158 posts)
You could always bind SSH to a subdomain so you log in by going to ssh.yourdomain.com; I read it in a tutorial somewhere on WHT.

To be honest just disabling password logins and switching to keys is more than enough.

#11  04-27-2008, 07:09 AM
Finer - Jack (Junior Guru Wannabe, London, UK, joined May 2007, 53 posts)
I would agree that switching to keys is more than enough for very good protection.

But it really cannot harm to have SSH on another port. If only a few people need access to it.

#12  04-27-2008, 10:11 AM
derek.bodner (Web Hosting Master, Philadelphia, Pa, joined Nov 2001, 949 posts)
Quote: Then disable the root password and require SSH keys. Would this be as secure as running SSH on a high-numbered port, or am I fooling myself?
It's much stronger than running ssh on a different port.

#13  04-27-2008, 02:10 PM
Orien (iNET Interactive, San Francisco, joined May 2006, 7,163 posts)
Running SSH on a different port from 22 only prevents the basic brute force attacks that target port 22. Anyone who really wants to attack your server can easily find out which port SSH is really running on.

Using SSH keys on port 22 should be safe enough.

#14  04-27-2008, 03:27 PM
RBBOT (Web Hosting Evangelist, joined Dec 2006, 477 posts)
It always makes me laugh when people suggest that the "security through obscurity" of moving your ssh port is of no security value.

It may not add to the protection against attacks specifically targeted at your individual server, but 99% of attacks aren't targeted at specific servers. Were a buffer overflow to be discovered in openssl, it would protect you against the storm of bots that would emerge connecting to port 22 on random IP addresses, so if you have no need to run it on the default port, you should still move it in addition to the other security measures suggested.

#15  04-27-2008, 09:43 PM
Mac Write (Web Hosting Guru, joined Mar 2001, 348 posts)
Would running it on port 22 and restricting root access to XX IPs, as well as SSH keys, be safe from the 99% of attacks, or would doing those security measures and running it on a separate port be better (or make no difference at all)?
