  1. #1

    Moving SSH back to port 22 but will root be at risk?

    At present I run SSH on a different port than normal to protect root. This has worked for two years, but with discovering that cPanel finally supports SFTP without shell access needed, I want to finally turn off FTP and require SFTP. The problem is the port I am using. Since it's a random port I have been secured against root attacks (well, nothing has shown up). I am with LiquidWeb, which is fully managed, so I guess they take care of a lot of prevention.

    This is what I am thinking of doing: move SSH back to port 22 (I only host a few friends' sites and want to be hosting 20 accounts by the end of the year to cover my costs), then disable the root password and require SSH keys. Would this be as secure as running SSH on a high port #, or am I fooling myself?

    I could also add in, for good measure, restricting root SSH/SFTP (yes, I prefer SFTP for file management as I am legally blind and using Transmit+BBEdit is a lot easier for me for editing files). The problem with restricting to certain IPs is that Shaw charges $30/month more for a static IP, and I am also at my mom's 25% of the time (and she is also with Shaw). I think the XXXX.vs.shawcable.net is static but I am not 100% sure.

    Any other suggestions? I really do want to kill FTP so that port 80 is the only non-SSL port open.

    Thanks all

  2. #2
    Why not continue to use the custom port with SFTP?

  3. #3
    Because then everyone has to remember it. True, since I have to give out the port #, it does blow the secrecy.

  4. #4
    Quote Originally Posted by Mac Write (post #1 above, quoted in full)
    First, the best thing to protect your root password is a strong password. Second, since your server is fully managed you don't need to be worried. Changing the port won't stop malicious guys from hacking into the server; SFTP can handle all the file management that you need. You only have to use SSH if you need to configure something manually on the server.

  5. #5
    Or get PuTTYgen, create a key, disable password authentication, but put a password on your key, then just log in with the key, and it will block password-based login attempts.

  6. #6
    Quote Originally Posted by Mac Write
    Because then everyone has to remember it. True since I have to give out the port #, it does blow the secrecy.
    If it's just a few friends of yours that you're hosting, it shouldn't be too bad. If you'd like to avoid lots of automated brute-force attacks, I feel you're better off this way.

    As far as remembering it, they shouldn't have to, as it should be saved in their SFTP client.

  7. #7
    Since it's a random port I have been secured against root attacks (well nothing has shown up).
    This provides absolutely no 'security' against root attacks whatsoever. It merely hides an ssh port, and believe me, it's NOT that hard to find out what port you moved it to.

    This is known as 'security by obscurity' (moving ports, hiding banners, version information, etc.), and it never, ever works as well as proper security.

    Whoever told you that you were 'secured against root attacks' obviously lied to you.

    Now, using keys is a great option, especially if you're going back to port 22. Forcing root to use ssh keys is always best anyways.

  8. #8
    Use port 22, make an su account (i.e. disable direct root login), and firewall port 22 to a few IPs/subnets... seems faster...

  9. #9
    I thought it was more secure. Also, I tried making keys, even without passphrases (as that defeats the purpose of keys according to an article on MacWrite.com), but when I tried using it in Terminal it still asked for a password (with a GUI dialogue box), and the correct passphrase didn't work.

    Here are my ideas:

    • Move SSH back to port 22
    • Require keys for root
    • Only allow root from LiquidWeb IPs and (hopefully this will work) my static host names from Shaw.

    Security-wise, how does this compare to my current port XX,XXX with root password? Also I use SFTP using Transmit (in which I can't find a place to enter SSH keys), which launches BBEdit for editing files. This is easier for me due to my vision etc.
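    The plan in this post, written out as an sshd_config that an added example (not from the thread, cPanel or LiquidWeb) generates and audits: port 22, keys only, and root allowed only from listed sources. The addresses used in the test are constructed placeholders for the hosting company's and the poster's own sources.

```shell
#!/bin/sh
# Added example, not from the thread: the sshd_config behind the plan in
# post #9 (port 22, keys only, root only from listed sources), the current
# weak settings beside it, and a small audit of the global defaults.
# All addresses are constructed placeholders.

# Roughly what the poster runs today: an obscure port and root with a password.
WEAK_CONFIG='Port 22222
PermitRootLogin yes
PasswordAuthentication yes
'

# hardened_sshd_config SOURCES: print a config in which SOURCES (comma-separated
# addresses or CIDR blocks) are the only places root may come from, key-only.
# Match Host could do this by client hostname instead, but it needs UseDNS
# and trusts reverse DNS, so addresses are used here.
hardened_sshd_config() {
    cat <<EOF
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Global default: root cannot log in at all...
PermitRootLogin no
# ...except from these sources, and then only with a key. Newer OpenSSH
# spells this value "prohibit-password" and still accepts the old name.
Match Address $1
    PermitRootLogin without-password
EOF
}

# audit_sshd_config FILE: report weak global settings; exit status 0 if clean.
# Only directives before the first Match block are the global defaults.
audit_sshd_config() {
    globals=$(awk 'tolower($1) == "match" { exit } { print }' "$1")
    rc=0
    printf '%s\n' "$globals" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' \
        || { echo "FINDING: password authentication is still enabled"; rc=1; }
    printf '%s\n' "$globals" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+(no|without-password|prohibit-password)' \
        || { echo "FINDING: root may log in with a password"; rc=1; }
    return $rc
}
```

    Validate the generated file with `sshd -t -f FILE` before installing it, and keep an existing session open while you restart sshd.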

  10. #10
    You could always bind SSH to a subdomain so you log in by going to ssh.yourdomain.com; I read it in a tutorial somewhere on WHT.

    To be honest just disabling password logins and switching to keys is more than enough.

  11. #11
    I would agree that switching to keys is more than enough for very good protection.

    But it really cannot harm to have SSH on another port. If only a few people need access to it.

  12. #12
    Then disabled root password and require SSH keys. Would this be strong as secure as running SSH on a high #port or am I fooling myself.
    It's much stronger than running ssh on a different port.

  13. #13
    Running SSH on a different port from 22 only prevents the basic brute force attacks that target port 22. Anyone who really wants to attack your server can easily find out which port SSH is really running on.

    Using SSH keys on port 22 should be safe enough.

  14. #14
    It always makes me laugh when people suggest that the "security through obscurity" of moving your ssh port is of no security value.

    It may not add to the protection against attacks specifically targeted at your individual server, but 99% of attacks aren't targeted at specific servers. Were a buffer overflow to be discovered in openssl, it would protect you against the storm of bots that would emerge connecting to port 22 on random IP addresses, so if you have no need to run it on the default port, you should still move it in addition to the other security measures suggested.

  15. #15
    Would running it on port 22 and restricting root access to XX IPs as well as SSH keys be safe from the 99% of attacks, or would doing those security measures and running it on a separate port be better (or make no difference at all)?

  16. #16
    Moving the port doesn't help much. NMAP scans will find it quite easily.

  17. #17
    If you use strong passwords, then running ssh on port 22 is not a security risk. The risk is people/scripts attempting to log in at your server, sometimes thousands of login attempts per day from hundreds of IPs, and another risk is DDOS to bring your sshd down.

  18. #18
    The password is strong or will be stronger. I guess what I am worried about is traffic: will hits on the server increase, or will they be the same as now, which shows no port 22?

  19. #19
    It's a little safer to keep the port something other than 22. From my experience I have seen 22 get more hits, and once I changed the port the hits didn't stop but have decreased quite a lot.

  20. #20
    Moving the port SSH runs on is what I call "Cargo Cult Security". It has zero utility as far as improving overall security posture on your system.

    If you are using strong authentication, like key auth, this is no threat and in fact can be turned to your advantage. By using tools like denyhosts or fail2ban you can detect brute force attempts from malicious sources that are likely doing the exact same thing to your web applications (you don't move your web ports, do you?).
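    The detection angle in this post, as an added example (not from the thread, and not the code of denyhosts or fail2ban themselves): a shell function that counts failed sshd logins per source address, which is the core of what those tools automate before they ban a source. The log lines, hosts and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the detection step that denyhosts and
# fail2ban automate, run over a constructed sample of sshd syslog lines.
# Hosts, addresses and timestamps below are made up.
SAMPLE_LOG='Mar  3 04:12:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 51522 ssh2
Mar  3 04:12:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51530 ssh2
Mar  3 04:12:05 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51544 ssh2
Mar  3 04:12:06 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 51551 ssh2
Mar  3 04:12:07 web1 sshd[2209]: Failed password for root from 198.51.100.23 port 51560 ssh2
Mar  3 04:13:40 web1 sshd[2230]: Accepted publickey for root from 203.0.113.5 port 40022 ssh2
Mar  3 04:15:12 web1 sshd[2240]: Failed password for bob from 192.0.2.77 port 33001 ssh2
Mar  3 04:15:20 web1 sshd[2242]: Accepted password for bob from 192.0.2.77 port 33001 ssh2'

# ssh_offenders LIMIT: read sshd log lines on stdin and print "count address"
# for every source with at least LIMIT failed logins, busiest first. A single
# typo by a legitimate user (192.0.2.77 above) stays under a sane LIMIT; a
# scanner hammering root does not, whether or not root can even log in.
ssh_offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the token right after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# Example run: only the scanner at 198.51.100.23 is over the limit.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 5
```

    On a live server, feed it the authentication log (/var/log/secure on RHEL-type systems, /var/log/auth.log on Debian-type) instead of the sample; the sources it lists are what a denyhosts or fail2ban rule would block.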
