Andrew Tropin

Do you use ssh on standard or non-standard port?

I deployed two machines with sshd on port 22 and am already a bit tired of bots knocking on it.

#ssh #Linux #bsd #freebsd #openbsd #gnu

Anonymous poll (130 people voted; voting ended 25 October at 7:12):

22: 64 votes (49.2%)
Non-standard port: 56 votes (43.1%)
Do some other cool trick: 10 votes (7.7%)
10 comments
Thomas

@abcdw I use port 22 with password login disabled and fail2ban, and that keeps the amount of knocks down pretty low. I do keep thinking about moving it to some odd high port though

Andrew Tropin

@tfb on my personal VPSes I use a non-standard port and have it written in my ssh config, so I just type ssh hostname and it works, but I haven't thought about best ssh practices for years. Curious what a good way to deal with it is nowadays.

dexternemrod

@abcdw @tfb Same here.
In addition I use fail2ban, only allow login via ssh key and have disabled root login.
There is nearly no traffic on this port.
Checking the failed login attempts on port 22 (it needs to be the ssh port for this, afaik) is quite interesting and gives a nice overview of the usernames being tried, which can then be avoided.

CollateralDamage

@abcdw Why not put it behind something like Wireguard?
Personally, I use a VPN (an actual one, not a tunnel) to connect my machines. SSH doesn't even go on the public internet anymore.

MightyPirate™ 🏴‍☠️

@abcdw 22 equals a self-hosted honeypot. The first thing you do is change the port, then redo all server keys and deny the use of outdated protocols via the config. Then create an ed25519 private key, password protected, and ssh is set up.

Marcos Dione

@abcdw I use `sslh` to share 443 between ssh, https and, when I had it on, openvpn. It has support for a couple more protocols.

dok

@abcdw on 22 unless not available, but in both cases you will get bots trying to log in. At first I used fail2ban, but now I only accept connections with an ssh key.

ikt 🇺🇦

@abcdw just 22 with fail2ban

also have it set to increase the ban time on every failed attempt

# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment to double bantime):
bantime.factor = 1
# max banning time = 8 week:
bantime.maxtime = 8w
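As an added example (not code from anyone in this thread), here is the check dexternemrod describes (which usernames the bots are trying) together with the ban-time growth that ikt's fail2ban settings produce, run over constructed sshd log lines. The ban formula is fail2ban's documented default (ban.Time * 2^count * factor, clamped to maxtime); maxretry=5 is an assumed threshold and the findtime window is ignored.

```python
import re
from collections import Counter

# Constructed sshd auth-log lines (syslog prefix omitted); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Failed password for root from 203.0.113.5 port 50124 ssh2
Failed password for invalid user oracle from 203.0.113.5 port 50125 ssh2
Failed password for invalid user test from 203.0.113.5 port 50126 ssh2
Failed password for invalid user ubuntu from 198.51.100.7 port 41000 ssh2
Accepted publickey for abcdw from 192.0.2.10 port 55000 ssh2: ED25519
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse_failures(log_text):
    """Return (username, source_ip) pairs for every failed password attempt."""
    return [m.groups() for line in log_text.splitlines() if (m := FAILED.search(line))]

def failed_users(log_text):
    """Usernames the bots are trying: the names worth not using on the box."""
    return Counter(user for user, _ in parse_failures(log_text))

def offenders(log_text, maxretry=5):
    """Source IPs that reached maxretry failures (assumed threshold; no findtime window)."""
    per_ip = Counter(ip for _, ip in parse_failures(log_text))
    return sorted(ip for ip, n in per_ip.items() if n >= maxretry)

HOUR, WEEK = 3600, 7 * 24 * 3600

def ban_time(prev_bans, bantime=HOUR, factor=1, maxtime=8 * WEEK):
    """Ban length in seconds for an IP that has already been banned prev_bans times.

    fail2ban's default bantime.formula: ban.Time * (1 << min(ban.Count, 20)) * banFactor,
    then clamped to bantime.maxtime. With ikt's settings: 1h, 2h, 4h, ... up to 8 weeks.
    """
    return min(bantime * (1 << min(prev_bans, 20)) * factor, maxtime)

def ban_schedule(n_bans, **kw):
    """Ban lengths (in hours) for the first n_bans bans of a repeat offender."""
    return [ban_time(i, **kw) // HOUR for i in range(n_bans)]

if __name__ == "__main__":
    print("usernames tried:", failed_users(SAMPLE_LOG).most_common())
    print("would be banned:", offenders(SAMPLE_LOG))
    print("ban schedule (h):", ban_schedule(12))
```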

Pascal

@abcdw why should I change the standard port? This brings no enhanced security, it only makes me forget my own server config 😀

Trust the math

abbe

@abcdw with sshguard enabled, which adds the failed login sources to an nftables ipset, or a pf table
