Operating System - HP-UX
1748028 Members
4953 Online
108757 Solutions
New Discussion

Changing ssh port from the default port to a new one

 
SOLVED
Go to solution
Ray Bell
Regular Advisor

Changing ssh port from the default port to a new one

I want to change ssh port from the default port 22 to another port number so it will make it hard for hackers to get to my server.  I am aware of the following information about ports:

Well Known Ports (0 - 1023) and we can't use

Registered Ports (1024 - 49151)  We should avoid them as well

Dynamic or Private Ports (49152 - 65535)  These are the ports we can use after we made sure they are not in use

 

So is is as simply as finding a port that is not in use and assign it to ssh by viewing sshd_config file and change the port number and restart secsh?   

4 REPLIES 4
Patrick Wallek
Honored Contributor
Solution

Re: Changing ssh port from the default port to a new one

In a nutshell -- Yes.

 

As far as your comments regarding the "well known" and "registered" ports -- I don't know about the statement that they should be avoided.  You can use any port you want as long as it is not already in use on your server.

 

However, running SSH on a port other than 22 is "security through obscurity."  It's effectiveness is questionable.  If someone is doing a targeted attack on SSH they will typically try port 22 first.  However attacks typically start via a port scan to see what ports on a server are open.  Depending on the ports they scan (only the first 1024 vs. all ports) the port you choose will show up in the scan.  It is possible that the purpose of the port would be misidentified initially but if an attacker starts going through all possible attacks they will figure out that it is SSH eventually.

 

The other part of this equation is the location of this server.  Is it visible to the general Internet?  If so, I would not run anything on it other than what is absolutely necessary.  I don't think I would run SSH on an Internet facing server.

 

Ray Bell
Regular Advisor

Re: Changing ssh port from the default port to a new one

So just to be 100% sure is that once I vi "sshd_config" file and change the line #Port 22 and uncommented and add Port xxxx and save the file and restart it I shoud be anle to start using that port for ssh going forward?

Kris_Knigga
Trusted Contributor

Re: Changing ssh port from the default port to a new one


@Ray Bell wrote:

So just to be 100% sure is that once I vi "sshd_config" file and change the line #Port 22 and uncommented and add Port xxxx and save the file and restart it I shoud be anle to start using that port for ssh going forward?



That's correct.

 

However, Patrick's point about "security through obscurity" is very valid.  What this change is most likely to do is annoy people who use ssh legitimately while being only a very minor speed bump to malicious types.  nmap has no problems identifying sshd running on nonstandard ports.


Kris Knigga
codegazer
Occasional Visitor

Re: Changing ssh port from the default port to a new one

Most automated and brute force attacks on ssh probe port 22/tcp.

If you just "move the goal posts" to say 2022/tcp. it will reduce the number of hits.

Of course, a determined attacker will port scan your entire port range 1-65536 and then attempt to identify what services you are running on your active ports.

 

A neat technique to make it harder for the attacker is to use "port knocking".

This means that to access your chosen ssh port (let's say 2022/tcp, you first have to connect (the close) 4 other ports in the right sequence to open access to 2022/tcp.

 

http://en.wikipedia.org/wiki/Port_knocking

 

See also: http://wiki.clug.org.za/wiki/Defending_Against_Brute_Force_SSH_Attacks