Should I change the SSH port to < 1024? [duplicate]
You have different options. Each has drawbacks. So which drawback do you prefer?
- Use port 22: You'll get lots of log entries from bots scanning for easy passwords. You can protect against compromises that way by only using public key authentication. But the log entries will still be there.
- Some other port less than 1024: It will likely have been officially reserved for some other protocol, that can cause conflicts in case you'll ever use that protocol. There may be bots scanning for that other service, so you'll still see strange log entries show up occasionally.
- Use port number 1024 or more: Local users can cause a DoS attack by listening on that port. They'll have to start listening while
sshd
is down, so there is a window of opportunity whensshd
is being restarted.
If you otherwise keep your sshd
secure, it seems you get the choice between getting logs flooded by remote hosts or DoS possibility for local users. The log entries could be mitigated through some sort of automatic blocking, which unfortunately open you up to potentially a different kind of DoS attack.
Well, you could change the port from 22 to something different, yes. But that's nothing a port scan won't show in the end.
If you are concerned about security and SSH, disable password only authentication at all. Also turn on a monitor log scanner, like fail2ban, configured to ban malicious hosts who run their scans on your site.
And if you are even more concerned about security, then there's one thing where changing the port makes sense: change it to something uncommon and implement port knocking!
Changing the port only does not do much at all, changing the port with active port knocking is a wholly different kind of matter!
Ports below 1024 are reserved for daemons and services that use CAP_NET_BIND_SERVICE by the Kernel, one of them is SSH.
In fact, changing the ssh port is not much of a security improvement, as a scan will still find open ports. You will have less log entries caused by attacks trying default passwords or password tables on the default ports of random hosts but if you setup your ssh right these shouldn't be a problem.
The problem is that connecting to your server from an environment where outgoing traffic is being restricted to standard ports you will have a problem. For me, keeping SSH on the default port is best practice but I guess there are some people willing to discuss that matter.
I don't see any security advantage to changing SSH to a non-standard port. There's shouldn't be any conflict in staying on port 22, since that port is reserved for SSH. And if the security of your SSH server depends on it running on a non-standard port, you're not doing your job.
I have to partially disagree with the other answers because changing the port does not necessarily protect you against an actual targeted attack (in case which someone would be able to just scan all the ports and find the SSH one), but it does protect you against botnets that do bruteforce over random or selected hosts with dictionaries. And even in this case, I assume that every decent technical person will know to make sure that the passwords are strong enough, not to mention that newer installations of software actually do require you to have strong passwords. What I think that it protects you against are distributed denial of service attacks that could really get your server slow, fill the logs with crap and so on. While fail2ban & co. could do a nice job against a single host doing this, they are pretty ineffective against a really big botnet.
On the other side, I see no reason why you would leave your SSH port open to the Internet, unless you run something like a web host that provides SSH access or something. Otherwise, you should only allow very specific IPs that you trust to connect to SSH, this is THE BEST practice. Not port knocking, not changing the port, not fail2ban.
So, if you ask me, there are 2 options:
- You have a specific need to let SSH open for the Internet. In this case you would change the SSH port AND install fail2ban (maybe even set accounts to lock after X failed password attempts).
- You close SSH and whitelist only certain IPs.
EDIT:
Forgot about the over 1024 and under 1024 thing. Many firewalls indeed have specific rules that could make using a port under 1024 to have more sense. For example there are firewalls that deny connections incoming on ports higher than 1024 (so that you really need to have a service started with root or the required Kernel capabilities that listens to a port and not some exploit), other firewalls are giving more priorities to lower ports so that the system services can benefit of this etc.