Should I change the SSH port to < 1024? [duplicate]

ssh security linux

You have different options. Each has drawbacks. So which drawback do you prefer?

  • Use port 22: You'll get lots of log entries from bots scanning for easy passwords. You can protect against compromises that way by only using public key authentication. But the log entries will still be there.
  • Some other port less than 1024: It will likely have been officially reserved for some other protocol, that can cause conflicts in case you'll ever use that protocol. There may be bots scanning for that other service, so you'll still see strange log entries show up occasionally.
  • Use port number 1024 or more: Local users can cause a DoS attack by listening on that port. They'll have to start listening while sshd is down, so there is a window of opportunity when sshd is being restarted.

If you otherwise keep your sshd secure, it seems you get the choice between getting logs flooded by remote hosts or DoS possibility for local users. The log entries could be mitigated through some sort of automatic blocking, which unfortunately open you up to potentially a different kind of DoS attack.


Well, you could change the port from 22 to something different, yes. But that's nothing a port scan won't show in the end.

If you are concerned about security and SSH, disable password only authentication at all. Also turn on a monitor log scanner, like fail2ban, configured to ban malicious hosts who run their scans on your site.

And if you are even more concerned about security, then there's one thing where changing the port makes sense: change it to something uncommon and implement port knocking!

Changing the port only does not do much at all, changing the port with active port knocking is a wholly different kind of matter!


Ports below 1024 are reserved for daemons and services that use CAP_NET_BIND_SERVICE by the Kernel, one of them is SSH.

In fact, changing the ssh port is not much of a security improvement, as a scan will still find open ports. You will have less log entries caused by attacks trying default passwords or password tables on the default ports of random hosts but if you setup your ssh right these shouldn't be a problem.

The problem is that connecting to your server from an environment where outgoing traffic is being restricted to standard ports you will have a problem. For me, keeping SSH on the default port is best practice but I guess there are some people willing to discuss that matter.


I don't see any security advantage to changing SSH to a non-standard port. There's shouldn't be any conflict in staying on port 22, since that port is reserved for SSH. And if the security of your SSH server depends on it running on a non-standard port, you're not doing your job.


I have to partially disagree with the other answers because changing the port does not necessarily protect you against an actual targeted attack (in case which someone would be able to just scan all the ports and find the SSH one), but it does protect you against botnets that do bruteforce over random or selected hosts with dictionaries. And even in this case, I assume that every decent technical person will know to make sure that the passwords are strong enough, not to mention that newer installations of software actually do require you to have strong passwords. What I think that it protects you against are distributed denial of service attacks that could really get your server slow, fill the logs with crap and so on. While fail2ban & co. could do a nice job against a single host doing this, they are pretty ineffective against a really big botnet.

On the other side, I see no reason why you would leave your SSH port open to the Internet, unless you run something like a web host that provides SSH access or something. Otherwise, you should only allow very specific IPs that you trust to connect to SSH, this is THE BEST practice. Not port knocking, not changing the port, not fail2ban.

So, if you ask me, there are 2 options:

  1. You have a specific need to let SSH open for the Internet. In this case you would change the SSH port AND install fail2ban (maybe even set accounts to lock after X failed password attempts).
  2. You close SSH and whitelist only certain IPs.

EDIT:

Forgot about the over 1024 and under 1024 thing. Many firewalls indeed have specific rules that could make using a port under 1024 to have more sense. For example there are firewalls that deny connections incoming on ports higher than 1024 (so that you really need to have a service started with root or the required Kernel capabilities that listens to a port and not some exploit), other firewalls are giving more priorities to lower ports so that the system services can benefit of this etc.

Related

Why do I have to manually copy /etc/services and /etc/resolv.conf into /var/spool/postfix/etc?
What DNS server should I use to receive AWS internal addresses for my nginx resolver?
Postfix error, SASL authentication failed; cannot authenticate to server, no mechanism available
What are some cool or useful server/networking tricks? [closed]
Practical SAN Question
TCP connection handshake
DNS configuration own server... where to point mx records?
Where to safely store source code?
Persistent static ARP entries on Windows, is it possible?
How to stop SSH from falling back to password?
Most effective way to change Linux command prompt for all users?
ZFS on OpenSolaris or FreeBSD