Changing the SSH Server port number
After installing the SSH Server, the first thing we recommend is to change the port number on which the SSH Server will accept connections.
Changing the port number is not strictly necessary. Many of our users run the SSH Server on the default SSH port, 22.
We recommend configuring the SSH Server to use a random port number between 1024 and 65535. In this case:
- Clients will need to enter slightly more information to connect. The port number will need to be entered.
- Most drive-by password guessing attempts will be avoided. You will see many fewer pop-ups and log messages about these anonymous attempts.
- Avoiding drive-by password guessing will make it easier to notice any other aberrant behavior, which might otherwise hide in the noise.
It is still a good idea to apply security features outlined in Hardening the SSH Server configuration.
You can change the port number where the SSH Server receives connections using Easy SSH Server settings:
You can also change the port number in Advanced SSH Server settings:
Advanced settings allow configuring multiple ports, and also allow enabling obfuscation. Obfuscation is an advanced measure that makes it less obvious that the protocol being used is SSH. However, it permits connections only from clients that also support it.
In Advanced settings, port numbers are configured separately for IPv4 and IPv6.
Using the default SSH port
If you prefer to expose the SSH Server to the internet on the default port, 22:
- It will be slightly easier for clients to connect - it won't be necessary for clients to enter a port number.
- Some clients may have unwise security restrictions allowing outbound SSH connections only on port 22.
However:
- There will be drive-by attempts to guess a password for the SSH Server.
- The SSH Server will display pop-ups and log messages about these attempts.
The SSH Server contains functionality, enabled by default, to thwart password guessing by applying delays and automatic lockouts.
The SSH Server does not permit login without a password, and your accounts are safe unless one has a password that's easy to guess.
But users do frequently pick passwords that are easy to guess.
To defend against password guessing in depth, apply security measures in Hardening the SSH Server configuration.
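The point made twice above, that drive-by password guessing fills the log with noise in which more targeted activity can hide, and that accounts are safe unless one has an easily guessed password, can be illustrated with a small log triage script. The following is an added example, not code or a log format from the SSH Server or its documentation: the sample log lines and their layout are constructed for this example, and the thresholds are assumptions. It separates sources that only ever fail (the anonymous drive-by attempts) from (source, account) pairs where a run of failures is followed by a successful login, which is the kind of event worth a second look whether it turns out to be a user mistyping or a password that was guessed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines. The layout is an assumption made for this
# example and is not the SSH Server's real log format.
SAMPLE_LOG = """\
2024-05-01 10:00:01 auth failed user=admin from=203.0.113.7 port=22
2024-05-01 10:00:02 auth failed user=root from=203.0.113.7 port=22
2024-05-01 10:00:03 auth failed user=test from=203.0.113.7 port=22
2024-05-01 10:00:04 auth failed user=admin from=198.51.100.9 port=22
2024-05-01 10:00:05 auth failed user=alice from=198.51.100.9 port=22
2024-05-01 10:00:06 auth failed user=alice from=198.51.100.9 port=22
2024-05-01 10:00:07 auth failed user=alice from=198.51.100.9 port=22
2024-05-01 10:00:08 auth success user=alice from=198.51.100.9 port=22
2024-05-01 10:01:00 auth failed user=bob from=192.0.2.5 port=22
2024-05-01 10:01:05 auth success user=bob from=192.0.2.5 port=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth (?P<result>failed|success) "
    r"user=(?P<user>\S+) from=(?P<src>\S+) port=(?P<port>\d+)$"
)


def parse_lines(text):
    """Turn log text into a list of event dicts, skipping unrecognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, drive_by_threshold=3, review_threshold=2):
    """Classify authentication events (thresholds are assumptions for the example).

    drive_by: sources with >= drive_by_threshold failures and no success at all,
              i.e. the anonymous guessing the page describes as noise.
    review:   (source, user) pairs where a success followed >= review_threshold
              consecutive failures for that same user from that same source.
    """
    failures = Counter()              # failures per source
    users_tried = defaultdict(set)    # distinct usernames tried per source
    succeeded = set()                 # sources with at least one success
    pair_failures = Counter()         # consecutive failures per (source, user)
    review = []

    for e in events:                  # events are processed in log order
        key = (e["src"], e["user"])
        if e["result"] == "failed":
            failures[e["src"]] += 1
            users_tried[e["src"]].add(e["user"])
            pair_failures[key] += 1
        else:
            succeeded.add(e["src"])
            if pair_failures[key] >= review_threshold:
                review.append(key)
            pair_failures[key] = 0    # a success resets the failure run

    drive_by = sorted(
        src for src, n in failures.items()
        if n >= drive_by_threshold and src not in succeeded
    )
    return {
        "drive_by": drive_by,
        "review": review,
        "failures": failures,
        "users_tried": {src: sorted(u) for src, u in users_tried.items()},
    }


if __name__ == "__main__":
    result = analyze(parse_lines(SAMPLE_LOG))
    print("drive-by sources:", result["drive_by"])
    print("pairs to review:", result["review"])
```

On the constructed sample, 203.0.113.7 is reported as drive-by (three failures across three usernames, never a success), while alice from 198.51.100.9 is queued for review because her successful login follows three failed attempts from the same source; bob's single typo before a success stays below the review threshold. Moving the server off port 22, as the page recommends, is what shrinks the first list enough for the second to be noticed.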