by ebbv 2899 days ago
Well, first off, you probably should change your SSH port. Using a non-default one will cause most automated attacks to move on to something else.

Second, using numbers is far more memory/bandwidth efficient than using strings for ports.

Last, there's no good reason to make the massive effort it would take to change it to strings.


I would love to know what success rate those idiotic ssh scanners have. They seem to be braindead in their approach.
Winning the lottery becomes feasible when you fill your tickets out by the truckload. It's quite doable to hit everything with your dictionary and sure enough you'll catch a bunch of boxes with laughable passwords in your dragnet.

These days it's mostly random IoT devices that come with preconfigured ssh service and known passwords.

More interesting might be the fact that there's a strong chance that any successfully hit host is already compromised because you're just one of a myriad people doing this exact thing. In a way it's comparable to overfishing.

edit: If you run a honeypot/net you can watch those scripts poking around to check if a competitor has already left his mark and will then try to remove his access. There's a fast paced arms race going on in that regard.

As an experiment I put up an in-memory server at a random IP, with a root password that was in the dictionary.

It was infected within an hour, and by multiple attackers.

It also reminds me about how there was a time when it was impossible to install XP - you needed internet access to get the latest patches, but by the time you downloaded them you were already infected.

So yes, they do work.

Like email scammers they're attacking the lowest hanging fruit - people who don't know better and/or have no other option.
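The honeypot and "infected within an hour" observations above describe exactly what a fail2ban-style rule looks for in sshd's auth log: many failed logins from one source in a short window, followed by an accepted password login from that same source. The following is an added example, not code from any of the commenters; the log lines are constructed in OpenSSH's auth.log format (TEST-NET addresses, a made-up hostname) and the thresholds are assumptions, not measured hit rates.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH's auth.log format (not a real capture).
# 203.0.113.5 runs a dictionary against admin/root/pi and gets in;
# 198.51.100.7 is a legitimate user who mistypes a password and then
# authenticates with a key; 192.0.2.9 makes a single probe.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Jan 12 03:14:09 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Jan 12 03:14:11 vps sshd[1236]: Failed password for root from 203.0.113.5 port 51430 ssh2
Jan 12 03:14:13 vps sshd[1236]: Failed password for root from 203.0.113.5 port 51430 ssh2
Jan 12 03:14:15 vps sshd[1238]: Failed password for invalid user pi from 203.0.113.5 port 51440 ssh2
Jan 12 03:14:20 vps sshd[1240]: Accepted password for root from 203.0.113.5 port 51500 ssh2
Jan 12 03:20:00 vps sshd[1300]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Jan 12 03:20:05 vps sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Jan 12 09:00:00 vps sshd[1400]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>"
# lines sshd writes for every authentication attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def brute_force_sources(text, max_failures=3, window_seconds=600):
    """Return {ip: total_failures} for sources with more than max_failures
    failed logins inside any window_seconds span (the fail2ban heuristic)."""
    failures = defaultdict(list)
    for ts, result, _method, _user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # times[i] and times[i - max_failures] bracket max_failures + 1 events.
        for i in range(max_failures, len(times)):
            if (times[i] - times[i - max_failures]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def successful_logins_from_attackers(text, **kwargs):
    """List (user, ip, method) for logins accepted from a flagged source.

    A hit here is the 'laughable password' case from the thread: treat the
    box as compromised, not merely probed."""
    attackers = brute_force_sources(text, **kwargs)
    return [
        (user, ip, method)
        for _ts, result, method, user, ip in parse_auth_log(text)
        if result == "Accepted" and ip in attackers
    ]


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("accepted from attackers:", successful_logins_from_attackers(SAMPLE_AUTH_LOG))
```

On the sample, only 203.0.113.5 crosses the threshold, and its later `Accepted password for root` is the signal that the box is already someone else's; the legitimate user's single failed password followed by a key login is not flagged. Note the window is measured between the first and last of max_failures + 1 events, so a slow scanner that spaces guesses beyond the window evades this rule, which is why the thread's other suggestions (keys only, no root login) matter more than the detection itself.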
Judging by the logs they’re mostly going after low-hanging fruit - Wordpress and similar software with default username and password. They probably get quite a few hits.
I bet the hit rate is some non-zero positive integer.
There are other ways to thwart those automated attacks.
Yes there are, but moving your SSH port is a low cost, very easy and effective way of doing it.
You could say that for any service though, yet we still run services on standard ports. Why? Standardization.

Apart from the usual suspects such as rate limiting, only allowing public key authentication, using/enforcing sensible passwords, and/or blacklisting with firewalls (which are also very easy to set up, low cost, effective as well, and objectively better), how about not having an SSH server exposed to the entire world in the first place? Or having only an SSH server exposed, and for the rest nothing? (And even then, it still doesn't make sense that someone in China can access your SSH server located behind your DSL or cable router...)
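The settings argued about in this thread (a non-default port, key-only authentication, no root login) all live in sshd_config, and sshd has two parsing rules that trip people up: the first value seen for a keyword wins, and anything after a Match line is conditional rather than global. The following auditor is an added example, not code from any of the commenters or from OpenSSH; both config texts are constructed, the DEFAULTS table reflects stock OpenSSH (PermitRootLogin has defaulted to prohibit-password since 7.0), and the checks are limited to the points raised in the thread. It does not read Include'd files, only reports them.

```python
import re

# Values OpenSSH applies when a keyword is absent from the config.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

# Constructed example of a permissive sshd_config, not a real host's file.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# Appended later in the belief that it turns passwords off. It does not:
# sshd keeps the first value it sees for a keyword, so the 'yes' above wins.
PasswordAuthentication no
"""

# Constructed hardened counterpart: non-default port, keys only, no root,
# and a password exception limited to one account inside a Match block.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
Match User deploy
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"; keywords are letters only.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")


def effective_settings(config_text):
    """Return the global settings sshd would apply, merged over DEFAULTS.

    Mirrors sshd's rules: keywords are case-insensitive, the first occurrence
    of a keyword wins, and the global section ends at the first Match line.
    Include directives are recorded under "_includes" but not followed,
    since this runs offline on a single file.
    """
    settings = {"_includes": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key == "include":
            settings["_includes"].append(value)
            continue
        settings.setdefault(key, value.lower())  # first occurrence wins
    merged = dict(DEFAULTS)
    merged.update(settings)
    return merged


def audit_sshd_config(config_text):
    """Return (keyword, effective_value, advice) triples for weak settings."""
    s = effective_settings(config_text)
    findings = []
    if s["_includes"]:
        findings.append(("include", ", ".join(s["_includes"]),
                         "included files are read at that point and can set a keyword first; audit them too"))
    if s["port"] == "22":
        findings.append(("port", "22", "default port; every scanner tries it first"))
    if s["permitrootlogin"] == "yes":
        findings.append(("permitrootlogin", "yes", "root is the most-guessed account; use no or prohibit-password"))
    if s["passwordauthentication"] == "yes":
        findings.append(("passwordauthentication", "yes", "dictionary attacks work against passwords; set no and use keys"))
    if s["pubkeyauthentication"] == "no":
        findings.append(("pubkeyauthentication", "no", "key authentication disabled"))
    try:
        if int(s["maxauthtries"]) > 6:
            findings.append(("maxauthtries", s["maxauthtries"], "more guesses per connection than the default of 6"))
    except ValueError:
        findings.append(("maxauthtries", s["maxauthtries"], "not a number; sshd will reject this configuration"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

The weak config yields four findings, and the trailing `PasswordAuthentication no` changes nothing because the earlier `yes` is what sshd keeps; the hardened config yields none, and the per-user password exception under `Match User deploy` is correctly left out of the global verdict. Run `sshd -t` after editing the real file, since this auditor only checks the keywords above and does not validate the rest of the syntax.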

I’m not talking about your home computer. Obviously your home computer shouldn’t have ssh exposed to the world on any port. I’m talking about a server that needs to have ssh available.

And I would argue while all the options you bring up are good suggestions: 1) they aren’t alternatives to having ssh on a non-standard port, they are additional methods, and 2) they will do nothing against system level exploits.

If you leave ssh on a standard port, when (not if) an exploit is released you are in a race to patch your system and at a disadvantage. And for what?

Other services are on standard ports for good reasons. There aren’t a lot of good reasons to leave ssh on 22. Mostly just laziness.