Hacker News new | ask | show | jobs
by klaushardt 901 days ago
* changing your SSH port means that you'll have to do a bunch of fuckery to get basic functionality working. you will very likely waste hours of your life. you will have to google "rsync ssh non standard port" every time you want to use rsync. you will have to remember scp flags. this is also bad. probably worse.

---

I dont need to remember non standard ports if i just use my .ssh/config.

    Host myhost.tld
      Hostname 127.0.0.1
      Port 333
      User MyUser
      IdentityFile ~/.ssh/myhost.tld
6 comments
bshipp 901 days ago
I was brand new to managing an Ubuntu Hetzner server and the moment I saw how many port 22 scans the server received i decided to try changing the port number, followed by key-only passwordless logins. My logs immediately shrank in size. I have never once had an issue having moved to non standard ports and, moreso, feel almost naked logging into port 22.

I know security through obscurity is not an answer, but judging by the reduction in port scanning i've seen after moving as many standard ports as possible to new addresses above 20000 I have to believe its a reasonable first step. How many script kiddies are scanning all 65500 ports for each IP address?

link
fbdab103 901 days ago
I feel similarly. Switching ports is no real defense, but it at least means you are eliminating the drive-by attacks who are only interested in the trivially exploited. Such a simple thing to do and sharply reduces the log volume.

The next trick I think of implementing is port knocking. Should drop log noise to zero unless someone starts targeting me specifically. In which case, my goose is already cooked.

link
yjftsjthsd-h 901 days ago
> The next trick I think of implementing is port knocking.

If you're at that point, I would suggest putting it behind wireguard.

link
sureglymop 901 days ago
If it's not some sort of proxy/firewall remapping the port, you probably shouldn't use a port above 1000 for some services.

Consider this: an attacker (somehow) managed to get user access to your server. They can now dos the service until it crashes and then start their own service listening on that same port, maybe impersonating your service. Maybe they can use that to grab sensitive information or do something else.

link
pepa65 900 days ago
If that is your worry, use net.ipv4.ip_local_reserved_ports
link
bshipp 900 days ago
Indeed, although because I heavily utilized Docker I also ended up using UFW-Docker. It was fairly straightforward to incorporate into my startup scripts.

https://github.com/chaifeng/ufw-docker

link
oliwarner 900 days ago
Right! It's dead simple.

Normally I might put a title like this down to opinion but here, the author suffers not knowing enough about the subject to justify having an opinion, let alone publish one.

Fail2ban is a stupidly easy way to block lazy hacking scripts. It's easy to extend to handle simple honeypot services. It's no replacement for real security but it makes focussing easier.

link
thelittleone 901 days ago
Another solution is tailscale. Disable all admin ports (including ssh) on public IP.
link
lxgr 900 days ago
This works fine until you find yourself in a shitty public Wi-Fi that blocks outgoing traffic to "non-essential ports".

But then again, SSH is often not considered essential and you need a VPN or other tunnel on TCP/443 anyway...

link
theatomheart 900 days ago
THIS. I use non standard port for SSH by default and my single SSH config file manages this for me with no extra effort. Seems like a common sense behavior to me.
link
raverbashing 901 days ago
Yeah, come on, saying that using SSH is hard in a different port is facetious

Worse case Google the commands and run them

link
lxgr 900 days ago
Sure, if you use only the OpenSSH client and other software respecting its command line option paradigms or configuration files. But there's tons of other things connecting to SSH.

And even only in the OpenSSH universe, I find it quite annoying having to remember whether the `-p` can go after the hostname or has to appear before, whether SCP uses `-p` or `-P`, whether `ssh-copy-id` supports one or the other etc.

There are some protocols I wouldn't necessarily run on their default port and publicly accessible, but SSH is really not one of them, also given that sshd has been specifically hardened for that adversarial use case.

link
klaushardt 900 days ago
You can rsync, scp and what not using your .ssh/config alias.

    scp myfile.txt myhost.tld:~/foo
link