by bshipp 900 days ago
I was brand new to managing an Ubuntu Hetzner server, and the moment I saw how many port 22 scans the server received I decided to try changing the port number, followed by key-only passwordless logins. My logs immediately shrank in size. I have never once had an issue having moved to non-standard ports and, more so, feel almost naked logging into port 22.

I know security through obscurity is not an answer, but judging by the reduction in port scanning I've seen after moving as many standard ports as possible to new addresses above 20000, I have to believe it's a reasonable first step. How many script kiddies are scanning all 65500 ports for each IP address?


I feel similarly. Switching ports is no real defense, but it at least means you are eliminating the drive-by attackers who are only interested in the trivially exploited. It's such a simple thing to do, and it sharply reduces the log volume.

The next trick I'm thinking of implementing is port knocking. It should drop log noise to zero unless someone starts targeting me specifically, in which case my goose is already cooked.

> The next trick I'm thinking of implementing is port knocking.

If you're at that point, I would suggest putting it behind WireGuard.

If it's not some sort of proxy/firewall remapping the port, you probably shouldn't use a port above 1000 for some services.

Consider this: an attacker (somehow) managed to get user access to your server. They can now DoS the service until it crashes and then start their own service listening on that same port, maybe impersonating your service. Maybe they can use that to grab sensitive information or do something else.

If that is your worry, use net.ipv4.ip_local_reserved_ports
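
The comment above points at net.ipv4.ip_local_reserved_ports. The script below, added here and not from anyone in the thread, parses that sysctl together with net.ipv4.ip_local_port_range and tells you whether a chosen service port (say one of the "above 20000" ports from the original post) sits inside the ephemeral range and, if so, whether it has been reserved so the kernel will not hand it out for automatic port assignment; the range and reserved values in the test are constructed samples, and the check is Linux-specific.

```python
"""Check a listening port against the kernel's ephemeral port range and
the net.ipv4.ip_local_reserved_ports exclusion list (Linux only)."""
from pathlib import Path

PORT_RANGE = Path("/proc/sys/net/ipv4/ip_local_port_range")
RESERVED = Path("/proc/sys/net/ipv4/ip_local_reserved_ports")


def parse_reserved(text: str) -> set[int]:
    """Parse the sysctl's '1024-1100,22222' syntax into a set of ports."""
    ports: set[int] = set()
    for item in text.strip().replace(" ", "").split(","):
        if not item:
            continue  # empty sysctl value, or a stray comma
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_range(text: str) -> tuple[int, int]:
    """ip_local_port_range holds two whitespace-separated integers."""
    lo, hi = text.split()
    return int(lo), int(hi)


def assess(port: int, range_text: str, reserved_text: str) -> str:
    """Classify a service port relative to automatic (ephemeral) allocation.

    'outside-ephemeral-range'   the kernel never auto-assigns this port
    'reserved'                  inside the range, but excluded via the sysctl
    'collides-with-ephemeral'   an outbound connection may grab it while
                                your service is down
    Reservation only affects automatic assignment; an explicit bind() to the
    port by any local user is still allowed.
    """
    lo, hi = parse_range(range_text)
    if not lo <= port <= hi:
        return "outside-ephemeral-range"
    if port in parse_reserved(reserved_text):
        return "reserved"
    return "collides-with-ephemeral"


def assess_live(port: int) -> str:
    """Run the same check against the running kernel's current values."""
    return assess(port, PORT_RANGE.read_text(), RESERVED.read_text())


if __name__ == "__main__":
    import sys
    # Constructed sample values: a common default range and an empty reserved list.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 22222
    print(port, assess(port, "32768\t60999\n", "\n"))
```
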

Indeed, although because I heavily utilized Docker I also ended up using UFW-Docker. It was fairly straightforward to incorporate into my startup scripts.

https://github.com/chaifeng/ufw-docker