[Morgawr]

I just learned about remote file editing with vim and scp thanks to this article, it's the only thing I didn't know about and... wow, it's amazing. This will make my life much easier every time I have to remotely edit some config files on my servers.

As for the rest of the article, really nice stuff. Nice tricks for ssh newbies. I wish he also talked about setting up a nonce system with ssh or move sshd to a non-default port to prevent attackers spamming port 22, or even remove password authentication altogether.

[Piskvorrr]

Moving ssh port is, IMNSHO, a stopgap measure; you should have exhausted all the other options (e.g. no passwords, no root login, denyhosts/fail2ban etc.) before this even crosses your mind.

In other words, the inconvenience this brings is not adequate to the infinitesimal increase in security.

[smtddr]

For me I just don't like seeing /var/log/auth.log being filled with 100s of lines of:

  Failed password for root2 from 82.192.86.44 port 44990 ssh2
  Failed password for admin from 82.192.86.44 port 44990 ssh2
  Failed password for sysdb from 82.192.86.44 port 44990 ssh2
  Failed password for scott from 82.192.86.44 port 44990 ssh2

(Yes, that IP has scanned my machine before)

[Piskvorrr]

And that's exactly what denyhosts is for. You'll see this line a few initial times, then the banhammer springs into action.

(It's fully configurable - the number of failed attempts, the length of the autoban, etc.)

[moe]

Unfortunately one attempt is enough when there's a pre-auth vulnerability. Your ban-hammer doesn't help you there.

[throwaway2048]

until one of the millions of other compromised IPs begins hammering your machine minutes later..

[Moru]

That's the whole point. The ban-hammer in this case is automatic and will ban that one too after five attempts or whatever.

[moe]

You're missing the point. One attempt is enough when there's a pre-auth exploit.

[throwaway2048]

it still doesn't prevent your logs getting filled up with crap is my point.

[pwg]

There is also ssh-faker: http://www.pkts.ca/ssh-faker.shtml

Which would prevent even that first password failure attempt from occurring.

[supergauntlet]

Sending a password over telnet seems like a bad idea..

[Morgawr]

True, but still, moving the port away from the default is always a good and effortless thing to do. Or at least making people aware of it.

[Piskvorrr]

Good...perhaps, iff you're aware that this is a cosmetic issue (less spam in the logs), rather than actual security (and that ports 222, 2222 and 22222 get just as much spam as 22).

Effortless...except you need to configure every client to use the non-default port. How much effort is that? IDK, depends on your use case.

That said, I consider it harmless; which is to say, the benefits and drawbacks are just about equal, IMNSHO.

[wilmoore]

> Effortless...except you need to configure every client to use the non-default port

I've never seen this as extra effort given I'm already in the ~/.ssh/config file adding an "IdentityFile" line anyway? The only time you wouldn't is if you are using the same (default) private key for every configured connection. I will faithfully assume that no-one is advocating for that :)

[moe]

In other words, the inconvenience this brings is not adequate to the infinitesimal increase in security.

You are wrong. Please refrain from giving security advice.

Changing or filtering the SSH port prevents your host from being compromised by automated netrange sweeps in the event of a pre-auth ssh vulnerability. For this reason changing the SSH port is considered best practice.

[JoeAltmaier]

Since port numbers are a very tiny space, that would amount to an infinitesimal increase in security, right? Essentially, 'hiding' the port is 'security through obscurity' which is a thoroughly discredited idea.

[michaelmior]

This is assuming that someone is specifically targeting your machine. In which case yes, changing the port number probably won't do much. But if someone is just hammering random servers on port 22, changing the port number is much more likely to be effective.

[moe]

You misunderstand.

Changing the port does nothing against targeted attacks and it's not about 'hiding' anything. The purpose is to take your host out of the scope of automatic scans which almost exclusively focus on the most common ports (22, 2222, 22222 ...).

[Piskvorrr]

Okay, a pre-auth vulnerability is a plausible option I didn't consider; you are right.