SSH, Avoiding Default Port

[MoeT-collab]

On the SSH server config, it is always a good practice to change the TCP port value from 22 to a random one (example 6222).
This will help avoid bad actors randomly scanning for open default ports.

Then the new SSH port should be allowed in through UFW.

[imthenachoman]

If they scan for open ports they will still find it open. I don't know how much value there is in hiding the port. Something like a port knocker might help.

[iyesin]

@imthenachoman,
As person, operating 100s of servers in production, I would say, that switching default ssh port from 22 to something high-port (1024+) have huge impact. The frequency of password-bruteforcing-attempts (all unsuccessful due to disabled password auth) drops from tens-per-second to singles per minute.
Port-knocking or web-knocking reducing this numbers to zero, of course.

[initiateit]

@iyesin If you specify a port below 1024 you prevent unprivileged processes from binding to it and impersonating it.

[sbrl]

@iyesin: Indeed - but it's worth noting that things like moving the ssh port is perhaps best presented as a way to reduce computational load and annoying messages /var/log/auth.log, rather than a real security measure.

[hellresistor]

I can sure, with own exp, using ssh default port (22), on some VPS's you will automatic get bots bruteforcing the 22 port .... Same way if you want use default port. disable passwords authentication and set a ssh keyfile ;)

https://gist.github.com/hellresistor/108d965b32a907558ed101e9a0f4326c