The Secure Shell (SSH) protocol listens on port 22 by default. Keeping that default does not by itself make your installation insecure, but moving SSH to another port makes a noticeable difference in practice: it stops most automated attacks, which only ever probe port 22, and makes it a little harder for an attacker to work out where SSH is reachable.
Why change the SSH port?
The biggest benefit of changing the port is avoiding casual scans. The vast majority of people hunting for open SSH servers look only at port 22. Some also try the usual variants, such as 222 and 2222, but those are few and far between. I ran an experiment with a virtual machine exposed to the internet that had sshd listening on port 22. The server stayed online for one week, then I changed the SSH port to 222. The number of attacks dropped by 98%. Even though this is solely empirical evidence, it's clear that moving off the standard SSH port reduces your server's profile.
If your SSH server is harder to find, the chance of it being hit by an SSH exploit goes down. It is not hidden, though: an attacker who already knows your server's IP address (from a website you host, for example) can find the new port with a full scan of all 65535 ports and attack it exactly as before. Administrators who want to reduce that exposure further can look into port knocking, or simply restrict the SSH port in the firewall to the source addresses they connect from.
Changing the SSH port step by step
A simple but effective step you can take to enhance your server's security is to move SSH from port 22 (the default) to another port. To do this, log in to your VPS as root and follow these steps:
1. Open the SSH config file with the vi editor:
# vi /etc/ssh/sshd_config
2. Press i (or A) to enter insert mode in vi, then find the Port line near the top of the file, which reads #Port 22 by default:
3. Uncomment the line by removing the leading # and change the value to a port of your choosing. I personally like 9110, easy to remember as nine-one-one and zero. Pick a port that no other service on the host uses. Note that only root can bind ports below 1024, so if sshd is ever down an unprivileged process cannot take over a low port, whereas any local user could bind a high port such as 9110.
4. Press Esc to return to command mode, then type :wq (colon-w-q) and press Enter to save and exit the file.
5. If you are running a firewall, open the new port before restarting sshd. On SELinux systems (CentOS/RHEL) you must also register the new port as an SSH port, otherwise sshd will be denied permission to bind it.
6. Restart the SSH service. Which command applies depends on your distribution (systemd-based systems use systemctl restart sshd, or ssh on Debian and Ubuntu; older systems use one of the following):
# service sshd restart
# /etc/init.d/ssh restart
You will now access SSH through the new port, like this:
# ssh -p 9110 user@server
Make this connection from a second terminal before you close the root session you used for the change, so that a typo in the configuration or a missing firewall rule cannot lock you out.
Best practices for server security
Keep the SSH server package updated and make sure automatic security updates are configured.
Disable password logins for SSH and use key-based authentication instead (RSA or Ed25519 keys), and disable direct root login. If a password has to remain for some account, make it long and random; a short string such as 'zBOij29o9' is not much of a defence.
Use the AllowUsers setting in sshd_config to allow only the accounts that actually need SSH access.
Fail2Ban watches the authentication log and updates firewall rules to reject an IP address for a specified amount of time after repeated failures, although any other action (sending an email, for example) can be configured instead. Out of the box it ships with filters for many services (apache, courier, sshd, etc.). If you have moved SSH off port 22, set the port of the sshd jail to the new number as well, otherwise the bans it issues only cover port 22. Fail2Ban reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents; configure services to use only two-factor or public-key authentication if you really want to protect them.
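The hardening list above (port, password logins, root login, AllowUsers), as an added example that is not part of the original page: a POSIX shell audit that reads an sshd_config copy the way sshd does (first uncommented occurrence of a directive wins, names are case-insensitive) and reports every setting that is still weak. It also catches the common gap of disabling PasswordAuthentication while leaving keyboard-interactive authentication on, which still lets PAM prompt for a password. The two sample configs are constructed for the example; the defaults assumed for absent directives are those of current OpenSSH, and Match blocks are deliberately ignored (a simplification).

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config copy for
# the hardening items in the list above and report what is still weak.
set -eu

# Effective value of a directive: sshd uses the first uncommented occurrence,
# matched case-insensitively. Prints the supplied default when it is absent.
# Simplification (assumption): Match blocks are ignored.
sshd_get() {
    awk -v key="$2" -v dflt="$3" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Record one finding; the global "weak" flag becomes the audit's exit status.
weak_finding() {
    echo "WEAK: $1"
    weak=1
}

# Print one finding per line; return 1 if anything is weak, 0 if clean.
# Defaults below are current OpenSSH's (PermitRootLogin has defaulted to
# prohibit-password since 7.0; older releases defaulted to yes).
audit_sshd_config() {
    cfg="$1"
    weak=0
    [ "$(sshd_get "$cfg" Port 22)" != 22 ] \
        || weak_finding "Port is 22 (visible to every casual scan)"
    [ "$(sshd_get "$cfg" PasswordAuthentication yes)" = no ] \
        || weak_finding "PasswordAuthentication is not 'no' (passwords can be guessed online)"
    # With UsePAM yes, keyboard-interactive auth still lets PAM ask for a
    # password even when PasswordAuthentication is off. Older OpenSSH calls
    # the directive ChallengeResponseAuthentication, newer releases
    # KbdInteractiveAuthentication; the newer name takes the older's value
    # as its default, so check both.
    kbd="$(sshd_get "$cfg" KbdInteractiveAuthentication \
            "$(sshd_get "$cfg" ChallengeResponseAuthentication yes)")"
    [ "$kbd" = no ] \
        || weak_finding "keyboard-interactive auth is enabled (PAM can still prompt for a password)"
    [ "$(sshd_get "$cfg" PubkeyAuthentication yes)" = yes ] \
        || weak_finding "PubkeyAuthentication is off (with passwords disabled nobody can log in)"
    [ "$(sshd_get "$cfg" PermitRootLogin prohibit-password)" = no ] \
        || weak_finding "PermitRootLogin is not 'no' (root is the account every bot tries first)"
    [ "$(sshd_get "$cfg" AllowUsers '')" != '' ] \
        || weak_finding "AllowUsers is unset (every local account with a shell may try to log in)"
    return $weak
}

# Constructed sample: what a freshly installed sshd_config typically looks like
# (everything commented out, so the defaults apply).
sample_weak_config() {
    cat <<'EOF'
# constructed sample: stock sshd_config
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#PubkeyAuthentication yes
UsePAM yes
EOF
}

# Constructed sample: the settings the list above asks for.
sample_hardened_config() {
    cat <<'EOF'
# constructed sample: hardened sshd_config
Port 9110
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers alice
UsePAM yes
EOF
}
```

Usage: audit_sshd_config /etc/ssh/sshd_config (as root) prints the findings and exits non-zero if any remain, which makes it usable as a check in a configuration pipeline. If you apply the hardened sample, remember the matching Fail2Ban change: in the [sshd] jail of /etc/fail2ban/jail.local set port to 9110 (the stock jail uses port = ssh, i.e. 22), or its bans will not cover the port you actually use.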