SSH port 22: move it or not

Stumbled upon a three-month-old discussion of the need to move the SSH port. Many participants in the discussion are convinced that there is no need to move SSH to a non-standard port.

In their view it is enough to switch to key authorization and install Fail2ban, and that alone guarantees security. Unfortunately, we live in the real world, which is constantly changing, and the proposed security measures are no longer always sufficient.

Let's take a look. Key authorization is left with two relatively secure SSH key types: RSA-4096 and ED25519. DSA keys are no longer included in recent versions of OpenSSH. Keep in mind that some doubts about the reliability of ED25519 can be found on the Internet; Google will help if you are interested.

In addition to the keys themselves, a sufficiently long passphrase is recommended for them, made up at a minimum of random mixed-case letters and digits.

Brute-force attacks: let's briefly look at what happens when your host is deliberately targeted.

Stage 1 - collecting information about the host, including the open ports
This information gathering is not always reflected in your logs; for example, a port scan can proceed without establishing a connection. Fail2ban is useless here, because it works only from the records in the logs. At this first stage the installed protection systems can also be probed, for example to determine the number of authorization attempts allowed before a block and the blocking time.

Stage 2 - attempts to gain access to the system by breaking into SSH
Botnets with thousands of addresses are used for this. In the simple case the attempts come from hundreds or thousands of addresses so as to slip past the default Fail2ban settings; a serious attack takes the settings of the victim's protection system into account. Fail2ban is also useless here, especially if SSH is on port 22 and the Fail2ban settings are left at their defaults.

I have all ports closed on the outer perimeter of one of the servers, yet within a couple of days up to several thousand hosts show up trying to establish a connection to the standard ports. Moreover, the scanning takes possible protection into account: packets from a single address arrive, as a rule, at intervals of several minutes.

Of course, Fail2ban can still be effective for protecting some other services, given non-standard settings for your hosts and services.

For some reason the second stage always seems to be the most dangerous. In fact, the first stage is where possible vulnerabilities on the host are looked for, and they can be much more dangerous than a simple SSH brute force. Why break SSH when there is an open door with a vulnerability nearby?

Regarding changing the standard port, there is a recent overview of SSH security best practices, Top 20 OpenSSH Server Best Security Practices. There, changing the standard port is item 8, key authorization is the first item, and installing Fail2ban or an equivalent is item 10.

Moving SSH to a non-standard port lets you use the standard ports as a trap to track scanning attempts and to block the captured IP addresses for a long time and on all ports; this is item 1? in the best-practices article. Naturally, you need to allowlist trusted addresses so that you do not block yourself by accident; these are items 7 and 8 in the best-practices article.

In this way, we increase the cost of collecting information about our system. Learning which ports are open will cost an attacker several thousand IP addresses or months of scanning. If my SSH port is unknown to a potential attacker, then even if a vulnerability appears, they will not be able to use it.
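The argument above, as an added example that is not from the original article: a constructed log of connection attempts to port 22 is run through a per-address failure threshold of the kind Fail2ban applies, and through a trap-port rule with an allowlist. The addresses, the threshold values (5 hits within 600 seconds) and all function names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

ALLOWLIST = [ip_network("198.51.100.0/24")]  # constructed admin network
TRAP_PORTS = {22}            # assumption: the real sshd listens on another port
MAX_RETRY, FIND_TIME = 5, 600  # assumed threshold: 5 hits within 600 seconds

def is_allowed(ip):
    return any(ip_address(ip) in net for net in ALLOWLIST)

def threshold_bans(events):
    """Per-address counting: ban after MAX_RETRY hits inside FIND_TIME."""
    recent, banned = defaultdict(deque), set()
    for ts, ip, _port in events:
        if is_allowed(ip):
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > FIND_TIME:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= MAX_RETRY:
            banned.add(ip)
    return banned

def trap_bans(events):
    """Trap port: ban a non-allowlisted address on its first touch."""
    return {ip for _ts, ip, port in events
            if port in TRAP_PORTS and not is_allowed(ip)}

def constructed_events():
    """Constructed sample data: (seconds, source address, destination port)."""
    events = []
    for n in range(200):  # 200 sources, one attempt every 5 minutes for an hour
        events += [(t * 300 + n, f"203.0.113.{n + 1}", 22) for t in range(12)]
    events += [(10 * i, "192.0.2.77", 22) for i in range(6)]  # one noisy source
    events.append((42, "198.51.100.9", 22))  # admin hitting port 22 by habit
    return sorted(events)

if __name__ == "__main__":
    ev = constructed_events()
    print("threshold bans:", len(threshold_bans(ev)))
    print("trap bans:", len(trap_bans(ev)))
```

On this sample the threshold bans only the noisy source, while the trap rule bans every slow source on first contact and leaves the allowlisted address alone.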