Sure it does. It does make your life more annoying as you have to specify the port every time (and you have to remember it). Some software/firewalls/proxy servers may have trouble with the nonstandard port. If all that is not a problem then go ahead.
Another very nice trick to hide a service is port knocking.
For a while, I put my home ssh server on port 443. It avoided the SSH credential guessing attacks, and still let me use a port that is allowed out by most firewalls.
However, I eventually went back to port 22, for several reasons. It's annoying to specify a port every time. A lot of networks transparently proxy port 443, which can cause problems with non ssl traffic. The login attempts were exclusively from bots trying known credentials, which will not work anyway. They are not a threat, just an annoyance.
Instead, I use the iptables limit feature to allow no more than 6 new TCP connections a second. This is more than enough for my purposes. Root login is disabled and I'm using a sufficiently complex password on my user account that I don't need to worry about brute-force guessing. Not that anyone has ever attempted such a thing on my home server, but now it will take too much time to be feasible.
I still get the login attempts, but they are much fewer now, and are no more than a curiosity in the auth.log file.
Yes, but it would have to be done on every system that I use to access my server. Also, not all systems use the standard openssh unix client, or they may not allow access to the user configuration files. So changing the port is just an annoyance, and it doesn't really accomplish anything. My real account is safe, and having a few failed login attempts for admin and root in my log file doesn't really bother me.
I am not advising against changing the port; it just has no value for me as I currently use SSH.
I wouldn't say better: I'd say that it's another optional layer. Sometimes you cannot do that, where you can change the SSH config for all users to use a different port.
Been in that situation, and now I have a solution to allow me to update the list (which I don't want to discuss here). Basically I open a very small potential hole, but plug the much larger hole of wide open ssh port.
This is hardly surprising considering that most of the unauthorised access attempts your server will see will be automated bots trying port 22 and it is not worth while for the bot to try all other ports.
15 comments
[ 2.8 ms ] story [ 48.7 ms ] threadAnother very nice trick to hide a service is port knocking.
However, I eventually went back to port 22, for several reasons. It's annoying to specify a port every time. A lot of networks transparently proxy port 443, which can cause problems with non ssl traffic. The login attempts were exclusively from bots trying known credentials, which will not work anyway. They are not a threat, just an annoyance.
Instead, I use the iptables limit feature to allow no more than 6 new TCP connections a second. This is more than enough for my purposes. Root login is disabled and I'm using a sufficiently complex password on my user account that I don't need to worry about brute-force guessing. Not that anyone has ever attempted such a thing on my home server, but now it will take too much time to be feasible.
I still get the login attempts, but they are much fewer now, and are no more than a curiosity in the auth.log file.
I am not advising against changing the port; it just has no value for me as I currently use SSH.