[SOLVED] Is it "safe" to change the SSH port?

Razva

I'm reading older threads here and they mostly state that changing the default SSH port is not really "ok-ish".

Is it still the case? If not, is it "safe" to just change the port in sshd_config and call it a day, or are there extra actions required?
 
hi,

proxmox needs ssh port 22 for the cluster, so it's not recommended to change it since things might not work

why do you want to change the ssh port? if for "security", you're better off installing fail2ban
 
hi,

proxmox needs ssh port 22 for the cluster, so it's not recommended to change it since things might not work

why do you want to change the ssh port? if for "security", you're better off installing fail2ban

If you're running a Cluster, couldn't you change the port the cluster runs on too? To whatever custom port you set?
 
you can make it work, but you will always have to keep that in mind when adding/deleting new nodes to the cluster or similar. in my experience it adds too much overhead and makes it easier to unintentionally break something.

if you really want to do it, you can change the default port for both the client and the server (for every node) such that the regular ssh commands still work without user interaction (you should be able to do like ssh nodename and it should log in automatically with no interaction)
 
I totally understand, I guess for those running clusters or anything that relies on the current port changing it would be a pain.
 
if for "security", you're better off installing fail2ban

Nowadays fail2ban cannot protect ssh enough because most attacks are distributed, and I can see that the attackers can adapt very fast. If you change your firewall with fail2ban to block at 3 attempts, then you will see in 5-10 min that most attacks will try to connect using only 2 connections / IP.

So changing the ssh port will help (I see 30% fewer attacks) but not 100%. A good solution is to use a smart router that can do port knocking for ssh, and for other ports (tcp/8006).

Good luck / Bafta.
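
An added example (not written by any poster in this thread) of the effect described in the post above: a per-IP limit of 3 misses sources that stop at 2 attempts, while counting failures across all sources in the same window still shows the campaign. The log lines are constructed, and the function names, the 10-minute window and the `min_sources` threshold are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed log format: classic syslog-style sshd "Failed password" lines.
FAILED = re.compile(
    r"^(\w{3}\s+\d+) (\d\d):(\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def analyze(lines, maxretry=3, window_min=10, min_sources=5):
    """Bucket failed logins into fixed windows and compare two views of them."""
    windows = defaultdict(Counter)   # (day, bucket) -> Counter(ip -> failures)
    for line in lines:
        m = FAILED.match(line)
        if m:
            day, hh, mm, ip = m.groups()
            windows[(day, (int(hh) * 60 + int(mm)) // window_min)][ip] += 1
    findings = []
    for key, per_ip in sorted(windows.items()):
        # Sources that stay below the per-IP limit are never banned.
        quiet = {ip: n for ip, n in per_ip.items() if n < maxretry}
        findings.append({
            "window": key,
            "banned": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
            "missed_failures": sum(quiet.values()),
            # Many quiet sources in one window suggests a distributed campaign.
            "distributed": len(quiet) >= min_sources,
        })
    return findings

def sample_log():
    """Constructed log: six sources with 2 failures each, one source with 4."""
    lines = []
    for i in range(6):
        for j in range(2):
            lines.append(f"Jan 10 03:0{i}:1{j} pve1 sshd[{1000 + i}]: Failed password "
                         f"for root from 203.0.113.{10 + i} port {40000 + i} ssh2")
    for j in range(4):
        lines.append(f"Jan 10 03:07:2{j} pve1 sshd[2000]: Failed password for "
                     f"invalid user admin from 198.51.100.7 port 50000 ssh2")
    lines.append("Jan 10 03:08:00 pve1 sshd[3000]: Accepted publickey for root "
                 "from 192.0.2.5 port 51000 ssh2")
    return lines

if __name__ == "__main__":
    for finding in analyze(sample_log()):
        print(finding)
```

On the constructed sample, only the noisy source crosses the per-IP limit; the twelve failures from the six quiet sources are visible only in the aggregate count.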
 
if you really want to do it, you can change the default port for both the client and the server (for every node) such that the regular ssh commands still work without user interaction (

... or do like this: leave the ssh server to run on tcp/22 for any pmx host (permit access on port 22 only for pmx host IPs), and create a new rule for any other non PMX IPs to redirect from port xxxx to local tcp/22

Good luck / Bafta
 
Orrrrr, disable password authentication and keep the system up2date and avoid doing either of the two.
 
I add an additional SSH port on all proxmox systems, and firewall port 22 so that it can only be used on the LANs. Problem solved. Additionally I install fail2ban or sshguard because them bots -might- find your truly random SSH ports within days. Once I realize my custom ssh port starts getting attacked by botnets, I change it again.
 
hi,

proxmox needs ssh port 22 for the cluster, so it's not recommended to change it since things might not work

why do you want to change the ssh port? if for "security", you're better off installing fail2ban
What if we're talking about a non-clustered environment, where all the nodes are separate?

I add an additional SSH port on all proxmox systems, and firewall port 22 so that it can only be used on the LANs.
Yeah, that was my "plan B", but I don't know whether in my specific scenario (non-clustered) it is worth the hassle.
 
