On Tue, Nov 18, 2014, at 11:45 AM, Zack Weinberg wrote:
On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster toralf.foerster@gmx.de wrote:
On 11/18/2014 04:28 PM, Jeroen Massar wrote:
People should realize though that it is not 'safer' in any way running SSH on another port.
But it is (slightly) more expensive - which counts, or ?
In my limited experience, moving SSH to another port made no apparent difference to the number of random attempts to break in. I'd recommend fail2ban or equivalent instead.
zw
I definitely agree with this. I don't have hard metrics to share but in my time working for a hosting provider, I saw very limited benefit to changing the default port. Yes, some scanners and software won't scan you if you aren't running on port 22 but the amount of scanning that also covered non-standard ports made it mostly a moot point. However, you're mileage may vary based on your provider (certain ip blocks are hit harder/more frequently than others). Fail2ban generally provides better protection that strictly using a different port as far as I've seen.
As, Libertas said, pub key auth is generally best... or even for some, disabling SSH altogether may be possible. If your relay is a VPS and you have access to a (java) console or some form of IPMI/drac/iLo management, you may not even need ssh access but these could open up additional security issues (particularly old firmware for out of band management).
Regards, Ryan