I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot login with root myself via ssh, but I would’ve thought that it would be reflected in /var/log/auth.log. Instead, it shows up as failed password entry. Is this intended?

What I’ve done is to uncomment the PermitRootLogin no line in /etc/ssh/sshd_config. Rest of the config file is left at default.

Bonus question: All login attempts by ssh seems to go over some random port (even my own successful logins). Why is this?

  • cyberwolfieOP
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Ok, thanks - so if I understand correctly then, it is listening on port 22 as a default, and not accepting traffic on any port.

    That brings of the question: wouldn’t I be better off changing the SSH-port? And is that so easy as to uncomment the #Port 22 line in the config file and changing the port number to something random, and saving that somewhere? Would I then be able to connect by running ssh myuser@mydomain.com:, or would I need to do anything else to successfully connect?

    • siph@feddit.de
      link
      fedilink
      arrow-up
      11
      ·
      1 year ago

      You would need to specify the new port when using ssh (using the -p$PORT option). Just keep in mind that security through obscurity is not considered secure in itself. You could instead consider a service like fail2ban that automatically blocks connections from certain sources depending on your set parameters.

      • Tanoh@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        You would need to specify the new port when using ssh (using the -p$PORT option).

        You can put a host entry for it in .ssh/config specifying the port.

      • cyberwolfieOP
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Just keep in mind that security through obscurity is not considered secure in itself.

        Do you consider it to not be a helpful measure to take at all?

        I have fail2ban configured - since it is reading from the auth.log, I guess I would not have to make any changes to the configuration there to have it work with a new port?

        • siph@feddit.de
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          1 year ago

          It’s a mixed bag. Personally I wouldn’t use a non-standard port.

          Consider that port numbers under 1024 are Privileged Ports. You would either have to make sure that no other privileged service is running on the port you want to use for SSH when using another privileged port or you need to make sure that no unprivileged program tries to use the same port as your SSH service when using a non-privileged. Overall it adds a bit of overhead and possible headaches for barely any gain.

          Fail2ban should work with a different port without any further configuration but it might not.

    • grant 🍞@toast.ooo
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      It’s recommended you keep the default port because as soon as your IP is known it takes less than 5 minutes to scan every port for an ssh port

      • cyberwolfieOP
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        It’s recommended you keep the default port because as soon as your IP is known it takes less than 5 minutes to scan every port for an ssh port

        Fair point! I first thought that would be good, as it would discourage all those random connections. My guess is that they won’t bother spending 5 minutes on each server, and instead just move on to the next when they fail. But then I realized that I don’t really care about those anyway as they’re not getting anywhere with their root:mypassword login attempts.