lyfsy

Should you change SSH port on VPS?

Jan 23rd, 2020
  1. Should you change SSH port on VPS?
  2. Hello there, I received a message asking me to change my SSH port. I'm wondering if this is necessary or not? There are two sides to the argument about whether to change it or not. What do you think about it?
  14. Hi dear, these are the primary security issues of a server, so yes, change the SSH and other default ports on the server.
  15. Site : Roobinaserver.com
  16. (Provider Dedicated/Colocation/VPS/VDS/Host) in Iran/Tehran (Monitoring 24/7) - start date: 2006
  17. Access free to Telephone my office company from internet for Iranian in out of iran
  18. Payment with Rial OR Dollar and Euro and lir by send swift.
  19. If your server is under attack then changing the port may buy you some time. But it's only a temporary solution, because attackers will find the new port eventually.
  20.  
  21. If you're worried about security, it would be much better to spend time doing things like disabling password logins completely (use authentication keys instead). If your server is secure then you don't care about port numbers.
  22.  
  23. Also using non-standard port numbers can cause operational problems, and even reduce security (for example if you change to a non-privileged port above 1023, or prevent a utility like fail2ban doing its job).
  24.  
  25. If your host is asking you to do this just because it's "best practice" then it's time to start looking for a new host (and make sure you have backups)! It may have been good practice in 1990 but times have changed.
  26. Phil McKerracher
  27. www.beeches.it
  28. Not a hosting company, but I fix hosting problems
  29. This couldn’t be more wrong, ALL of it.
  30.  
  31. Should you change the port? Absolutely, this should be mandatory everywhere. No, someone isn’t going to randomly find it, especially if you have that port firewalled off to all but trusted computers and have a proper firewall built in.
  32.  
  33. Should you do more? Sure? Disable password logins for everyone, require keys, get a proper firewall, a WAF and a server-based firewall. However, that doesn’t mean changing the port isn’t a necessity.
  34.  
  43.  
  44. Also, take a good look at login duo for SSH. This will help with a lot of things.
  45. It's highly recommended to change the default SSH port from a security viewpoint. But it's not a must; also install a good firewall on your server.
  46. NixUser.com
  47. I don't see the harm in changing your SSH port. It's pretty common practice. It would be great to get a good firewall installed as mentioned previously as well.
  48. Changing the port should only be considered a basic layer of security that needs to be coupled with firewalling the port off, along with firewall rules that block port scans. If you don't firewall the port off and don't have port scan detection and blocking, changing the port only stops basic scans and slows down other scans. You can get away with just firewalling the port off and not changing the port, but you have to ensure the firewall is always on and doing its job. Also, another layer of security is the hosts.allow and hosts.deny files to block access from non-allowed sources.
  49. -Steven | u2-web@Cooini, LLC - Business Shared Hosting | Isolate sites with Webspaces | Site Builder | PHP-FPM | MariaDB
  50. Hello there, I received a message asking me to change my SSH port. I'm wondering if this is necessary or not? There are two sides to the argument about whether to change it or not. What do you think about it?
  51. Yes, we do change the default SSH port to a custom port.
  52.  
  53. Have a read through what system administrators do as part of the hardening process (making a server more secure).
  54. ZenHosting
  55. Cheap Domains | All hosting needs covered from Cheap Web Hosting to Dedicated Servers | Managed & Unmanaged options
  56. Visit https://www.zenhosting.com.au for top value Australian Web Hosting
  57. It won't hurt to change it, but you need to put more security measures in place, not just change the port.
  58. Yes change it.
  59. I can only think of positives for changing it and no negatives.
  60. Changing the port should only be considered a basic layer of security that needs to be coupled with firewalling the port off, along with firewall rules that block port scans.
  61. When you say 'firewalling the port off', after changing the port number, are you referring to making it stealth? Because both an open and closed port would be visible to the outside world.
  62.  
  63. Just trying to understand it correctly.
  64. I believe he meant to close the default port in the firewall after changing it.
  65. NixUser.com
  66. I think it's a good idea to change to a non-standard port, just to get rid of some of the automatic scanning and brute forcing.
  67.  
  68. But, as others have said, this is not a serious security measure, you should do more. ^
  69. Hello there, I received a message asking me to change my SSH port. I'm wondering if this is necessary or not? There are two sides to the argument about whether to change it or not. What do you think about it?
  70. Hello
  71.  
  72. This is the first thing you need to do when you rent a VPS or a dedicated server. This is for security, because you will get a lot of attacks on SSH, and by changing the SSH port you could stop those attacks for a while and keep your logs cleaner. For extra security you could use fail2ban and enable the SSH jail, but don't forget to change the SSH port in the fail2ban config to the new port.
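
Several posts above name checks that are easy to get wrong after a port change: password logins left enabled, the fail2ban jail still pointing at the old port, and a new port above 1023. The following is an added example, not part of the original thread, that audits an sshd_config and a fail2ban jail.local for those three points; the sample configs are constructed, and it assumes the jail is named `sshd` and reads only the global part of sshd_config (it stops at the first `Match` block).

```python
import configparser

def sshd_settings(text):
    """Global sshd_config settings: (ports, first value of each other keyword)."""
    ports, first = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                 # per-user/host overrides: out of scope here
            break
        if key == "port":
            ports.append(int(value))       # Port may appear more than once
        else:
            first.setdefault(key, value)   # sshd uses the first value it reads
    return ports or [22], first

def jail_ports(text, jail="sshd"):
    """Ports a fail2ban jail bans on, or None when the jail is not enabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(jail) or not cp.getboolean(jail, "enabled", fallback=False):
        return None
    raw = cp.get(jail, "port", fallback="ssh")
    return {22 if p.strip() == "ssh" else int(p) for p in raw.split(",")}

def audit(sshd_text, jail_text):
    """Return findings for the points raised in the thread."""
    ports, cfg = sshd_settings(sshd_text)
    findings = []
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password logins are still enabled")
    watched = jail_ports(jail_text)
    if watched is None:
        findings.append("fail2ban sshd jail is not enabled")
    findings += [f"fail2ban bans on {sorted(watched)}, not sshd port {p}"
                 for p in ports if watched is not None and p not in watched]
    findings += [f"port {p} is non-privileged (above 1023)" for p in ports if p > 1023]
    return findings

# Constructed sample configs (not from the thread).
SSHD_BEFORE = "Port 2222\nPasswordAuthentication yes\n"
JAIL_BEFORE = "[sshd]\nenabled = true\nport = ssh\n"
SSHD_AFTER = "Port 220\nPasswordAuthentication no\n"
JAIL_AFTER = "[sshd]\nenabled = true\nport = 220\n"

if __name__ == "__main__":
    print(audit(SSHD_BEFORE, JAIL_BEFORE), audit(SSHD_AFTER, JAIL_AFTER))
```

With the jail left on `port = ssh`, fail2ban still counts failures from the log, but its ban is applied to port 22 while sshd listens elsewhere.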
  73. I can only think of positives for changing it and no negatives.
  74. That's the problem, and that's why I used to do it myself, and it's why there are strong opinions and flame wars about this. If you google "security through obscurity" you will find lots of discussion and many pros and cons.
  75.  
  76. Here are a couple of negatives you may not have considered. You may or may not consider them important - that's down to judgement and experience and I'm not going to argue with that, I just offer them as information in case you haven't thought about them.
  77.  
  78. 1. Let's say one of your users has a really weak password like "123456". If you enable SSH on port 22 you will most likely be completely pwned in minutes. If instead you enable SSH on port 220 nothing may happen for days or even months. Statistically that's more secure, right? BUT you still haven't fixed the original problem and you've made it harder to find because you've lost the correlation between the two events.
  79.  
  80. Now suppose you fix the cause (by changing everyone's password to something long and unique or by disabling SSH passwords completely and using keys). That's a lot of inconvenience for users, right? BUT it solves that particular problem and it's less inconvenient than dealing with a hacked server. Now you really don't care about brute force password attempts on SSH at all. And on closer inspection of the logs you see that they weren't true "brute force" attacks anyway because there are only a few hundred a day and you would need trillions a day actually to force a password. They were just "rattling the door handles" looking for trivial passwords and you definitely don't want those on your system.
  81.  
  82. 2. The other hidden problem is that you might pick a non-standard port that conflicts with something else. This really happened to me - I wasted a frustrating weekend when something completely different stopped working due to a port clash. I also once wasted quite a lot of time failing to get rsync backups to work, first forgetting that the SSH connection wouldn't work unless I explicitly set the port number, and then setting the wrong number (for the other end of the link). That was my fault, but my point is from a security point of view that time would have been better spent checking the password settings or monitoring access logs.
  83. Phil McKerracher
  84. www.beeches.it
  85. Hello,
  86. You can change the port, or you can install fail2ban and enable the SSH rule, and if someone tries to enter a wrong password they will be suspended by the firewall.
  87.  
  88. yum install fail2ban*
  89.  
  90. This command will help you, but if you do not have system administration skills, it is better for you to open a ticket with your host or find someone who can help you.
  91. QIS.HOST Quality Dedicated Servers 1GBPS-100GBPS | Pure SSD VPS | Fast SSD Shared Hosting
  92. Follow us on Twitter:@QIS_HOST
  93. support @ qis.host
  94. You can change the port, or you can install fail2ban and enable the SSH rule, and if someone tries to enter a wrong password they will be suspended by the firewall.
  95. We're getting off-topic here because this thread's not about fail2ban, but just a word of warning to anyone reading this that fail2ban looks like a good idea but I have found it can do more harm than good.
  96.  
  97. The hackers are well aware of fail2ban and they get around it by trying each username a few times (typically less than 10) and then moving to a new IP address. They have botnets with thousands of addresses (I measured 300,000 in a month). I used to increase the default timeout in fail2ban to a couple of weeks and it reduced the attacks for a while but then they got wise to that and just waited a month before recycling addresses. You can also reduce the number of failures allowed before blocking (it has to be a minimum of 2, fail2ban doesn't work well with 1) but again that doesn't have much effect because they just use new IP addresses. If you examine your logs carefully you will find that there is no possible rule that can block these "door handle rattlers". So fail2ban is becoming pretty useless except for sustained DoS-type attacks. The default timeouts in fail2ban have hardly any effect at all now, in my experience.
  98.  
  99. Fail2ban has a hidden disadvantage as well. If several of your users share the same external IP address (which is common for companies or even households behind a NAT router) then if one user mistypes a password, everyone in the building gets locked out of the server for a while. This is a common problem when using fail2ban on email ports in particular. You can "whitelist" the offending address but only if they have a static IP (which often costs more). It causes users a lot of distress and wastes a lot of support time, which is why the default timeouts in fail2ban are quite short.
  100. Phil McKerracher
  101. www.beeches.it
  102. Not a hosting company, but I fix hosting problems
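
The two effects described in the post above (attempts spread over many addresses staying under a per-IP threshold, and a shared NAT address getting banned over one user's typos) can be reproduced on a log. This is an added example, not part of the original thread: it replays failed-password lines through a per-IP sliding-window rule. The log lines are constructed, the addresses come from documentation ranges, and `maxretry=5` with a 10-minute `findtime` are assumed threshold values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line in classic syslog format.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse(lines, year=2020):
    """Return [(timestamp, user, ip)] for every failed-password line."""
    hits = (FAILED.match(l) for l in lines)
    return [(datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2], m[3])
            for m in hits if m]

def banned_ips(events, maxretry, findtime):
    """IPs that reach maxretry failures inside a sliding findtime window."""
    window, banned = defaultdict(deque), set()
    for ts, _user, ip in sorted(events):
        q = window[ip]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

def summarize(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Aggregate view next to what a per-IP threshold would act on."""
    events = parse(lines)
    return {"failures": len(events), "sources": len({ip for _, _, ip in events}),
            "banned": banned_ips(events, maxretry, findtime)}

def sample_log():
    """Constructed log: 40 bot addresses x 3 usernames, then one shared office IP."""
    t0 = datetime(2020, 1, 23, 3, 0, 0)
    line = "{:%b %d %H:%M:%S} vps sshd[4242]: Failed password for {} from {} port 50000 ssh2"
    out = []
    for i in range(40):                    # each bot address stays under the threshold
        for j, user in enumerate(("root", "admin", "test")):
            out.append(line.format(t0 + timedelta(seconds=90 * i + 30 * j), user,
                                   f"203.0.113.{i + 1}"))
    for k in range(5):                     # one user behind NAT mistyping a password
        out.append(line.format(t0 + timedelta(hours=2, seconds=20 * k), "alice",
                               "198.51.100.7"))
    return out

if __name__ == "__main__":
    print(summarize(sample_log()))
```

On the constructed log, 120 of the 125 failures come from 40 addresses that never trip the rule, and the only address banned is the shared office one.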
  103. The question in this thread is "Should you change SSH port on VPS?" and the answer is YES, but you need to take other steps to protect your server.
  104.  
  105. Changing the SSH port is only one of many points.
  106.  
  107. Also, I noticed that if you haven't any system administration skills, then it is better to ask a professional to do it.
  108. QIS.HOST Quality Dedicated Servers 1GBPS-100GBPS | Pure SSD VPS | Fast SSD Shared Hosting
  109. Follow us on Twitter:@QIS_HOST
  110. support @ qis.host
  111. Absolutely change the SSH port to something non-standard. Just set up a machine on an IP and watch how many login attempts you get. There are bots which'll hammer your SSH port day and night - just to avoid this traffic it makes sense to me.
  112.  
  113. But, don't JUST change the port. Disable password, use keys, lock the firewall for the new port to TRUSTED IPs only - so even if someone finds the port, they still can't connect due to the firewall rules.
  114. Dan Rodgers - Managing Director - allthe.domains
  115. 800+ Domain Extensions Supported | Nominet & CentralNic Accredited Registrar | SuperFast SSD Cloud Hosting | 24x7x365 UK-based Support
  116. When you say 'firewalling the port off', after changing the port number, are you referring to making it stealth? Because both an open and closed port would be visible to the outside world.
  117. Depends on the firewall used (straight iptables, firewall-cmd, CSF, etc.), but a rule that allows connections only from "trusted" IPs -- like a jump SSH server or a VPN -- and drops or rejects others. On an nmap scan this will show as filtered, but so would other unused ports (if using default iptables). If you want to close a port, with iptables you need to have another rule after the whitelisting rules to then DROP the connection. You want to match the behavior so that unused ports give the same result as your "protected" port in an nmap scan, as otherwise you leak information.
  118. -Steven | u2-web@Cooini, LLC - Business Shared Hosting | Isolate sites with Webspaces | Site Builder | PHP-FPM | MariaDB
  119. WHMCS Modules: Staff Knowledgebase | Custom Modules and Hooks
  120. "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle
  121. If your host is asking you to do this just because it's "best practice" then it's time to start looking for a new host (and make sure you have backups)! It may have been good practice in 1990 but times have changed.
  122. WHATTTTTTTTT? Poor host If people take your advice all hosts are out of business
  123. I believe we should all work on a new standard of forcing SSH keys; this alone would prevent so many hacked servers from ever happening. I know that Ubuntu server by default asks if you want to import an SSH key, which is great to see.
  124.  
  125.  
  126. I believe the biggest problem is people not understanding how to use or set up a key.
  127. PUREVOLTAGE.COM Premium Colocation, Dedicated & VPS Hosting
  128. Custom built Dedicated Servers to fit your needs. AMD/Intel servers, 10G,20G+ High Bandwidth
  129. Enterprise Hardware, with 6 Global Locations - Seattle | Chicago | Dallas | Los Angeles | New York | Amsterdam
  130. I believe we should all work on a new standard of forcing SSH keys; this alone would prevent so many hacked servers from ever happening. I know that Ubuntu server by default asks if you want to import an SSH key, which is great to see.
  131. I believe the biggest problem is people not understanding how to use or set up a key.
  132. I completely agree and I do this myself.
  133.  
  134. An alternative that might be almost as good would be to give each SSH user a long unique password and then prevent them changing it (chmod the passwd command). Or lock access to their IP addresses if that's practical (often it isn't). At least for sudoers.
  135. Phil McKerracher
  136. www.beeches.it
  137. Not a hosting company, but I fix hosting problems
  138. Keys are good, but they need protecting just as much as passwords, and no, the password on the key isn't protection, as it can be cracked.