Posts Tagged ‘ssh’

Tunneling HTTP Via SSH Using Free Tools

January 14th, 2008

This is the first one and it is meant to be very easy; check out the podcast for itradio.com.au.

Slow SSH

December 27th, 2007


Changing the default port of SSH can make a script kiddie's job a bit harder, but it may cause problems for other services working on the same port; that is what happened to me not long ago. In case you have no idea, VSFTP runs on the same port as SSH. After changing the default port to 2020 I began to notice that VSFTP transfers dropped from 80kbps down to 20kbps. After checking the VSFTPD configuration (/etc/vsftpd.conf) I found the following problem.

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

change to

connect_from_port_20=NO

I guess that VSFTP was only trying to verify that port 20 was being used for transfers; the solution was to change the “YES” to “NO”. After restarting VSFTP the rate of the file transfers went up.

Secure The Default SSH Configuration

September 24th, 2007

SSH is a secure protocol used for system administration, tunneling and many other useful things that a secure encrypted channel can offer. Because of its importance on a system, attackers tend to make it a priority when scanning for ports. Increasing the level of awareness and security requires common sense: avoid short passwords and common user names like “user” on a system exposed to the Internet.

The location of the OpenSSH configuration may vary depending on the Linux distribution you are using, but the fundamentals remain the same.

  • When a line begins with the sign # it shows the previous (default) value.

Improve the default configuration

On Debian-based distributions the configuration for OpenSSH can be found at:

/etc/ssh/sshd_config

Usually the attacker will scan for common or default ports; SSH uses port 22. To reduce the number of failed attempts on a system, change the port to a number above 1024.

#Port 22
Port 1520

OpenSSH offers two protocol versions, SSH1 and SSH2; all you need to know is that SSH1 is insecure. The solution is simply to select protocol 2.

#Protocol 2,1
Protocol 2

The root account has no need to be reachable from the Internet; instead create a user with privileges. You do not want to hand the attacker a nuke! Deny login access to the root account from the Internet.

#PermitRootLogin yes
PermitRootLogin no

Automated attacks benefit from default configurations, such as allowing a high number of invalid attempts. Limit the number of failed attempts before the connection is denied and another attempt is required.

#MaxAuthTries 6
MaxAuthTries 2

Now let's limit the number of unauthenticated connections the SSH server will handle at the same time. By making the numbers smaller than the default of 10 we make it harder for the attacker to coordinate an attack with multiple connections. The new values tell the SSH server to allow 3 users at the same time and then randomly, with increasing probability, drop connections between 2 and 8.

#MaxStartups 10
MaxStartups 2:40:8

By default the SSH server will hold an unauthenticated connection open for 2 minutes, which is a long time on the Internet; 30 seconds is more than enough time to log in.

#LoginGraceTime 2m
LoginGraceTime 30

SSH keys are far more secure than passwords; do not run the risk of an attacker guessing your password. Disable password authentication and only allow access using SSH keys.

#PasswordAuthentication yes
PasswordAuthentication no

This may seem basic, but we are actually giving the attacker a run for his or her money. For the changes to take effect, restart OpenSSH.

/etc/init.d/sshd restart
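To check that all seven changes above actually took effect, here is a small audit script added as an example (it is not from the post and not part of OpenSSH). It reads a sshd_config body, fills in the upstream defaults shown on the post's commented-out lines, follows sshd's rule that the first occurrence of a keyword wins, and lists every setting that still differs from the post's recommendation; the sample config is constructed.

```python
import re

# Lower-cased sshd_config keyword -> (upstream default, value the post recommends).
SETTINGS = {
    "port":                   ("22",  "1520"),
    "protocol":               ("2,1", "2"),
    "permitrootlogin":        ("yes", "no"),
    "maxauthtries":           ("6",   "2"),
    "maxstartups":            ("10",  "2:40:8"),
    "logingracetime":         ("2m",  "30"),
    "passwordauthentication": ("yes", "no"),
}

def parse_sshd_config(text):
    """Effective keyword -> value map. Blank and '#' lines are skipped and, as in
    sshd, the FIRST occurrence of a keyword wins: a hardening line appended below
    an earlier 'PermitRootLogin yes' changes nothing."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(\S.*)", line)  # 'Key Value' or 'Key=Value'
        if m:
            effective.setdefault(m.group(1).lower(), m.group(2).strip())
    return effective

def audit(text):
    """Return [(keyword, effective, recommended)] for every setting still off.
    Values are compared literally, so '120' and '2m' do not count as equal."""
    effective = parse_sshd_config(text)
    findings = []
    for key, (default, wanted) in SETTINGS.items():
        actual = effective.get(key, default)
        if actual.lower() != wanted.lower():
            findings.append((key, actual, wanted))
    return findings

# Constructed sample: MaxAuthTries still commented out, root-login fix appended too late.
SAMPLE = """\
Port 1520
Protocol 2
PermitRootLogin yes
#MaxAuthTries 6
MaxStartups 2:40:8
LoginGraceTime 30
PasswordAuthentication no
PermitRootLogin no
"""
```

Running `audit(SAMPLE)` reports `permitrootlogin` (effective `yes`) and `maxauthtries` (effective default `6`) as the two settings that were not applied.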