By lmhopfe
So I set up my first droplet last night and followed the steps to secure SSH and so forth. I then installed ufw and set up a basic firewall, denying everything incoming while leaving a non-standard port open for SSH, which is working just fine for me. When I checked the logs I was somewhat alarmed to see a large number of port scans from all over the place. Mostly they seemed to be looking for 22 or 23, but others popped up as well. I checked those two ports myself, just to be sure the firewall was doing what it was supposed to be doing, and all was good. I guess what surprised me was the number I saw, as they were coming in about once or twice a minute.
Since my droplet isn’t doing anything yet, I shut it down overnight and when I started working this morning, I was scanned within 15 seconds of booting up! While I’ve played with servers at home, this is my first experience having something really facing the web. So I’m wondering if this is normal behaviour?
Thanks,
A concerned newbie
Yes. I would move SSH back to port 22. There’s no real useful reason to change it.
Port scanning is going to happen when you’re dealing with public-facing servers, regardless of their utility (i.e. web server, database server, etc.). As long as you’re running a firewall that will block those exceeding a threshold limit, you should be fine.
As for the SSH Port, from a security standpoint, changing the port number is security by obscurity and not a highly regarded practice since it only functions as a very small deterrent. At the same time, even though many people look down upon it, I always change the default SSH port and block all attempts to connect on 22 (TCP & UDP). It’s the default port, it’s well-known, and it’s the first SSH port that will be tried. If you can stop an IP on the first attempt, you won’t need to stop the same IP from trying to connect again.
That said, most attacks aren’t going to be from a single IP, so you’re going to be blocking numerous IPs that attempt to connect on that port, but that’s simply the nature of running a web server.
Filter out the bad and filter in the good – either way, you filter the traffic. On the backend, a firewall functions as one defense mechanism, as long as your rules are set up correctly. For example, you should have your deny-all rule before your allow ... rules. With ufw, that’s as simple as:
ufw disable \
&& ufw default deny \
&& ufw allow 80/tcp \
&& ufw allow 443/tcp \
&& ufw allow 53/tcp \
&& ufw allow 53/udp \
&& ufw allow SSHPORT/tcp
… SSHPORT should be replaced with your actual SSH port, of course :-). If you’re not sure if you set your deny rule before the others, you can simply run:
ufw reset
… to reset ufw and then run the multi-command above, which will allow traffic on 80 (HTTP), 443 (HTTPS), 53 (DNS) and SSHPORT, which is your chosen SSH port.
Once your rules are in place:
ufw enable
And the firewall is active once again.
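The original poster's alarm came from the `[UFW BLOCK]` lines in the log, and the answer's advice is that a firewall blocking sources past a threshold is what matters. The following is an added example, not code from either poster, that summarizes such log lines: it counts blocked probes per destination port (to confirm the scanners are mostly after 22 and 23) and lists source addresses that were blocked at least a chosen number of times, which is the kind of threshold a rate-limiting or banning tool acts on. The log lines in `UFW_SAMPLE_LOG` are constructed with documentation IP ranges, the field layout follows the kernel's standard netfilter log format that ufw emits, and the threshold of 3 is an arbitrary value chosen for the demonstration.

```shell
#!/bin/sh
# Constructed sample of ufw kernel log lines (documentation IPs, not from the original post).
# The [UFW ALLOW] line stands in for a legitimate SSH login on a non-standard port and must be ignored.
UFW_SAMPLE_LOG='Mar  3 08:01:12 droplet kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=54321 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:01:13 droplet kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=54322 PROTO=TCP SPT=41001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:01:15 droplet kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=54323 PROTO=TCP SPT=41002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:01:16 droplet kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=54324 PROTO=TCP SPT=41003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:02:40 droplet kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=192.0.2.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1001 PROTO=TCP SPT=55000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 08:02:41 droplet kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=192.0.2.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1002 PROTO=TCP SPT=55001 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 08:03:05 droplet kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=203.0.113.55 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=60000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:04:00 droplet kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:08:00 SRC=192.0.2.200 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=TCP SPT=50123 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0'

# ufw_blocked_ports LOGTEXT
# Prints "count port" for every destination port seen in [UFW BLOCK] lines,
# most-hit port first. Only blocked lines are counted; allowed traffic is skipped.
ufw_blocked_ports() {
  printf '%s\n' "$1" | awk '
    /\[UFW BLOCK\]/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); hits[$i]++ }
    }
    END { for (p in hits) print hits[p], p }
  ' | sort -rn
}

# ufw_noisy_sources LOGTEXT THRESHOLD
# Prints "count source-ip" for every source blocked at least THRESHOLD times,
# highest count first. These are the addresses a rate-limit or ban rule would act on.
ufw_noisy_sources() {
  printf '%s\n' "$1" | awk -v t="$2" '
    /\[UFW BLOCK\]/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
    }
    END { for (s in hits) if (hits[s] >= t) print hits[s], s }
  ' | sort -rn
}

# Usage against the constructed sample: ports probed, then sources over the threshold of 3.
echo "Blocked probes per destination port:"
ufw_blocked_ports "$UFW_SAMPLE_LOG"
echo "Sources blocked 3 or more times:"
ufw_noisy_sources "$UFW_SAMPLE_LOG" 3
```

On a real droplet the same functions can be fed the live log, for example `ufw_blocked_ports "$(cat /var/log/ufw.log)"` where ufw logging is enabled and rsyslog writes to that file (the path may differ by distribution). The port summary will typically show exactly what the question describes, a heavy skew toward 22 and 23, while the source summary shows that most scanners touch a host only a few times, which is why a per-source threshold rather than a port move is the useful control.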