Related

Is it possible to configure an sftp user for uploading and editing but NOT downloading files? Question Question
Set umask for another user Question Question

Question

Difference between ssh and sshd

Posted May 18, 2017 33.1k views
SecurityUbuntu 16.04

I’m trying to secure my environment to possible intruders and i’m wondering what is the difference between ssh and sshd. I’ve already disabled clear text passwords and i’d like to know if i can turn off sshd? Or will that stop me from logging in myself. Thanks.

Add a comment
ariziragoran
By:
ariziragoran
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
jtittle1 May 18, 2017

@ariziragoran

The client is ssh, the daemon is sshd.

If you disable sshd, you won’t be able to login remotely, so you’d effectively be locked out of the server. You’re only means of logging in at that point would be via console, though console doesn’t accept SSH Keys – only passwords, so you’d essentially lock yourself out of console as well.

sshd is what listens for an incoming connection – i.e. when you attempt to connect via SSH from your local PC/Mac/Laptop/etc.

If you disable ssh, you won’t be able to use SSH to connect to other machines (such as in the event you need to copy files from one server to another).

Reply Report
  • ariziragoran May 18, 2017

    So i do need sshd, do you recommend changing the port from 22 to something else? I’ve read a lot for it and against it and i’m not really sure. But i’ve created my server yesterday and i’m getting spammed with constant fail2ban emails about unauthorized attempts to log in :(

    Reply Report
    • jtittle1 May 18, 2017

      @ariziragoran

      If you disable sshd, you won’t be able to login to your Droplet, so you need to keep it up and running. Port 22 is the default SSH port, thus it’s well-known and commonly a target. You’re free to change the listening port, though it won’t stop someone who’s persistent.

      There are plenty of tools online that one could use to scan for open ports, so even if 22 is closed off, a port scan would most likely reveal that another port is open, which they can then target.

      The only way around this would be to firewall off the port and limit it’s access to a certain IP or IP range. If you have a dynamic IP, you’d need to setup a VPN that will allow you to have a static IP, otherwise you’d end up locking yourself out the moment your ISP changes your IP.

      Using the firewall to block access by IP will ensure that connection attempts from any IP that isn’t white listed will fail.

      Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help