Share

Question

I’m trying to secure my environment to possible intruders and i’m wondering what is the difference between ssh and sshd. I’ve already disabled clear text passwords and i’d like to know if i can turn off sshd? Or will that stop me from logging in myself. Thanks.

Answer 1

jtittle1 May 18, 2017

@ariziragoran

The client is ssh, the daemon is sshd.

If you disable sshd, you won’t be able to login remotely, so you’d effectively be locked out of the server. You’re only means of logging in at that point would be via console, though console doesn’t accept SSH Keys – only passwords, so you’d essentially lock yourself out of console as well.

sshd is what listens for an incoming connection – i.e. when you attempt to connect via SSH from your local PC/Mac/Laptop/etc.

If you disable ssh, you won’t be able to use SSH to connect to other machines (such as in the event you need to copy files from one server to another).

Reply Report

ariziragoran May 18, 2017

So i do need sshd, do you recommend changing the port from 22 to something else? I’ve read a lot for it and against it and i’m not really sure. But i’ve created my server yesterday and i’m getting spammed with constant fail2ban emails about unauthorized attempts to log in :(
Reply Report
- jtittle1 May 18, 2017
  
  @ariziragoran
  
  If you disable sshd, you won’t be able to login to your Droplet, so you need to keep it up and running. Port 22 is the default SSH port, thus it’s well-known and commonly a target. You’re free to change the listening port, though it won’t stop someone who’s persistent.
  
  There are plenty of tools online that one could use to scan for open ports, so even if 22 is closed off, a port scan would most likely reveal that another port is open, which they can then target.
  
  The only way around this would be to firewall off the port and limit it’s access to a certain IP or IP range. If you have a dynamic IP, you’d need to setup a VPN that will allow you to have a static IP, otherwise you’d end up locking yourself out the moment your ISP changes your IP.
  
  Using the firewall to block access by IP will ensure that connection attempts from any IP that isn’t white listed will fail.
  
  Reply Report

Answer 2

ariziragoran May 18, 2017

So i do need sshd, do you recommend changing the port from 22 to something else? I’ve read a lot for it and against it and i’m not really sure. But i’ve created my server yesterday and i’m getting spammed with constant fail2ban emails about unauthorized attempts to log in :(
Reply Report
- jtittle1 May 18, 2017
  
  @ariziragoran
  
  If you disable sshd, you won’t be able to login to your Droplet, so you need to keep it up and running. Port 22 is the default SSH port, thus it’s well-known and commonly a target. You’re free to change the listening port, though it won’t stop someone who’s persistent.
  
  There are plenty of tools online that one could use to scan for open ports, so even if 22 is closed off, a port scan would most likely reveal that another port is open, which they can then target.
  
  The only way around this would be to firewall off the port and limit it’s access to a certain IP or IP range. If you have a dynamic IP, you’d need to setup a VPN that will allow you to have a static IP, otherwise you’d end up locking yourself out the moment your ISP changes your IP.
  
  Using the firewall to block access by IP will ensure that connection attempts from any IP that isn’t white listed will fail.
  
  Reply Report

Related

Question

Difference between ssh and sshd

Leave a comment

Looking for something else?

Share

Share your Question

Related

Question

Difference between ssh and sshd

Leave a comment

Related

question

Is it possible to configure an sftp user for uploading and editing but NOT downloading files?

question

Set umask for another user

question

OpenLDAP Internal and External Authentication

question

How To FIX CVE-2016-4484 on Ubuntu 16.04.1 LTS?

Looking for something else?

Almost there!