How to properly secure SSH?

Posted on June 12, 2014

Hello,

I logged into my server today to find out there’s been 157 unsuccessful attempts to login.

I installed and configured fail2ban right away (I hope jail.local is fine). (I forgot to do it…) Protocol 2 is used by default in Fedora - so that’s okay.

I’m not sure if I should change the SSH port though.

https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

http://www.danielmiessler.com/blog/putting-ssh-another-port-good-idea

Do you think it’s a good idea to change it if it’s done properly?

If I use port-knocking it should be okay, right? Or do you think I should leave it alone?

Thank you!

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Andrew SB

June 12, 2014

It’s very often recommended to change the SSH port, in fact our initial server setup guide suggests that you do it:

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04

Of course, there is some debate on the subject. You seem to have already found good opinions on both sides. Personally, I don’t usually change it on my servers. Though that’s because I’ve taken other steps to secure them (and partially laziness!). Installing fail2ban is a good step. I’d strongly encourage that you use SSH key pairs and disable password authentication.