There's No Protection In High Ports Anymore, Son. If Indeed There Ever Was.

[J65nko]

In http://bsdly.blogspot.ca/2013/02/the...igh-ports.html Peter Hansteen reports about ssh probes on other ports than the standard port 22.

There is also a discussion at slashdot

[asemisldkfj]

Non-standard SSH ports have always been a poor security measure and more of a pain in dealing with client configuration than they're worth. Public key auth FTW! PasswordAuthentication No is always one of the first edits I make to sshd_config.

[Ninguem]

1. Using the standard port of 22 is asking for trouble. Whenever I enable ssh, the port number for logging into will constantly be changed.
2. The password will constantly be changed.

Paranoia is good.

[jggimi]

Ninguem,

This is "security through obscurity" and only provides a false sense of security. And best practice is to replace passwords with a better authentication system, such as PKA with passphrases

[J65nko]

On the Freebsd server I administer, I moved ssh to another port, only to get rid of those annoying messages in the log file.

[asemisldkfj]

Luckily I use SSH on such a small network that the authlog messages aren't too annoying, but FWIW it's fairly easy with pf to block traffic from hosts that complete too many TCP handshakes on port 22 in too short a window of time.

With these lines in pf.conf, if a host connects over port 22 more than three times in ten seconds they're added to the brutes table and any existing states involving that host are removed:

Code:

table <brutes> persist
block quick from <brutes>
pass in on egress inet proto tcp from any to (egress) port 22 keep state (max-src-conn-rate 3/10, overload <brutes> flush global)

Edit: relevant section of pf.conf man page

[asemisldkfj]

There's also fail2ban which according to this blog post can be integrated with pf with a little bit of manual configuration.