Changing the SSH ingress port on an instance

dreamcompute

#1

Why is there no way for me to choose which SSH port I want to use?
I’ve been running a forum and a TS server live now for a week and I’m seeing a whole list of SSH failed login attempts with the command “lastb”. (I’m guessing trying to brute force their way in.)

Will it even matter if I change the default SSH port?

Of course I’ve already installed and configured fail2ban.
Are there any more precautions I can take to tighten the security?

What do you guys think is absolutely necessary to run a safe web server?


#2

Great question, it keeps on popping up here and there. You reminded me that I have set up an Ansible role for all my new servers and I should hurry up and write a tutorial for that… Basically, here are the very minimal tasks I execute on all the new Ubuntu LTS servers:

  • Run apt-get upgrade
  • Install & configure fail2ban
  • Disallow root SSH access (I believe this is the default for DreamCompute instances but better be explicit)
  • Disallow password authentication (same as above, already default but double-checking)
  • Install unattended-upgrades
  • Adjust APT update intervals (daily)
  • Make sure unattended-upgrades only installs from $ubuntu_release-security

Additional steps would be to set up the ufw firewall, add the server logs to the log aggregator (if you have one) and add it to the monitoring server. This should cover the very basics… “Safe web server” is a whole different story though: security is a process, you don’t buy it off the shelf. Let’s say that if you run stock software, keeping it up to date to the latest supported security update should provide you at least some peace of mind.

By the way, I don’t see why you shouldn’t be able to change the default SSH port on a DreamCompute server. If you move it, though, remember to update the Security Groups accordingly.


#3

There are always port scanners running, looking for port 22.

Always edit your config /etc/sshd/ and change the port to something else.

Yes, disable root.

And a ufw/iptables to block traffic on ports you don’t want.


#4

I just set up a DreamCompute instance and changed the SSH port (in sshd_config) to not 22.
I also went to the security group section of the console and set up new ingress rules to allow that port for all incoming IPs (0.0.0.0/0). I was previously able to SSH into my instance on port 22 and changed nothing else but the port in my sshd_config file. Unfortunately, I had not set up a default password for the default user yet, so I am unable to access the instance from the console and I am completely locked out. I did reboot the server in case the new access rules hadn’t taken effect, but I still cannot access it.

My question is, if I just delete this instance and start over, how can I change the ssh port to something other than 22? If I had set up a default user password first, and then the security group rules, then reboot and change the ssh port last, would that work? Have others here been able to change the ssh port, and if so, what is the right way to do that? Thanks for any hints or suggestions.


#5

You seem to have done all the right steps, so all I can think is that somehow the SSH daemon is not listening on the port you have opened via security groups or it’s not running at all.

The only thing to do is to start over with a new instance. Besides setting up a password so you can access via console, I suggest you also test the security group connecting remotely with something simple like netcat. Also, you can make SSHD listen to two ports: keep port 22 and add another one, check that it works before removing port 22.

Side note: you don’t need to reboot the instance for security groups to take effect.
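
The staged change suggested in the reply above (keep port 22, add a second port, verify, then remove 22) can be gated on a check like the following. This is an added example, not part of the original thread; port 2222 and the `SAMPLE_*` texts are constructed, and the functions parse the output of `sshd -T` and `ss -Htln`.

```shell
#!/bin/sh
# Added example. Port 2222 and the SAMPLE_* texts are constructed.

# Constructed `sshd -T` excerpt with both ports configured.
SAMPLE_SSHD_T='port 22
port 2222
permitrootlogin no
passwordauthentication no'

# Constructed `ss -Htln` output before and after restarting sshd.
SAMPLE_SS_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_SS_AFTER='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 [::]:2222 [::]:*'

# Ports in sshd's effective configuration, one per line.
# stdin: output of `sshd -T` (one lowercase "port N" line per port).
effective_ports() {
    awk '$1 == "port" { print $2 }' | sort -n
}

# Succeeds if a TCP listener is bound to port $1. stdin: `ss -Htln` output.
is_listening() {
    awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                   END { exit !found }'
}

# Port 22 may be removed only when the new port is both configured and bound.
# $1 = new port, $2 = `sshd -T` text, $3 = `ss -Htln` text
safe_to_drop_22() {
    printf '%s\n' "$2" | effective_ports | grep -qx "$1" \
        || { echo "port $1 is not in sshd's effective config"; return 1; }
    printf '%s\n' "$3" | is_listening "$1" \
        || { echo "nothing is listening on port $1 yet"; return 1; }
    echo "port $1 is configured and listening"
}

# Demo on the constructed samples: config edited, sshd not yet restarted, then restarted.
safe_to_drop_22 2222 "$SAMPLE_SSHD_T" "$SAMPLE_SS_BEFORE" || true
safe_to_drop_22 2222 "$SAMPLE_SSHD_T" "$SAMPLE_SS_AFTER"

# On a live instance (not run here):
#   sudo sshd -t                       # syntax check before restarting sshd
#   safe_to_drop_22 2222 "$(sudo sshd -T)" "$(ss -Htln)"
# From another machine, test the security group rule: nc -zv <instance-ip> 2222
```

The local check only shows that sshd is bound to the new port; the remote `nc` test is what confirms the security group rule, so keep the existing port 22 session open until both pass.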

