
I want to access my Ubuntu server from the internet via SSH storing the client's public key on that server.

In order to increase security I want to use a different port than 22 to reduce risk of a break in into my server (as script kids have to guess that port number).

Is it better to define the port forwarding in the router (like depicted below) or at the server (as described in https://askubuntu.com/a/264048)?

(screenshot: the router's port-forwarding configuration page)

user7468395

  • Either way works, but you won't stop SSH activity on the odd port; most service scanners scan all ports and they'll come knocking anyway on port 22. The only true way to secure your server from that is to use a "denial of trust" approach and only allow SSH from IPs you trust. – Thomas Ward Apr 24 '22 at 16:19
  • Either is fine in my opinion. I don't think you will get any definite answer to this. Changing the default port just reduces the number of remote login attempts in the system log. – user68186 Apr 24 '22 at 16:19
  • I might not understand the question correctly, but I think you need both. You need to port forward on the router, and then you also need the server to be listening on that port. – Doug Smythies Apr 24 '22 at 16:22
  • @DougSmythies you can have the router listen to say port 220022 and set it to forward it to port 22 of the IP 192.168.1.200. This way you don't have to edit the sshd_config. – user68186 Apr 24 '22 at 16:25
  • Agreed. There is no option but to do port forwarding at the router. The question is to forward to port 22 internally and do nothing at the server OR forward to port 3074 and also modify the server config. In my opinion, it makes no difference on the internal network. – Doug Smythies Apr 24 '22 at 16:36
  • I think what @ThomasWard is saying is use something like this. This may work if you have a handful of remote locations (say office and sister's place) to login from. This won't work if you travel a lot and want to login from all the hotels' Internet connections. – user68186 Apr 24 '22 at 16:47
  • You should also use https://manpages.ubuntu.com/manpages/en/man8/sshguard.8.html – FedKad Apr 24 '22 at 16:51
  • sshguard and fail2ban are good choices for denial of repeat login attempts that fail. I strongly recommend using one of those options for adding protection to your SSH server. – Thomas Ward Apr 24 '22 at 17:05
  • @user68186 that approach can work well if you have a VPN server. I allow access to the remote host only from the VPN server, then I can connect to that from anywhere and then access the remote host. – Organic Marble Apr 24 '22 at 18:23
  • @OrganicMarble This is a good point. I will add it to my answer if you don't mind. – user68186 Apr 24 '22 at 18:33
  • @user68186 please, feel free! – Organic Marble Apr 24 '22 at 18:38
  • Feel free to accept one of the answers as correct by clicking on the gray check mark ✓ next to the answer and turn it green ✅. This will indicate your problem is solved and help others. – user68186 Apr 25 '22 at 13:52

2 Answers

It (mostly) does not matter

If you just want to reduce the number of login attempts in the server's system log, either approach is fine.

To be specific here are the two approaches:

  1. You can have the router listen to say port 220022 and set it to forward it to port 22 of the IP 192.168.1.200. This way you don't have to edit the sshd_config in the server.
  2. You can have the router listen to say port 220022 and set it to forward it to port 220022 of the IP 192.168.1.200. This way you have to edit the sshd_config in the server so that it does not listen to the default port 22 and listens to the port you selected.

What about local threats?

If you are worried about someone at your home breaking into your server, or someone in a black van parking outside your home, breaking into your home WiFi network and then trying to break into your server, then just changing the default port probably won't save you.

Other measures

As pointed out by Thomas Ward in the comments, restricting ssh access to only a few external IP addresses is a better security measure. See Restrict SSH Access to Specific IP for User for how to do that.

This works if you have a handful of remote locations (say office and sister's place) to login from. It is different if you travel a lot and want to login from all the hotels' Internet connections.

VPN to solve the "hotel" problem

You will need a VPN service, either provided by your employer or a consumer-grade paid VPN. Then you can add the VPN server's IP address (or a range of IP addresses) to the list of allowed IP addresses. When on the road (in a hotel) connect to the VPN first and then connect to your ssh server.

Stop the Brute Force

There are various tools to stop repeated unsuccessful attempts (brute force) to ssh. fail2ban and sshguard are both highly regarded.

Hope this helps

user68186

In order to increase security I want to use a different port than 22 to reduce risk of a break in into my server (as script kids have to guess that port number).

It doesn't work like that. An attacker that doesn't know how to run nmap won't launch anything novel against you. They may attempt brute force attacks, which you can trivially defend against with good passwords, rate restriction (e.g. fail2ban or sshguard), or simply disallowing password logins.

So don't bother. Any attacker that is an actual threat won't be fooled. Remember that the entire internet is regularly portscanned.

vidarlo
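Both answers turn on the same three settings: whether sshd listens on the port the router actually forwards (approach 1 vs 2 in the first answer, and Doug Smythies's comment that you need both sides), whether password logins are allowed (vidarlo), and whether access is limited to trusted source addresses (Thomas Ward). The following is an added example, not code from the question or either answer: a small audit of an sshd_config's global directives against those points, run on constructed sample configs with a placeholder port 22022 (a real TCP port cannot exceed 65535).

```python
"""Audit an sshd_config against the points raised in this thread.

Added example, not code from the question or either answer.  Assumes
OpenSSH semantics: keywords are case-insensitive, Port may repeat, the
first value of any other directive wins, and Port / PasswordAuthentication
default to 22 / yes when unset.  Match blocks are not evaluated.
"""

# Constructed sample for approach 2: the router forwards a custom port to
# the same port on the server, so sshd must listen there instead of 22.
# 22022 is a placeholder (the thread's 220022 exceeds the TCP maximum of
# 65535).  Key-only logins and the AllowUsers source restriction follow
# the comments by Thomas Ward and vidarlo.
HARDENED_CONFIG = """\
Port 22022
PasswordAuthentication no
PubkeyAuthentication yes
# user@host patterns: these users, only from these source addresses
AllowUsers admin@203.0.113.10 admin@198.51.100.0/24
"""

# Constructed sample with every setting left at its default.
STOCK_CONFIG = "#Port 22\n#PasswordAuthentication yes\n"


def parse_global(config: str) -> dict:
    """Return global (pre-Match) directives as {keyword: [values]}."""
    directives = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        directives.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return directives


def audit(config: str, forwarded_port: str) -> list:
    """Findings for a server behind a router rule forwarding to forwarded_port."""
    d = parse_global(config)
    findings = []
    if forwarded_port not in d.get("port", ["22"]):
        findings.append(f"sshd does not listen on forwarded port {forwarded_port}")
    if d.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("password logins enabled (brute-force target)")
    if not any("@" in p for p in " ".join(d.get("allowusers", [])).split()):
        findings.append("no source-address restriction (AllowUsers user@host)")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read(), "22022")` with the port from your router rule; an empty list means the three settings line up with the advice in the thread.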