When I set up my RedHat AS4 Linux server and connected it to the Internet, I soon saw in my logs that there were unauthorized people trying to log in all day long. For the most part these attempted logins were from hacking scripts whose job is to try various common usernames and passwords until they find a combination that works. Frequently I would see entries in my /var/log/messages file that looked like:
Apr 8 14:52:34 as1 sshd(pam_unix)[8217]: check pass; user unknown
Apr 8 14:52:34 as1 sshd(pam_unix)[8217]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=111.111.111.111
While these scripts were never able to log in, I did not like the fact that they were able to try so easily.
My solution to stopping these hacking scripts from trying to log in to my server was to just change the port that SSH listens on. It’s simply security through obscurity. I’m not here to argue about whether this will totally protect my server or not since I know there are multiple sides to the argument. You’ll find people who will suggest that I use public/private keys, firewalls, and VPNs, and for an environment housing sensitive data I do agree with this. However, for my home server I was unwilling to spend any money. I wanted a solution that stopped my problem and took less than 5 minutes of effort.
Here’s how I did it on RedHat AS 4. For other Unix flavors I’m sure the same approach can be taken; however, the appropriate config files may be in different locations.
- First open up the sshd_config file in your editor.
vi /etc/ssh/sshd_config
- In the configuration file, specify the port that SSH listens on. In the default configuration file that’s included with Linux distros, you’ll see a line that says #Port 22. This is the line that controls the port SSH listens on, and it is commented out. Change it to read:
Port 14
Through this example I simply changed the port SSH listens on to port 13.
- Two other changes I always make are to disable the root user from logging in directly through SSH and to set the LoginGraceTime. The LoginGraceTime configures the server to disconnect the user after a set amount of time if they have not successfully logged in. Since I don’t directly allow root to log in, if I need to become root I log in as a valid user account and then sudo to root. Both of these changes can be accomplished by setting the following in sshd_config:
LoginGraceTime 30s
PermitRootLogin no
- Nobody should be logging into your SSH server without a password, so let's ensure that users without passwords set can't log in.
PermitEmptyPasswords no
- Let's not let people try forever to log in with an invalid password under the same connection. Disconnect them after two invalid passwords have been specified.
MaxAuthTries 2
- Set up SSH to use only Protocol 2. It is a little more secure. By default my RedHat Linux AS 4 config file had Protocol 2,1 specified in it. Change it to read:
Protocol 2
- The last step is to restart SSH. As root run the command:
/etc/init.d/sshd restart
Your SSH server should now be listening on Port 14. Before configuring SSH to run on a new port, you should first ensure that nothing else is listening on that port.
If this configuration is successful, you’ll now have to specify the port to connect to when SSH’ing into your server. If using the SSH command line, the appropriate option is ssh -oPort=13. The command to SSH into my server is now:
ssh -oPort=13 someuser@timarcher.com
That’s it, you’re done! I do know that these simple changes made it a little bit harder to log in to my server and my problem of unauthorized login attempts throughout the day has stopped.
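To confirm that the edited file really says what the steps above intend, here is an added example that is not part of the original post: a script that reads the global section of an sshd_config and compares it with the values set above. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the global section of an
# sshd_config against the values set in the steps above.

# Print every global value of KEYWORD ($2) in FILE ($1), in file order.
# Keywords are case-insensitive; a Match line ends the global section.
sshd_values() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Run the post's checks on FILE ($1); return status = number of failed checks.
audit_sshd_config() {
    fails=0
    # Port may be given several times and sshd listens on all of them.
    ports=$(echo $(sshd_values "$1" Port))
    case " $ports " in
        "  " | *" 22 "*) echo "FAIL Port '${ports:-unset}': sshd listens on 22"; fails=1 ;;
        *) echo "ok   Port $ports" ;;
    esac
    # For the other keywords sshd keeps the first value it reads.
    while read -r key want; do
        got=$(sshd_values "$1" "$key" | head -n 1)
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"; fails=$((fails + 1))
        fi
    done <<EOF
LoginGraceTime 30s
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 2
Protocol 2
EOF
    return "$fails"
}

# Constructed sample: the later "permitrootlogin no" does not override the
# first "PermitRootLogin yes", and Protocol still allows version 1.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2048' 'PermitRootLogin yes' 'permitrootlogin no' \
    'LoginGraceTime 30s' 'PermitEmptyPasswords no' 'MaxAuthTries 2' \
    'Protocol 2,1' > "$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

Run `audit_sshd_config /etc/ssh/sshd_config` before restarting; `sshd -t` separately checks that the file parses. On newer OpenSSH releases, which no longer support protocol 1, drop the Protocol line from the list.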

Comments
SSH Port
Since some port scanners will scan ports 1-1024 by default, you might want to set the SSH port to something out of this range, i.e. 2048
Typo
port 13 vs port 14
Whoops, thanks for catching
Whoops, thanks for catching that. I fixed the post above too.
Cool
That's awesome teaching.. keep on posting dude..
thank you