I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot log in with root myself via ssh, but I would’ve thought that it would be reflected in /var/log/auth.log. Instead, it shows up as a failed password entry. Is this intended?

What I’ve done is to uncomment the PermitRootLogin no line in /etc/ssh/sshd_config. The rest of the config file is left at default.

Bonus question: All login attempts by ssh seem to go over some random port (even my own successful logins). Why is this?

  • StarkZarn@infosec.pub
    1 year ago

    That all sounds correct to me. The random port you’re seeing in the logs is a high port, often referred to as an ephemeral port, and it is common for source ports. All good there.

    • cyberwolfie@lemmy.mlOP
      1 year ago

      Ok, thanks - so if I understand correctly then, it is listening on port 22 as a default, and not accepting traffic on any port.

      That brings up the question: wouldn’t I be better off changing the SSH port? And is that as easy as uncommenting the #Port 22 line in the config file and changing the port number to something random, and saving that somewhere? Would I then be able to connect by running ssh myuser@mydomain.com:, or would I need to do anything else to successfully connect?

      • siph@feddit.de
        1 year ago

        You would need to specify the new port when using ssh (using the -p$PORT option). Just keep in mind that security through obscurity is not considered secure in itself. You could instead consider a service like fail2ban that automatically blocks connections from certain sources depending on your set parameters.

      • grant 🍞@toast.ooo
        1 year ago

        It’s recommended you keep the default port because as soon as your IP is known it takes less than 5 minutes to scan every port for an ssh port

        • cyberwolfie@lemmy.mlOP
          1 year ago

          > It’s recommended you keep the default port because as soon as your IP is known it takes less than 5 minutes to scan every port for an ssh port

          Fair point! I first thought that would be good, as it would discourage all those random connections. My guess is that they won’t bother spending 5 minutes on each server, and instead just move on to the next when they fail. But then I realized that I don’t really care about those anyway as they’re not getting anywhere with their root:mypassword login attempts.
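
Added example, not part of the thread: a small Python parser for sshd lines in auth.log, showing that root attempts appear as ordinary "Failed password" entries, that the logged port is the client's source port rather than the listening port, and a simplified per-source failure count of the kind fail2ban acts on. The sample log lines, IP addresses and the `max_retry` threshold are constructed for illustration, and no time window is applied.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH auth.log format (documentation IPs).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.7 port 51844 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 51844 ssh2
Mar  3 10:01:19 host sshd[1203]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:02:40 host sshd[1210]: Failed password for invalid user admin from 198.51.100.23 port 36590 ssh2
Mar  3 10:05:02 host sshd[1222]: Accepted password for myuser from 192.0.2.10 port 58231 ssh2
Mar  3 10:06:00 host CRON[1230]: pam_unix(cron:session): session opened for user root
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_auth_line(line):
    """Return a dict for sshd auth result lines, None for anything else."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "valid_user": m["invalid"] is None,
        "ip": m["ip"],
        # Client-side source port of the TCP connection, not the port sshd listens on.
        "src_port": int(m["port"]),
    }

def summarize(log_text, max_retry=3):
    """Count failures per source IP and flag sources at or above max_retry."""
    events = [e for e in map(parse_auth_line, log_text.splitlines()) if e]
    failures = Counter(e["ip"] for e in events if not e["ok"])
    return {
        "root_failures": sum(1 for e in events if not e["ok"] and e["user"] == "root"),
        "failures_by_ip": dict(failures),
        "would_block": sorted(ip for ip, n in failures.items() if n >= max_retry),
        "src_ports": sorted({e["src_port"] for e in events}),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```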