LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-07-2008, 09:50 AM   #16
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67

Quote:
Originally Posted by jschiwal View Post
Five things I'd recommend are 1) change the port used 2) use "AllowUsers" 3) disable root logins 4) use public key authentication 5) use only protocol 2.

Use a strong passphrase when creating your keys. This will protect you if you lose your private key.
Quote:
Originally Posted by ghodkiller View Post
For home security it is secure... I don't imagine somebody wasting time to hack a private home computer. You may change port 22 to another if you want to be 1% more secure.

The last 4 things are good to do, but the 1st one, "change the port used", used to be a good idea; with any recent port scanner it is going to pick up the fact that it is ssh just from the hello. Also, changing the port was good when not everyone did it. Something like that is only good until everyone starts finding out that people are changing the port. As far as the server's security itself, that does not make the server more secure, it just keeps script kiddies away. Since when did changing a port ever make anything more secure? Just because you are hiding it elsewhere doesn't mean it is more secure, it just means you're making it harder to find. The port is still open.

It's like closing a window next to your computer and opening one across the room, hoping that no one will break in because a different window is open.

Last edited by slimm609; 10-07-2008 at 11:49 AM.
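An added example, not code from the thread or from OpenSSH, that checks a local sshd_config against the five items jschiwal listed (quoted at the top of this post). The two sample configs are constructed; the Port check only reports whether sshd is hidden from port-22 scanners, which is the distinction this post draws.

```python
"""Audit an sshd_config against the five items recommended in the thread.
Added example; the two sample configs below are constructed."""

# Constructed: a stock-looking config with only some of the items applied.
STOCK_CONFIG = """\
# Typical distribution defaults
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed: the same host after applying all five recommendations.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
AllowUsers alice bob
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.
    Mirrors sshd's reading rules: '#' lines and blanks are skipped, keywords are
    case-insensitive, the first occurrence of a keyword wins, and parsing stops
    at the first Match block because its settings apply only per connection."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return {check_name: passed}. An absent keyword counts as unset rather
    than assuming a version-specific sshd default, so each item must be
    stated explicitly to pass."""
    s = parse_sshd_config(text)
    return {
        # Passing this only hides sshd from port-22 scanners; it is not hardening.
        "non-default port": s.get("port", "22") != "22",
        "AllowUsers set": bool(s.get("allowusers")),
        "root login disabled": s.get("permitrootlogin", "").lower() == "no",
        "public-key only": (s.get("pubkeyauthentication", "").lower() == "yes"
                            and s.get("passwordauthentication", "").lower() == "no"),
        "protocol 2 only": s.get("protocol", "") == "2",
    }
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` against a real file to see which of the five items are still missing.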
 
Old 10-07-2008, 11:25 AM   #17
TwinReverb
Member
 
Registered: Sep 2008
Location: Misawa AB, Japan
Distribution: Slackware
Posts: 191
Blog Entries: 2

Rep: Reputation: 40
Quote:
Originally Posted by ghodkiller View Post
For home security it is secure... I don't imagine somebody wasting time to hack a private home computer. You may change port 22 to another if you want to be 1% more secure.
It's a lot more improvement than 1% to change ports. So far, all automated (i.e. non-human, such as worms) attacks against SSH go for port 22. By changing the port you make it inaccessible to automated attacks going for port 22. This should also lighten your load in terms of all the logged attacks and all the blocked ports. I would assert that this is, in fact, an excellent idea for users with very little to lose (as opposed to a big corporation), simply because those attacking SSH for the home user are much more likely to be coded only for port 22 because they are non-human.

And I disagree with any security philosophy that claims that no one bothers hacking the Average Joe (tm). If this were true, there'd be no mimic sites trying to grab people's passwords, no spam email impersonating legitimate sites, and a host of other attacks would not exist. Thieves will take whatever they can, big or small, if it's worth their time. With automated attacks such as worms and mimic email/website attacks, it's becoming increasingly easier.

The summary of my philosophy: everything can be hacked. However, if it is worth my time to make it more difficult for someone to hack it (in this case, changing something in a text file, which is easy), in any way, shape, or form, I'm going to do it.

Last edited by TwinReverb; 10-07-2008 at 11:40 AM.
 
Old 10-07-2008, 11:44 AM   #18
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by TwinReverb View Post
It's a lot more improvement than 1% to change ports. So far, all automated (i.e. non-human, such as worms) attacks against SSH go for port 22. By changing the port you make it inaccessible to automated attacks going for port 22. This should also lighten your load in terms of all the logged attacks and all the blocked ports.
Moving the port _DOES_NOT_ improve security at all. Not even .01%. Yes, it hides it from worms and automated scripts targeted at port 22.

Here is another comparison for changing the port number:

Instead of leaving your front window in your car down when you're not there, roll it up and leave the back window down, so then no one will break in because your car is more secure.

If there is an SSH vulnerability when sshd is listening on port 22, then the vulnerability is still there when listening on port 2222. You are not improving security at all by moving the port.

I am sorry if I sound rude, but people are giving some false information about increasing security on *nix. Like I said a few times, it does help keep away automated scripts and script kiddies but does not improve security.

Last edited by slimm609; 10-07-2008 at 11:56 AM.
 
Old 10-07-2008, 02:22 PM   #19
MasterOfTheWind
Member
 
Registered: Jul 2004
Distribution: Arch, Debian sid, Kubuntu, Slackware 11
Posts: 324

Original Poster
Rep: Reputation: 30
Everyone, thanks a lot for your suggestion and the really interesting discussion.

But I have one further question. Say that I have implemented all of the above (which I actually have), so the setup will look like the following:

0) Router's admin password and username are changed from the default setting and the password is strong
1) Router blocks all incoming connections except on the SSH port
2) iptables is set up to do the same
3) ssh is set up not to accept remote root logins
4) ssh is using protocol 2 exclusively
5) I have a strong password for my personal user and a scrambled root password
6) DenyHosts is adding offending IPs to /etc/hosts.deny
7) fail2ban adds them to iptables rules

If necessary I can make use of public keys or block IPs based on country of origin.

As someone mentioned above everything is hackable. My question is, with all these improvements in place, isn't this setup pretty much invulnerable to attacks? I surely don't know much about security, but I can think of no way an attacker could get through this provided I don't do anything stupid on my part.
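As an added example (not from the thread, DenyHosts or fail2ban), the counting logic behind items 6 and 7 of the list above, run over constructed auth.log lines with RFC 5737 documentation addresses. The option names maxretry and findtime are borrowed from fail2ban; the thresholds and the log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (documentation addresses only).
AUTH_LOG = """\
Oct  7 09:50:01 home sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  7 09:50:03 home sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct  7 09:50:04 home sshd[2305]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct  7 09:50:09 home sshd[2309]: Invalid user oracle from 203.0.113.5
Oct  7 09:52:30 home sshd[2320]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct  7 09:52:41 home sshd[2322]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Oct  7 10:30:00 home sshd[2400]: Failed password for root from 192.0.2.9 port 33000 ssh2
Oct  7 10:45:00 home sshd[2410]: Failed password for root from 192.0.2.9 port 33001 ssh2
Oct  7 11:00:00 home sshd[2420]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches the two sshd failure messages the sample uses; syslog timestamps carry no year.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2008):
    """Yield (timestamp, source_ip) for each authentication failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")


def find_offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside
    a sliding window of findtime seconds (assumed thresholds). A source that
    spaces its attempts wider than findtime is never banned, which is the
    trade-off these tools make against locking out a user who mistypes."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def block_rules(banned):
    """Render what DenyHosts (hosts.deny line) and fail2ban (iptables rule)
    would add for each offender; nothing here is executed."""
    return {ip: (f"sshd: {ip}", f"iptables -I INPUT -s {ip} -j DROP") for ip in banned}
```

Rerun `find_offenders(AUTH_LOG, findtime=3600)` to see the slow 192.0.2.9 source get caught once the window is widened.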
 
Old 10-07-2008, 03:08 PM   #20
TwinReverb
Member
 
Registered: Sep 2008
Location: Misawa AB, Japan
Distribution: Slackware
Posts: 191
Blog Entries: 2

Rep: Reputation: 40
Quote:
Originally Posted by slimm609 View Post
Moving the port _DOES_NOT_ improve security at all. Not even .01%. Yes, it hides it from worms and automated scripts targeted at port 22.

Here is another comparison for changing the port number:

Instead of leaving your front window in your car down when you're not there, roll it up and leave the back window down, so then no one will break in because your car is more secure.

If there is an SSH vulnerability when sshd is listening on port 22, then the vulnerability is still there when listening on port 2222. You are not improving security at all by moving the port.

I am sorry if I sound rude, but people are giving some false information about increasing security on *nix. Like I said a few times, it does help keep away automated scripts and script kiddies but does not improve security.
Your example isn't anything like what moving the port does. If you're a home user, it's almost impossible that someone is going to be targeting just you. If they don't see port 22 open, the odds of them bothering to attack you decrease even further.

But automated attacks (worms, bots, whatever) will target port 22 because it's the common denominator. Moving that prevents them from doing so. Much less, if a zero day hack comes out for SSH, it will end up in a worm that's probably (again) programmed for port 22. Moving the port would "hide" your server from bots that assume port 22. Sitting on the same port is betting on the server never having a remote attack vulnerability later on, which is silly.

Case in point: I'm military and I work on UHF radios on aircraft. We don't just encrypt our communications because this makes it easier for someone who's listening in to find our frequency and then try to crack the encryption. We also employ frequency-hopping, i.e. rapidly changing frequencies. SSH is your encryption. Changing the port is your frequency-hopping. Using both is more secure than just one of either on its own. This is in light of the fact that nothing is 100% secure, or ever will be; so we should do all that we can, not just "enough", to maintain security.

Last edited by TwinReverb; 10-07-2008 at 03:18 PM.
 
Old 10-07-2008, 08:04 PM   #21
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by TwinReverb View Post
Your example isn't anything like what moving the port does. If you're a home user, it's almost impossible that someone is going to be targeting just you. If they don't see port 22 open, the odds of them bothering to attack you decrease even further.

But automated attacks (worms, bots, whatever) will target port 22 because it's the common denominator. Moving that prevents them from doing so. Much less, if a zero day hack comes out for SSH, it will end up in a worm that's probably (again) programmed for port 22. Moving the port would "hide" your server from bots that assume port 22. Sitting on the same port is betting on the server never having a remote attack vulnerability later on, which is silly.

Case in point: I'm military and I work on UHF radios on aircraft. We don't just encrypt our communications because this makes it easier for someone who's listening in to find our frequency and then try to crack the encryption. We also employ frequency-hopping, i.e. rapidly changing frequencies. SSH is your encryption. Changing the port is your frequency-hopping. Using both is more secure than just one of either on its own. This is in light of the fact that nothing is 100% secure, or ever will be; so we should do all that we can, not just "enough", to maintain security.
nmap, nessus, or any other scanner would catch the fact that it is ssh by the handshake. I stated above that worms and automated scripts would not attack that machine. But that still doesn't make moving the port more secure at all.

If you wanna do all you can to maintain security, then you should install SELinux w/ MAC, Grsecurity, all services in a chroot, 2-password authentication with the first password a one-time password, run aide, chkrootkit, and md5 checksums of all files on your system daily.

The fact still remains that moving ssh to port 2222 and not 22 does not improve the security of ssh at all.

There was a similar conversation that I was part of recently at defcon this year, and numerous people said the same thing... that moving ports does not increase security.

Freq-hopping is completely different because it changes often. If you want to employ freq-hopping on ssh, then write a script to change the port that ssh uses every 30 min and have it notify you of what it changed the port to. Inmarsat deployable kits also use freq-hopping along with the KIV-7 and/or KG-175 (TACLANEs).

I know how your radio's encryption works. The encryption is NSA Type 1 and rotates the key every hour. The key itself changes its encryption every hour and is keyed with an AN/CYZ-10.
Two totally different levels of security: home security vs. national security.
 
Old 10-07-2008, 09:01 PM   #22
TwinReverb
Member
 
Registered: Sep 2008
Location: Misawa AB, Japan
Distribution: Slackware
Posts: 191
Blog Entries: 2

Rep: Reputation: 40
Quote:
Originally Posted by slimm609 View Post
nmap, nessus, or any other scanner would catch the fact that it is ssh by the handshake. I stated above that worms and automated scripts would not attack that machine. But that still doesn't make moving the port more secure at all.

If you wanna do all you can to maintain security, then you should install SELinux w/ MAC, Grsecurity, all services in a chroot, 2-password authentication with the first password a one-time password, run aide, chkrootkit, and md5 checksums of all files on your system daily.

The fact still remains that moving ssh to port 2222 and not 22 does not improve the security of ssh at all.

There was a similar conversation that I was part of recently at defcon this year, and numerous people said the same thing... that moving ports does not increase security.

Freq-hopping is completely different because it changes often. If you want to employ freq-hopping on ssh, then write a script to change the port that ssh uses every 30 min and have it notify you of what it changed the port to. Inmarsat deployable kits also use freq-hopping along with the KIV-7 and/or KG-175 (TACLANEs).

I know how your radio's encryption works. The encryption is NSA Type 1 and rotates the key every hour. The key itself changes its encryption every hour and is keyed with an AN/CYZ-10.
Two totally different levels of security: home security vs. national security.
And it's funny you went through all that to say "home security versus national security", yet you just got done saying he should use something on par with national security by going with SELinux + GRSecurity + chroots + blah blah blah. He's a home user, not the NSA. Beyond which, I doubt he's going to want to dedicate one machine to ssh and all that overkill (since I doubt KDE is going to run on that machine afterwards lol), much less to all the setup it's going to take.

It's so much simpler for him to simply switch ports, especially when in real world situations it's extremely rare for anyone with intelligence to be trying to break into a home user's machine. Last I checked, worms and other automated threats do not have very much intelligence coded into them, much less do they go looking for ssh on anything but good old port 22.

Is adding obscurity adding security? No, but it's the easiest way to defeat automated threats without resorting to more than it's worth for a home user. As soon as it strays from port 22 looking for the SSH server, you know it's a real person, and then it becomes a totally different kind of threat.

Last edited by TwinReverb; 10-07-2008 at 09:03 PM.
 
Old 10-07-2008, 09:25 PM   #23
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by TwinReverb View Post
And it's funny you went through all that to say "home security versus national security", yet you just got done saying he should use something on par with national security by going with SELinux + GRSecurity + chroots + blah blah blah. He's a home user, not the NSA. Beyond which, I doubt he's going to want to dedicate one machine to ssh and all that overkill (since I doubt KDE is going to run on that machine afterwards lol), much less to all the setup it's going to take.

It's so much simpler for him to simply switch ports, especially when in real world situations it's extremely rare for anyone with intelligence to be trying to break into a home user's machine. Last I checked, worms and other automated threats do not have very much intelligence coded into them, much less do they go looking for ssh on anything but good old port 22.
Please re-read my posts above. I never once said _NOT_ to change the port that sshd listens on. I said that it does not make a server more secure. If there is a worm that affects ssh and it is scanning _ONLY_ port 22, moving ssh to another port does not make ssh secure against that vulnerability; it only keeps it from getting tagged by the worm, but the vulnerability still exists in ssh. So my original statement that moving ssh to another port does not make ssh more secure is still correct.

Quote:
Is adding obscurity adding security? No, but it's the easiest way to defeat automated threats without resorting to more than it's worth for a home user.
In your last post you said

"This is in light of the fact that nothing is 100% secure, or ever will be; so we should do all
that we can, not just "enough", to maintain security."

and now you're saying

"without resorting to more than it's worth for a home user"

so is it that we need to do everything we can, or just enough for what it's worth for a home user?

Last edited by slimm609; 10-07-2008 at 09:39 PM.
 
Old 10-08-2008, 05:07 AM   #24
TwinReverb
Member
 
Registered: Sep 2008
Location: Misawa AB, Japan
Distribution: Slackware
Posts: 191
Blog Entries: 2

Rep: Reputation: 40
Quote:
Originally Posted by slimm609 View Post
Please re-read my posts above. I never once said _NOT_ to change the port that sshd listens on. I said that it does not make a server more secure. If there is a worm that affects ssh and it is scanning _ONLY_ port 22, moving ssh to another port does not make ssh secure against that vulnerability; it only keeps it from getting tagged by the worm, but the vulnerability still exists in ssh. So my original statement that moving ssh to another port does not make ssh more secure is still correct.


In your last post you said

"This is in light of the fact that nothing is 100% secure, or ever will be; so we should do all
that we can, not just "enough", to maintain security."

and now you're saying

"without resorting to more than it's worth for a home user"

so is it that we need to do everything we can, or just enough for what it's worth for a home user?
My key phrase:

Quote:
Originally Posted by me
However, if it is worth my time to make it more difficult for someone to hack it (in this case, changing something in a text file, which is easy), in any way, shape, or form, I'm going to do it.
This depends on the person. In my opinion, for a home user, the whole SELinux + GRSec + chroots you mentioned is just not worth the amount of time spent on them (unless you're a high value target like Linus or someone else).

To me, fiddling with sshd_config is worth my time. The rest is not.
 
Old 10-09-2008, 08:57 PM   #25
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by TwinReverb View Post

This depends on the person. In my opinion, for a home user, the whole SELinux + GRSec + chroots you mentioned is just not worth the amount of time spent on them (unless you're a high value target like Linus or someone else).

To me, fiddling with sshd_config is worth my time. The rest is not.
That still does not explain how moving the ssh port makes the server more secure.

My posts said that moving ssh to another port does not improve security. It does help block worms and automated scripts but does not improve security.

And that's what spawned this debate back and forth.

So if I am missing something on how moving ports makes ssh more secure than please explain it to me.
 
Old 10-09-2008, 09:10 PM   #26
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Guys, the debate about whether or not having OpenSSH listen on a non-default port makes a box more secure will never end. I say this because over the years I've seen the debate happen probably dozens of times right here on LQ, and not once has either side proved the other wrong. So I would like to ask you guys to please try and not use your valuable (and extremely appreciated) time and energy debating this hot-button issue if possible. Trust me, regardless of where you stand, any attempt of yours to prove the other guy wrong will be futile. This thread would be much more productive without the infinite back and forth which this issue always generates.

Last edited by win32sux; 10-09-2008 at 09:18 PM.
 
  

