Using port 2222 may not prevent any real hackers from discovering it, but it sure does prevent a lot of them scripttkiddie attacks that use automated software.
With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.
Privileged ports can be used by processes that are running without root permissions.
So if the sshd process would crash or stop for some other reason, any malicious user process could pretend to be the real ssh server without privilege escalation.
To be fair this isn’t really a concern for single user systems.
But setting up fail2ban or only making ssh accessible from a local network or VPN would probably be a more helpful hardenening step
And regarding port 2222 it is the most popular non-provileged port used for SSH according to shodan.io So you ain’t gaining much obscurity
Privileged ports can be used by processes that are running without root permissions.
I guess you mean unprivileged ports?
So if the sshd process would crash or stop for some other reason, any malicious user process could pretend to be the real ssh server without privilege escalation.
Not really, except on the very first connection because you need access to the root-owned and otherwise inaccessible SSH host key, otherwise you’ll get the message a lot of people have probably seen after they reinstalled a system (something like “SOMEONE MIGHT BE DOING SOMETHING VERY NASTY!”).
Just use wireguard as VPN and bind ssh only to that interface. You loose public access but I couldn’t think of a reason why I want other devices than my own to connect anyway.
You have to make sure that ssh starts after wireguard though or it can’t bind the port.
Running SSH on a non-provileged port brings new issues. And using 2222 doesn’t bring any meaningful security by obscurity advantages.
The rest of the options look nice. It would have if there would be explanations on what the options do in the example configs
Which issues are you referring to?
Using port 2222 may not prevent any real hackers from discovering it, but it sure does prevent a lot of them scripttkiddie attacks that use automated software.
Passwordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough
We can go harder: port knock to open the port to a cert-only VPN (on top of all that)
https://wiki.archlinux.org/title/Port_knocking
Felt a bit like a faff to me, so I never bothered. Does depend upon your threat model though
Totally.
Port knocking is one of those “of course someone did that” things to me too. A replay attack is enough to make it security theater.
An IP allowlist is a more useful addon.
Never understood this
I don’t think that anyone or anything, computer or mentalist, will guess my 40+ characters long password
With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
Oh I see, ty !
Are you setting and managing other’s passwords?
Especially paired with Fail2Ban preventing any brute force attempts.
But with a WireGuard setup, you need not have the port exposed at all.
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.
Privileged ports can be used by processes that are running without root permissions. So if the sshd process would crash or stop for some other reason, any malicious user process could pretend to be the real ssh server without privilege escalation. To be fair this isn’t really a concern for single user systems. But setting up fail2ban or only making ssh accessible from a local network or VPN would probably be a more helpful hardenening step
And regarding port 2222 it is the most popular non-provileged port used for SSH according to shodan.io So you ain’t gaining much obscurity
I guess you mean unprivileged ports?
Not really, except on the very first connection because you need access to the root-owned and otherwise inaccessible SSH host key, otherwise you’ll get the message a lot of people have probably seen after they reinstalled a system (something like “SOMEONE MIGHT BE DOING SOMETHING VERY NASTY!”).
Just use wireguard as VPN and bind ssh only to that interface. You loose public access but I couldn’t think of a reason why I want other devices than my own to connect anyway. You have to make sure that ssh starts after wireguard though or it can’t bind the port.