What are the consequences of changing port 22 on your VPS to a different number?
#1
I'm having a problem for the very first time since I've owned a VPS with my IP.  I have a feeling it is a bad IP as a huge variety of IPs and sources have been trying to access my VPS since 16 June - here's a small sample of what I've been getting from 16 June to date (I took a list of lastb for all of the bad login attempts since I took ownership of the IP).  What IPs are the ones that aren't straight IPs like have text in them?

Note that I've also taken a list of the successful login attempts, and they were only my IP.  Only the number of my actual logins.

Also note that this is not my post4vps VPS - it is one that I have with HostUS - and the first time that it has ever happened to me with an IP from them - I've had a good few.

ftpuser  ssh:notty    139.255.57.42    Tue Jun 26 09:31 - 09:31  (00:00)
nas      ssh:notty    125.208.9.204    Tue Jun 26 09:27 - 09:27  (00:00)
nas      ssh:notty    125.208.9.204    Tue Jun 26 09:27 - 09:27  (00:00)
nas      ssh:notty    125.208.9.204    Tue Jun 26 09:27 - 09:27  (00:00)
nas      ssh:notty    125.208.9.204    Tue Jun 26 09:27 - 09:27  (00:00)
oliver   ssh:notty    189.254.33.157   Tue Jun 26 09:26 - 09:26  (00:00)
oliver   ssh:notty    189.254.33.157   Tue Jun 26 09:26 - 09:26  (00:00)
student0 ssh:notty    159.203.191.201  Tue Jun 26 09:25 - 09:25  (00:00)
student0 ssh:notty    159.203.191.201  Tue Jun 26 09:25 - 09:25  (00:00)
james    ssh:notty    121.201.66.39    Tue Jun 26 09:22 - 09:22  (00:00)
james    ssh:notty    121.201.66.39    Tue Jun 26 09:22 - 09:22  (00:00)
test     ssh:notty    118.189.20.130   Tue Jun 26 09:08 - 09:08  (00:00)
test     ssh:notty    118.189.20.130   Tue Jun 26 09:08 - 09:08  (00:00)
root     ssh:notty    218.158.81.87    Tue Jun 26 08:52 - 08:52  (00:00)
gl       ssh:notty    36.250.234.134   Tue Jun 26 08:46 - 08:46  (00:00)
gl       ssh:notty    36.250.234.134   Tue Jun 26 08:46 - 08:46  (00:00)
root     ssh:notty    cpe-74-128-119-9 Tue Jun 26 08:42 - 08:42  (00:00)
student  ssh:notty    122.154.134.38   Tue Jun 26 08:32 - 08:32  (00:00)
student  ssh:notty    122.154.134.38   Tue Jun 26 08:32 - 08:32  (00:00)
django   ssh:notty    115.254.63.51    Tue Jun 26 08:32 - 08:32  (00:00)
django   ssh:notty    115.254.63.51    Tue Jun 26 08:32 - 08:32  (00:00)
root     ssh:notty    200-148-91-38.ds Tue Jun 26 08:31 - 08:31  (00:00)
sshd     ssh:notty    4a.e0.089f.ip4.s Tue Jun 26 08:20 - 08:20  (00:00)
admin    ssh:notty    52.175.38.156    Tue Jun 26 08:20 - 08:20  (00:00)
root     ssh:notty    185.234.218.69   Tue Jun 26 08:07 - 08:07  (00:00)
root     ssh:notty    185.234.218.69   Tue Jun 26 08:07 - 08:07  (00:00)
root     ssh:notty    185.234.218.69   Tue Jun 26 08:07 - 08:07  (00:00)
dhsites  ssh:notty    host180-177-stat Tue Jun 26 07:49 - 07:49  (00:00)
dhsites  ssh:notty    host180-177-stat Tue Jun 26 07:49 - 07:49  (00:00)
dhsites  ssh:notty    host180-177-stat Tue Jun 26 07:49 - 07:49  (00:00)
dhsites  ssh:notty    host180-177-stat Tue Jun 26 07:49 - 07:49  (00:00)
root     ssh:notty    222.29.97.98     Tue Jun 26 07:40 - 07:40  (00:00)
ohs-me   ssh:notty    179.33.29.155    Tue Jun 26 07:28 - 07:28  (00:00)
ohs-me   ssh:notty    179.33.29.155    Tue Jun 26 07:28 - 07:28  (00:00)
ohs-me   ssh:notty    179.33.29.155    Tue Jun 26 07:28 - 07:28  (00:00)
ohs-me   ssh:notty    179.33.29.155    Tue Jun 26 07:28 - 07:28  (00:00)
user     ssh:notty    128.ip-217-182-6 Tue Jun 26 07:22 - 07:22  (00:00)
user     ssh:notty    128.ip-217-182-6 Tue Jun 26 07:22 - 07:22  (00:00)
sql      ssh:notty    213.55.214.171   Tue Jun 26 07:19 - 07:19  (00:00)
sql      ssh:notty    213.55.214.171   Tue Jun 26 07:19 - 07:19  (00:00)
root     ssh:notty    078088077063.pol Tue Jun 26 07:13 - 07:13  (00:00)
system   ssh:notty    c3.dhps.tp.edu.t Tue Jun 26 06:49 - 06:49  (00:00)
system   ssh:notty    c3.dhps.tp.edu.t Tue Jun 26 06:49 - 06:49  (00:00)
proxy    ssh:notty    198.23.150.106   Tue Jun 26 06:48 - 06:48  (00:00)
proxy    ssh:notty    198.23.150.106   Tue Jun 26 06:48 - 06:48  (00:00)
proxy    ssh:notty    198.23.150.106   Tue Jun 26 06:48 - 06:48  (00:00)
proxy    ssh:notty    198.23.150.106   Tue Jun 26 06:48 - 06:48  (00:00)
jonathan ssh:notty    115.111.156.194  Tue Jun 26 06:46 - 06:46  (00:00)
jonathan ssh:notty    115.111.156.194  Tue Jun 26 06:45 - 06:45  (00:00)

If I change port 22 to a different number will that stop these attempts?  And what will the consequences be for my WordPress applications if I change the port number?
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
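Added example, not from the post: a small Python summariser for output in the lastb layout quoted above, run on a constructed excerpt of it. The entries "with text in them" are reverse-DNS names of the source addresses, cut to lastb's default 16-character host column (`lastb -w` prints them in full, `lastb -i` prints the address instead), and the script reports them separately.

```python
import re
from collections import Counter

# Constructed excerpt in the lastb(1) layout shown in the post: user, tty, host, start - end, duration.
SAMPLE_LASTB = """\
ftpuser  ssh:notty    139.255.57.42    Tue Jun 26 09:31 - 09:31  (00:00)
nas      ssh:notty    125.208.9.204    Tue Jun 26 09:27 - 09:27  (00:00)
nas      ssh:notty    125.208.9.204    Tue Jun 26 09:27 - 09:27  (00:00)
root     ssh:notty    cpe-74-128-119-9 Tue Jun 26 08:42 - 08:42  (00:00)
root     ssh:notty    185.234.218.69   Tue Jun 26 08:07 - 08:07  (00:00)
root     ssh:notty    185.234.218.69   Tue Jun 26 08:07 - 08:07  (00:00)
dhsites  ssh:notty    host180-177-stat Tue Jun 26 07:49 - 07:49  (00:00)
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_lastb(text):
    """Return (user, host, is_ip) for each SSH entry; a host that is not a dotted quad is a
    reverse-DNS name, and lastb's default 16-character column cuts it short."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "ssh:notty":
            continue
        user, host = parts[0], parts[2]
        rows.append((user, host, bool(IPV4.match(host))))
    return rows

def summarize(rows):
    """Attempts per source host and per username, plus the sources recorded as hostnames."""
    return {
        "by_host": Counter(host for _, host, _ in rows),
        "by_user": Counter(user for user, _, _ in rows),
        "hostnames": sorted({host for _, host, is_ip in rows if not is_ip}),
    }

def repeat_offenders(rows, threshold=2):
    """Sources with at least `threshold` failures, the same per-source counting fail2ban bans on."""
    counts = summarize(rows)["by_host"]
    return sorted(host for host, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    rows = parse_lastb(SAMPLE_LASTB)
    report = summarize(rows)
    print("per source:", dict(report["by_host"]))
    print("truncated hostnames:", report["hostnames"])
    print("repeat offenders:", repeat_offenders(rows))
```

Feed it the real thing with `lastb | python3 this_script.py` after replacing SAMPLE_LASTB with `sys.stdin.read()`.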
#2
Quote:If I change port 22 to a different number will that stop these attempts?

Yes, if you change the SSH port to a different port number it will stop 100% of all automated bot bruteforce attacks. I would suggest a port number over port 1024 and something rather in the higher ranges.

This will not stop a human hacker from trying it. They might run a port scan on all ports to find out your SSH server port. A way to make it a little harder is to use port knocking. You knock a certain port and once this happens your firewall unlocks the SSH port just for your IP address for a certain period of time in that you have to connect. After that time passes the SSH port will be closed again.

A guide with information if you are interested in this:
- https://www.digitalocean.com/community/t...-on-ubuntu
- https://n0where.net/ssh-port-knocking
- https://www.howtoforge.com/tutorial/how-...on-ubuntu/

Using the above really depends if you are willing to go through extra work before being able to connect to your server.

I personally recommend just changing the SSH port and using asymmetric SSH key authentication with the private and public key principle. Just fully disable password authentication after successfully setting up SSH key authentication. This way any attacker attempting to use a password will be instantly kicked from the server. And any attacker using the wrong private key will also be instantly kicked from the server. Leaving no way to bruteforce access to the server. Together with Fail2Ban this is pretty strong.


Quote:And what will the consequences be for my WordPress applications if I change the port number?

Absolutely nothing will change for your WordPress applications, your web server, mail server or other server setup. The only thing you would have to do is adjust the SSH port in fail2ban if you use this application. And at your SSH and SCP/SFTP clients you will of course also have to adjust the SSH port to connect to your server.


Welcome to the world of servers - where automated bruteforce attacks on a lot of protocols are as common as birds flying in the sky.
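To check the three settings this reply recommends together (non-default port, password authentication off, fail2ban watching the new port), here is an added example that is not from the post or from the OpenSSH or fail2ban projects: a Python checker over constructed sshd_config and jail.local fragments, with 42500 as a hypothetical port.

```python
# Constructed sshd_config and fail2ban jail.local fragments (hypothetical values): "before" is sshd on port 22 with passwords allowed.
SSHD_BEFORE = """\
Port 22
PasswordAuthentication yes
"""
SSHD_AFTER = """\
Port 42500
PasswordAuthentication no
"""
JAIL_BEFORE = """\
[sshd]
port = ssh
"""

def sshd_settings(text):
    """Parse 'Keyword value' lines; first occurrence wins as in sshd_config(5), but Port may repeat."""
    settings, ports = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value)
    return {**settings, "ports": ports or [22]}  # sshd's default when no Port line is present

def jail_ports(text):
    """Ports watched by the [sshd] jail; fail2ban's default 'ssh' is the service name for 22."""
    section, ports = None, ["ssh"]
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "sshd" and line.lower().startswith("port"):
            ports = [p.strip() for p in line.split("=", 1)[1].split(",")]
    return [22 if p == "ssh" else int(p) for p in ports]

def check(sshd_text, jail_text):
    """Findings that contradict the advice above; an empty list means the two configs agree."""
    s, findings = sshd_settings(sshd_text), []
    if s["ports"] == [22]:
        findings.append("sshd still listens on port 22 only")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not set to no")
    missing = [p for p in s["ports"] if p not in jail_ports(jail_text)]
    if missing:
        findings.append(f"fail2ban [sshd] jail does not watch port(s) {missing}")
    return findings
```

Run check() on the contents of your own /etc/ssh/sshd_config and jail.local; the firewall rule for the new port, which a later reply in this thread warns about, is outside what it checks.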
#3
As Hidden said, using a different port and ssh keys can make your VPS practically impenetrable. As for port knocking, I have never tried it so I'll have to remain agnostic. The idea sounds cool, though.
#4
(06-29-2018, 06:13 PM)Hidden Refuge Wrote: Yes, if you change the SSH port to a different port number it will stop 100% of all automated bot bruteforce attacks. I would suggest a port number over port 1024 and something rather in the higher ranges.

This will not stop a human hacker from trying it. They might run a port scan on all ports to find out your SSH server port. A way to make it a little harder is to use port knocking. You knock a certain port and once this happens your firewall unlocks the SSH port just for your IP address for a certain period of time in that you have to connect. After that time passes the SSH port will be closed again.

A guide with information if you are interested in this:
- https://www.digitalocean.com/community/t...-on-ubuntu
- https://n0where.net/ssh-port-knocking
- https://www.howtoforge.com/tutorial/how-...on-ubuntu/

Using the above really depends if you are willing to go through extra work before being able to connect to your server.

I personally recommend just changing the SSH port and using asymmetric SSH key authentication with the private and public key principle. Just fully disable password authentication after successfully setting up SSH key authentication. This way any attacker attempting to use a password will be instantly kicked from the server. And any attacker using the wrong private key will also be instantly kicked from the server. Leaving no way to bruteforce access to the server. Together with Fail2Ban this is pretty strong.



Absolutely nothing will change for your WordPress applications, your web server, mail server or other server setup. The only thing you would have to do is adjust the SSH port in fail2ban if you use this application. And at your SSH and SCP/SFTP clients you will of course also have to adjust the SSH port to connect to your server.


Welcome to the world of servers - where automated bruteforce attacks on a lot of protocols are as common as birds flying in the sky.
Thank you for the brilliant advice as per usual @"Hidden Refuge".  My first step will be to change the port number.  Now of course the challenge is what port number to choose?  I've Googled it and they say one should choose a number between 49152 and 65535.  Is there a method that one should use to create a random number in that range?
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#5
@deanhills

It absolutely doesn't matter which one you pick from this range. Automated bruteforce bots are only after default ports either way. Human hackers as said before will run a tool like nmap to scan for all open ports and will find out your SSH port anyway.

When someone uses nmap to scan all ports to find SSH ports the output would look like something below:
Interesting ports on [ipaddressremoved]:
PORT STATE SERVICE VERSION
42500/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
MAC Address: [macaddressremoved] (Intel)
Service Info: OS: Linux
Modified output to represent an SSH server running on a different port.
Original sample output taken from: https://thoughtsbyclayg.blogspot.com/200...rs-on.html
#6
(06-30-2018, 02:13 PM)Hidden Refuge Wrote: @deanhills

It absolutely doesn't matter which one you pick from this range. Automated bruteforce bots are only after default ports either way. Human hackers as said before will run a tool like nmap to scan for all open ports and will find out your SSH port anyway.
That's great news thanks very much @"Hidden Refuge".  Have just been working on it.  You wouldn't believe how clumsy I felt as I rarely use "vi" or "nano".  Eventually I gave up on "vi" and went for "nano".  I'll put down the steps in a tutorial - maybe you could critique the content as it may be a bit antiquated.


Well turns out HostUS has a security feature in its Breeze Panel where one can change one's port 22 number to a random number.  
https://hostus.us/panel.html

I couldn't fix VestaCP after I had changed the port number of my VPS from the command line.  Eventually I gave up and decided to reinstall the OS.  I then checked HostUS and found a much easier way to install a random port number. It's a standard security feature with their panel.  It was enormously easy to do.

Only bad luck was that I'd forgotten to back up a new blog I had been working on two days ago.  Darn!  Well I guess that's collateral damage.  I decided not to go into Websites for now, want to learn how to fix the security first - may have to reload the OS again during experimentation.  

I'll check in 24 hours to see what difference the new port will make.  If it is not enough I may go for the other suggestions in the HostUS Breeze Panel and work with keys as well.

Looks as though everything worked out well. I was able to change my port 22 to a random number. Next I created keys with Putty Gen and disabled SSH password authentication on my VPS. All of it is working well.

I had two bad login attempts immediately after I reinstalled my OS, but after I changed the port 22 to a different number I haven't had a single bad login after that.
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#7
The only consequences I can think of when you change your SSH port are that you wouldn't be able to log in to your VPS if you forget it, so better to take note of it; another thing is if you are using a firewall to close all ports and forgot to open your new SSH port.
#8
(07-02-2018, 05:31 PM)Vuluts Wrote: The only consequences I can think of when you change your SSH port are that you wouldn't be able to log in to your VPS if you forget it, so better to take note of it; another thing is if you are using a firewall to close all ports and forgot to open your new SSH port.
I also learned the hard way that my VestaCP wouldn't work any longer - it came up with a 502 and no matter what I did including restarting VestaCP - it just wouldn't work even with all of the suggestions of how to tweak the firewall and VestaCP.  I've now learned that with certain aspects of VPSs it is much easier to reload the OS and also reinstall VestaCP than to try and tweak VestaCP.  What was nice for me though is that after I had reloaded the OS and reinstalled VestaCP, VestaCP was able to pick up on the new port number automatically.  That I found interesting.  Everything after that worked perfectly as well.  No issues with any of my usual installations and working with WordPress.  Right now I'm a very happy camper.  I spent a good portion of yesterday reloading all of my Websites and am now back where I was before the issue with the bad logins grabbed my attention.  It was worth it for me.  From now on I'll change my port number of a VPS as standard procedure.  Depending on how secure my VPS is, I'll also remove password authentication and use PuTTYgen keys.
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#9
@deanhills Also include it in your VPS security by setting up fail2ban, not just the standard way but set it up so that your VPS will send an email to you for every failed attempt.

