Skip to main content
Unix & Linux

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

5
  • Not part of the question, but using ssh to connect to my server(s) is not for everyone! It's not http(s).... Would be a couple people, one or two, and the port number would stay, in this fantasy system, private. And no NAT involved either. A Linux box doing the "home router" role (as mentioned in the question). Public IPs only. Commented May 15, 2021 at 18:45
  • 3
    @Breakingnotsobad Depending on where you live, your ISP may be doing NAT too. You can already put SSH on a nonstandard port even with 16-bit port numbers. This does drastically remove the number of automated attempts at exploiting known vulnerabilities and default accounts. It doesn't help against targeted attacks against you, because 16 bits can be enumerated, but a targeted attacker would likely be able to find the 64-bit port number anyway, by managing to MitM or by exploiting a protocol weakness or by attacking some other part of the client or server. Commented May 15, 2021 at 18:49
  • TbH, "my" servers have random ssh ports above 10k, and still, many attacks occur... It's from scripts running 24/7 from all over the world, they scan public IPs and try many ports, it's not really "targeted". A 64b port would likely stop most if not all of that. The ssh service itself is well protected (+fail2ban), but again, in this case, the probability to find such a port is much much less compared to the one of a weakness or a bug in ssh. Commented May 15, 2021 at 18:56
  • 3
    @Breakingnotsobad: Since 64-bit ports aren't a practical option, you can't stop everything. It may help to also have sshd listening on port 22 set up to only allow public-key auth. Some password brute-forcing attempts will get sucked into there, not noticing that's there's another sshd that allows password auth listening on a high port. Commented May 16, 2021 at 18:15
  • @PeterCordes Thanks Peter, positiveness, as usual. The question could be more lengthy and present a concrete case of security, but is actually a mere PoC, since the 63b ports are only fantasy, currently. It was assuming that, behind the scene, all other components are secure, like the ssh configuration. Commented May 17, 2021 at 10:13