Most UNIX/Linux administrators are familiar with SSH and its ability to secure administration settings. If SSH has a failing, it is that it is constantly being probed by attackers who are attempting to brute force well known accounts. DShield logs approximately 80,000 to 90,000 SSH server probes on a daily basis.
Of course the best way to protect yourself is to use public/private key authentication or extremely strong passwords. This however does nothing to reduce the daily noise written to /var/log/secure from all of the above mentioned probes. To reduce the noise level, your best bet is to run your SSH servers on an alternate TCP listening port.
First, a standard disclaimer. Running SSH on a non-standard port is simply a bit of security through obscurity. It will hide your SSH server from the casual prober, but it will not hide the server from someone who is targeting you specifically. In a way, this can be helpful, as it simplifies the process of segregating true threat sources from the causal scanners. Just keep in mind that if you do not combine hiding the SSH server port with a strong authentication policy, someone may still eventually break in.
Identifying which Port to Use
The first thing we should do is identify what TCP ports are already in use on the server. To do this, assume root permissions and run the following command:
netstat -an | grep ‘LISTEN‘
Note there is a space between the “N” in “LISTEN” and the final single quote character. If you forget the space you’ll get far more output then you need to look at. When you run the command, you should see something similar to this:
[root@fedora-policy-test ~]# netstat -an | grep 'LISTEN '
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
In the third column, you’ll see a number listed after the colon. This is the TCP port number being used by each applications listening on the server. For example the first line shows us TCP/22 is listening, which is the well known listening port used by sshd. This is the port we wish to change.
The other listed ports are being used by other applications. So in the above output I can see TCP ports 22, 631, 25 and 80 are all in use. TCP ports range from 1-65,535 so I can technically use any port in that range besides the ones listed above. To avoid conflicts however, it’s best to select a port above 10,000. For the purpose of this exercise we’ll tell sshd to listen on TCP/12221.
Configuring the Server
We’ll need to edit the sshd_config file on your server. Where the file is located will depend on your distribution. The most common location is in the /etc/ssh directory. I have seen some distributions locate it under /etc. If you have trouble finding the file, run the command:
find / -iname sshd_config
If this search comes up empty, OpenSSH is not installed on the server.
Once you have sshd_config open for editing, search for a line that reads:
The parameter may be commented out with a pound character like this:
That’s OK. We’ll simply remove the pound character while editing the port number. In either case, change the entry to look like this:
Save your changes and exit the file. DO NOT RESTART THE SSH SERVER YET! We have a few final tweaks to perform prior to implementing our changes.
Modify the Firewall Rules
We are going to modify the firewall rules in two passes. This is to ensure our connectivity to the server does not become broken half way through the process. If you are using Halo, simply logon to your account and add a new inbound firewall rule permitting access to TCP/12221.
Now, in your previous SSH session, restart the SSH server the same way you would normally restart any process on your particular Linux distribution. For example if you are a Red Hat or Fedora user, you can restart the SSH server with the command “service sshd restart”. You should not receive any errors when the server reloads.
Now, do not exit your current active session. Open a second terminal window and connect to the server using the new alternate listening port. This is done using the “-p” switch. Here’s an example:
ssh -p 12221 email@example.com
Openssh, used by many of the Linux and Unix flavors, including Mac OS/X, uses a file called “config” to store commonly used options like Port. If you choose, you can open that file and add a section similar to the following up near the top of the file:
With this change you no longer need to add “-p 12221“ to each command line.
Once you’ve connected to the server via the alternate port, you have validated functionality. We only have two final steps to perform. First, exit the original SSH session you created on TCP/22. Finally, edit your firewall rules removing inbound access to TCP/22. This completes the conversion and you can now enjoy the reduced number of entries in your /var/log/secure file!