So when we first set up our remote Linux logins, we used the standard SSH port # (22). We use public keys for our SSH logins, so we weren’t especially worried about port scanners and bot attacks.
But it’s a funny thing going over your logs and seeing remote systems (with IP addresses that trace back to China and Russia, if that means anything) that are trying to log in, even though we know for certain there are NO AUTHORIZED USERS at the IP locations listed. The logins fail, but even so…
So, some time ago, we moved to a different SSH port. It’s not hard – just go to your ssh_config file and pick another unused port. We have seen people pick ‘222’ and ‘2222’ and even ‘22222’ because, well, they associate ‘2’ with SSH. We picked different numbers (and that’s all we are going to say on the subject). Since that time (many months ago), we have not seen a SINGLE SSH login hack. Not one. Such a remarkable outcome was not expected. Even today, going through two log files for our /var/log/auth.log, the only odd IP address we noted was actually from one of our approved mobile devices that was roaming in Europe (so that was not an issue).
It seems hackers are sometimes lazy. They run a port-scan of web sites starting presumably at port 22 and working from there.
We like that. We hope that never changes.
What it tells us is…CHANGE YOUR SSH PORT # FROM 22 to <some-other-number> on any new Linux install. Do not use port 22 unless you enjoy seeing a log entry of someone trying to hack your server.
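The auth.log review described above can be scripted. This is an added example, not code from the original post: it counts rejected SSH attempts per source address and lists accepted logins that come from outside an allowlist (such as a roaming device). The sample lines, the addresses and the `summarize` helper are constructed for illustration and assume OpenSSH's usual syslog message format.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample in the usual OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 02:14:07 host1 sshd[1201]: Invalid user admin from 203.0.113.5 port 51234
Mar  3 02:14:09 host1 sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 51234 [preauth]
Mar  3 02:15:31 host1 sshd[1207]: Failed password for root from 203.0.113.5 port 51311 ssh2
Mar  3 04:02:56 host1 sshd[1302]: Connection closed by authenticating user root 198.51.100.7 port 40022 [preauth]
Mar  3 08:30:12 host1 sshd[1422]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2: RSA SHA256:EXAMPLE
Mar  3 09:47:40 host1 sshd[1488]: Accepted publickey for deploy from 198.51.100.99 port 61001 ssh2: RSA SHA256:EXAMPLE
"""

# Messages sshd logs when an authentication attempt is rejected or abandoned.
REJECTED = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for (?:invalid user )?\S+ from"
    r"|Invalid user \S+ from"
    r"|Connection closed by (?:invalid|authenticating) user \S+) (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def is_allowed(addr, networks):
    """True if addr parses as an IP address inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # a hostname or garbage: treat as not allowed
        return False
    return any(ip in net for net in networks)

def summarize(log_text, allowed_cidrs):
    """Return (rejected-event count per source, accepted logins outside the allowlist)."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    rejected, unexpected = Counter(), []
    for line in log_text.splitlines():
        if (m := REJECTED.search(line)):
            rejected[m.group(1)] += 1
        elif (m := ACCEPTED.search(line)) and not is_allowed(m.group(3), networks):
            unexpected.append((m.group(2), m.group(3), m.group(1)))
    return rejected, unexpected

if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/auth.log) or run with no argument for the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    rejected, unexpected = summarize(text, ["192.0.2.0/24"])  # assumed allowlist
    for src, n in rejected.most_common():
        print(f"rejected  {n:5d}  {src}")
    for user, src, method in unexpected:
        print(f"REVIEW    accepted {method} login for {user} from {src}")
```

The counts are log events, not distinct attempts, since sshd can write more than one line for a single rejected connection.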
Enjoy your weekend, and if you adopt our suggestion, you might better enjoy reviewing your log files! 🙂