
Changing SSH port, binding to one IP... good or bad idea?

Discussion in 'Bind / DNS / Nameserver Issues' started by Gliebster, Aug 4, 2003.

  1. Gliebster

    I read that changing SSH's port (in /etc/ssh/sshd_config) from 22 to a random high port is good for security. I tried it, restarted OpenSSH, and got the message below. I was still able to SSH back in and change the port back to 22.

    Is this a good or bad idea while using cPanel?

    Also, when people suggest "binding SSH to one IP" for security, what good does that do? I suppose it would keep people from knowing where to start their hacking but wouldn't it prevent users from logging in with theirdomain.com?

  2. rogcan

    I know this is an old post, but does anyone have an answer for this?

    I had the exact same question, so I thought it was best to keep this one updated.
     
  3. chirpy

    Digging up 3-year-old threads isn't usually a good idea :)

    That said, changing the SSH daemon port to a high random number is indeed a good idea and usually means that SSH port scans from script kiddies pass you by. Binding to a specific IP address is also a good idea, as it means that you're reducing the likelihood of an SSH port attack by the number of IPs on the server less the one it is on - i.e. smaller target.

    Restarting SSHD in WHM will always show an error if you run it on a non-standard port.
     
  4. Lyttek

    Since we're on the un-dead subject... a friend mentioned he changed SSH to port 21 to confuse the port scanners... not sure how I feel about that. Thoughts?
     
  5. chirpy

    Obviously you would have to disable/move FTP to do that. However, the port is still going to be bombarded with FTP exploit scans so it's usually a better idea to run it on an ephemeral port (>1024).
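
The two settings discussed in this thread, `Port` and `ListenAddress` in /etc/ssh/sshd_config, can be checked with a short script. This is an added example, not code from any poster or from cPanel; the function names, the sample configuration text and the 192.0.2.10 documentation address are constructed for illustration.

```python
WILDCARDS = {"0.0.0.0", "::"}

def split_listen(value):
    """Split a ListenAddress value into (host, port-or-None)."""
    if value.startswith("["):                  # [addr]:port or [addr]
        host, _, rest = value[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else None
    if value.count(":") == 1:                  # host:port or IPv4:port
        host, port = value.split(":")
        return host, int(port)
    return value, None                         # bare hostname, IPv4 or IPv6

def audit_sshd_config(text):
    """Return (listeners, findings) for the Port/ListenAddress lines in text."""
    ports, listens = [], []
    for raw in text.splitlines():
        fields = raw.strip().split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue                           # blank, comment or bare keyword
        key = fields[0].lower()                # keywords are case-insensitive
        if key == "match":                     # both options are global-only
            break
        if key == "port":
            ports.append(int(fields[1]))
        elif key == "listenaddress":
            listens.append(split_listen(fields[1]))
    ports = ports or [22]                      # sshd default port
    listens = listens or [("0.0.0.0", None), ("::", None)]  # default: all IPs
    # A ListenAddress without its own port listens on every configured Port.
    listeners = sorted({(h, p) for h, lp in listens
                        for p in ([lp] if lp else ports)})
    findings = []
    for host, port in listeners:
        where = f"[{host}]:{port}"
        if host in WILDCARDS:
            findings.append(f"{where} listens on every IP of the server")
        if port == 22:
            findings.append(f"{where} is the default port that bulk scans hit")
        elif port <= 1024:
            findings.append(f"{where} is not above 1024; scans aimed at the "
                            "service that normally uses this port will reach sshd")
    return listeners, findings

# Constructed sample: high port, bound to a single address.
HARDENED = "Port 49222\nListenAddress 192.0.2.10\n"

if __name__ == "__main__":
    for name, cfg in [("stock", "#Port 22\n"), ("hardened", HARDENED)]:
        print(name, audit_sshd_config(cfg))
```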
     