I have a NAS I wish to change the ssh port from 22 to something else. How do I go about selecting a good port number? Thanks.
On Fri, 2025-01-24 at 11:40 -0500, Lester Petrie wrote:
I have a NAS I wish to change the ssh port from 22 to something else. How do I go about selecting a good port number?
Look at the standard ports in /etc/services and choose something different. Depending on access control to the NAS, you might want to choose something below 1023.
poc
On Fri Jan24'25 04:54:36PM, Patrick O'Callaghan wrote:
On Fri, 2025-01-24 at 11:40 -0500, Lester Petrie wrote:
I have a NAS I wish to change the ssh port from 22 to something else. How do I go about selecting a good port number?
Look at the standard ports in /etc/services and choose something different. Depending on access control to the NAS, you might want to choose something below 1023.
poc
I have not done this for a while, but I have my port set to a nonstandard number. Btw, I was always given to believe that moving it from 22 was the right thing to do because that was the most obvious port to attack.
Anyway, in the past, I had to do this (per some helpful instructions from this mailing list) sort of from long ago when firewalld was introduced in Fedora.
I last did this about a year (or two) ago, and it worked then.
From my notes:
# sudo semanage port -p tcp -a -t ssh_port_t ******
# where ****** is the port number desired
### get into system-config firewall and open the port ****** for tcp (I do not have to do this).
# add the port number ****** in /etc/ssh/sshd_config replacing Port 22 (default)
# Now, doing the same using firewalld (not sure if the above has to be done, but the latter has to be done):
sudo dnf install firewall-config
# Start firewall-config.
# At the top, notice there is a drop down menu. Pull down and select "Permanent"
# Select the Services Tab and then Edit Services.
# Find the ssh entry and click +Add
# Add the port you want
# Click on the "Reload firewalld" under "Options"
# You're done
# Note that you will need to change the port number in /etc/ssh/sshd_config if not done earlier:
sudo systemctl enable sshd.service
I am not sure if these help you, but they are what I have always done (for the past 10-15 years) when I need a machine with incoming ssh.
HTH,
Ranjan
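The same procedure on the command line, as an added example that is not code from the thread: Patrick's "check /etc/services first" in front of Ranjan's steps (SELinux label, firewalld, sshd_config, restart), with firewall-cmd standing in for the firewall-config GUI's Permanent > Edit Services > ssh > +Add step. It assumes the standard Fedora paths (/etc/services, /etc/ssh/sshd_config) and the semanage/firewall-cmd/sshd tools; SERVICES_FILE and SSHD_CONFIG can be pointed at copies to try the helpers without root. The port 24022 in the usage line is only an example value.

```shell
#!/bin/sh
# Added example, not from the thread: command-line version of Ranjan's notes
# with a collision check on the chosen port. Paths are the usual Fedora ones;
# override SERVICES_FILE / SSHD_CONFIG to exercise the helpers on copies.

SERVICES_FILE="${SERVICES_FILE:-/etc/services}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# port_is_free PORT [SERVICES]: succeed if PORT is 1-65535, is not assigned to
# a TCP service in SERVICES, and nothing is currently listening on it.
port_is_free() {
    port=$1
    svc=${2:-$SERVICES_FILE}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;           # not a number
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # /etc/services lines look like "ssh   22/tcp   # comment"; field 2 is port/proto.
    if [ -r "$svc" ] && awk -v p="$port" '$2 == p "/tcp" { f = 1 } END { exit !f }' "$svc"; then
        return 1
    fi
    # Listening sockets (skipped where ss is unavailable, e.g. in a sandbox).
    if command -v ss >/dev/null 2>&1 &&
       ss -Hltn 2>/dev/null | awk -v p="$port" '{ n = split($4, a, ":"); if (a[n] == p) f = 1 } END { exit !f }'; then
        return 1
    fi
    return 0
}

# set_sshd_port PORT [CONFIG]: make "Port PORT" the only Port directive in
# CONFIG, replacing an active or commented-out Port line (or appending one).
set_sshd_port() {
    port=$1
    cfg=${2:-$SSHD_CONFIG}
    tmp=$(mktemp) || return 1
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+/ {
            if (!done) { print "Port " p; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps owner and SELinux label
    rc=$?
    rm -f "$tmp"
    return $rc
}

# current_sshd_port [CONFIG]: first Port directive in CONFIG (sshd uses the
# first value it sees), or 22 if there is none.
current_sshd_port() {
    cfg=${1:-$SSHD_CONFIG}
    p=$(awk 'tolower($1) == "port" && !v { v = $2 } END { print v }' "$cfg")
    printf '%s\n' "${p:-22}"
}

# apply_ssh_port PORT: the root-only part. Order matters: label the port for
# SELinux and open it in firewalld before sshd listens there, and validate the
# config (sshd -t) before restarting so a typo cannot lock you out. Port 22 is
# left open in firewalld until the new port is confirmed working.
apply_ssh_port() {
    port=$1
    port_is_free "$port" || { echo "port $port is not usable" >&2; return 1; }
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$port"            # -m: port already labelled
    firewall-cmd --permanent --service=ssh --add-port="${port}/tcp"  # GUI's Edit Services step
    firewall-cmd --reload
    set_sshd_port "$port"
    sshd -t && systemctl restart sshd.service
    echo "sshd now on port $(current_sshd_port); test it before removing 22 from firewalld" >&2
}

# Usage as root: sh this_script.sh 24022   (24022 is just an example port)
if [ -n "${1:-}" ]; then
    apply_ssh_port "$1"
fi
```

Two checks worth doing afterwards: `ss -ltn` to confirm sshd is bound to the new port, and `sshd -T | grep -i '^port '` for the effective value, because current Fedora's sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a drop-in that sets Port silently wins over the main file. Keep the existing session open until a second login on the new port works.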
Once upon a time, Lester Petrie lmpetrie@bellsouth.net said:
I have a NAS I wish to change the ssh port from 22 to something else. How do I go about selecting a good port number?
If it's IPv4 and exposed to the Internet, moving to a different port doesn't really do much to secure it; it's not all that hard to scan for SSH on any port (and people do, and it will be found). If it's not exposed... why move it? It just makes an extra hassle when connecting.
Basically, moving known services to alternate ports is rarely a good or useful idea.
On 1/24/2025 12:03 PM, Chris Adams wrote:
Once upon a time, Lester Petrie lmpetrie@bellsouth.net said:
I have a NAS I wish to change the ssh port from 22 to something else. How do I go about selecting a good port number?
If it's IPv4 and exposed to the Internet, moving to a different port doesn't really do much to secure it; it's not all that hard to scan for SSH on any port (and people do, and it will be found). If it's not exposed... why move it? It just makes an extra hassle when connecting.
Basically, moving known services to alternate ports is rarely a good or useful idea.
I am pretty sure my router is blocking the access, but it records the attempts in its log. Probably 98-99 percent of the log is these attempts. I want to see what happens to the log if I change the port. Since I am the only one who should be accessing the NAS with ssh, and that is very rarely, I don't mind the extra hassle.
On Fri, Jan 24, 2025 at 12:17 PM Lester Petrie lmpetrie@bellsouth.net wrote:
I am pretty sure my router is blocking the access, but it records the attempts in its log. Probably 98-99 percent of the log is these attempts. I want to see what happens to the log if I change the port. Since I am the only one who should be accessing the NAS with ssh, and that is very rarely, I don't mind the extra hassle.
Typically what you do in this case is use NAT to map an external port, like 222, to an internal host and port, like myhost.home.arpa:22. The mapping occurs on your router.
I use a similar strategy to allow others to test on my internal network. Ports 1520 through 1535 on my router map to different hosts on my internal network, but SSH runs on port 22 on each of the internal hosts.
Jeff
On 24 Jan 2025, at 17:17, Lester Petrie lmpetrie@bellsouth.net wrote:
I want to see what happens to the log if I change the port.
It is easy to scan all 64k ports to find sshd. So you should expect no change in attacks. If you leave a secured sshd on 22 the scripts tend to give up faster, which lowers the overhead on your systems.
Barry
Once upon a time, Lester Petrie lmpetrie@bellsouth.net said:
I am pretty sure my router is blocking the access, but it records the attempts in its log.
If it's blocking and logging, then it won't matter if you move the port or even turn off the NAS, the connection attempts will still hit the firewall (because Internet).
Since I am the only one who should be accessing the NAS with ssh, and that is very rarely, I don't mind the extra hassle.
That's IMHO a worse case, because if it's rarely accessed, it's that much harder to remember the alternate port.
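Lester wants to see what the router log does after the port change, and Chris and Barry say the attempts will keep arriving and will find sshd on any port. The following is an added example, not code from the thread, for measuring that instead of eyeballing the log: it summarises a drop log by destination port and picks out sources that probed more than one port. The log lines are constructed for this example in the format of the Linux kernel LOG target (SRC=, PROTO=, DPT= fields); a router that logs in a different format needs the field names adjusted.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a firewall drop log by TCP
# destination port. SAMPLE_LOG is constructed data in kernel LOG-target format.

SAMPLE_LOG='Jan 24 11:40:01 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=22
Jan 24 11:40:03 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=22
Jan 24 11:41:10 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22
Jan 24 11:41:11 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=2222
Jan 24 11:42:00 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=60000 DPT=22
Jan 24 11:42:00 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=60001 DPT=23
Jan 24 11:42:01 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=60002 DPT=445
Jan 24 11:42:05 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=60003 DPT=22
Jan 24 11:43:30 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.250 DST=198.51.100.2 PROTO=TCP SPT=33333 DPT=22
Jan 24 11:44:00 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=53'

# awk prelude shared by the functions below: extract src, proto and dpt from
# the key=value fields and skip anything that is not TCP.
PARSE='{
    src = ""; proto = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)        src = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
    }
    if (proto != "TCP" || src == "" || dpt == "") next
}'

# attempts_by_port: "attempts port distinct_sources" per TCP destination
# port, busiest first. Reads the log on stdin.
attempts_by_port() {
    awk "$PARSE"'
    {
        n[dpt]++
        if (!((dpt, src) in seen)) { seen[dpt, src] = 1; srcs[dpt]++ }
    }
    END { for (p in n) printf "%d %s %d\n", n[p], p, srcs[p] }' | sort -rn
}

# share_of_port PORT: whole-number percentage of TCP attempts aimed at PORT.
share_of_port() {
    awk -v want="$1" "$PARSE"'
    { total++; if (dpt == want) hit++ }
    END { printf "%d\n", (total ? 100 * hit / total : 0) }'
}

# multi_port_sources: "ports source" for sources that probed more than one
# TCP port, i.e. scanners that will find sshd wherever it listens.
multi_port_sources() {
    awk "$PARSE"'
    { if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ } }
    END { for (s in ports) if (ports[s] > 1) printf "%d %s\n", ports[s], s }' | sort -rn
}

# Demo on the constructed sample; for a real log pipe it in instead, e.g.
# journalctl -k | attempts_by_port
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | attempts_by_port
    printf 'share of TCP attempts on port 22: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | share_of_port 22)"
    printf '%s\n' "$SAMPLE_LOG" | multi_port_sources
fi
```

Run it before and after the change on the same-length window of log: the share on port 22 is what Lester expects to drop, the total line count is what Chris says will not, and the multi-port sources are the scanners Barry refers to, which will show up against the new port too.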