Improve security by changing the SSH listening port

This is a simple change that can, in my opinion, greatly improve security on a server or desktop system with openssh-server installed. Simply changing the listening port from the default 22 to another value will reduce the brute-force SSH attacks on a system, thereby freeing up resources and reducing the chance of the system being compromised.

Unlike with other system services, moving SSH to another port is often trivial for administrators and users alike. Moving an HTTP server to another port wouldn’t do any good, but with SSH it’s easy to communicate the new port to users, and most SSH clients (including SCP and SFTP clients) make it easy to select an alternative port. As soon as the port is changed, brute-force attacks will stop, so system resources are not wasted on those logins, and there is no need to install additional software or set up firewall rules to stop the flood of login requests. In my experience, once the port is changed I don’t see any more break-in attempts on those systems, but if I did, I would know that the attacker has taken enough interest to learn about the new port and target it, which tells me to take such cracking attempts more seriously.

To change the port in openssh-server, the line Port 22 in the file /etc/ssh/sshd_config just needs to be changed to Port 12345, where 12345 is the new port to listen on. The service can then be restarted by issuing the command sudo /etc/init.d/ssh restart. Of course, any firewall rules on the system or between the system and the users may have to be updated as well to reflect this change.
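The edit described above, as an added example that is not part of the original post: it goes slightly beyond the single-line case by also handling a commented-out default (#Port 22), several Port lines, and a config with Match blocks, where the global Port line has to come before the first Match. The function name set_sshd_port and the sample config are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: set the sshd listening port in a config file, keeping a backup.
# Usage: set_sshd_port FILE PORT   (set_sshd_port is a hypothetical helper name)
set_sshd_port() {
    file=$1 port=$2
    # Accept only an integer in the range 1..65535.
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 1; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Keep the previous config so the change can be rolled back.
    cp -p "$file" "$file.bak" || return 1
    awk -v port="$port" '
        # Global directives must appear before the first Match block.
        /^[ \t]*[Mm]atch[ \t]/ && !done { print "Port " port; done = 1 }
        # Active or commented-out Port lines: write one new line, drop the rest.
        /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        # No Port line and no Match block at all: append the directive.
        END { if (!done) print "Port " port }
    ' "$file.bak" > "$file"
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
set_sshd_port "$sample" 12345 && cat "$sample"
```

On a real system, run sudo sshd -t -f /etc/ssh/sshd_config after the edit and before the restart, and keep the current SSH session open until a login on the new port has succeeded.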

While there are certainly many other ways to deal with brute-force SSH attacks, I find that this simple method is the most effective and easiest to implement, and I have had no complaints from users. It could easily be combined with other methods (the fail2ban package or iptables rules) should an attack occur on the alternate port. Still, I think just changing the port is a great solution for desktop users and server administrators whose systems have few users. This change is a simple and effective way to improve a system’s security and prevent an unnecessary drain on its resources.
