Running SSH on a non-standard port

By Sandra Henry-Stocker, ITworld.com

If shutting off telnet access and insisting that all system-to-system connections use ssh isn't enough to toughen your system's hide, here's another way to make your servers just a little more difficult to access -- run ssh on a non-standard port. Unless unwelcome users are pointing port scanners at the system to detect active ports, they are not likely to figure out why they're not able to log in. While there are, of course, many ways to prevent normal users from logging into a system, this is one which provides a way to reduce access to a system while changing almost nothing about its configuration.


SSH servers almost always run on port 22. That port is, after all, the well known port that is assigned to the service. If you're not feeling particularly devious, you might run the service on port 2222 instead or you might run it on some seemingly random number such as 9140 or 6188. Any unused port above 1024 (and below 65537) will do.


To change the port that ssh runs on, edit its configuration file. You might find this file in /etc/ssh or /usr/local/etc/ssh or a similar directory. To make the switch, all you need to do is change the line that reads "Port 22" or "#Port 22" (a commented-out port indicates that the default port will be used) to your new value and then restart your ssh daemon, sshd.
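The following POSIX shell helper is an added example, not code from the article: it applies the port change in two steps (the approach one commenter below recommends), keeping port 22 alongside the new port until a login on the new port has been confirmed, then retiring 22. It takes the path of the sshd configuration file as an argument, so it can be rehearsed on a copy before touching the real file.

```shell
#!/bin/sh
# Added example, not from the article: stage an sshd port change in two steps
# so that port 22 keeps working until the new port has been confirmed
# reachable. CONFIG is whatever sshd configuration path you pass in
# (e.g. /etc/ssh/sshd_config, or a copy to rehearse on).

# Accept only a number in the range the article recommends: above 1024 and
# no higher than 65535 (the largest valid TCP port).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

port22_re='^[[:space:]]*#?[[:space:]]*Port[[:space:]]+22[[:space:]]*$'

# Step 1: add "Port NEW" while keeping 22. A commented "#Port 22" only means
# the default applies; as soon as any Port line is present that default goes
# away, so 22 is made explicit or the staged change would cut off 22 at once.
add_port() {   # add_port CONFIG NEWPORT
    cfg=$1; new=$2
    valid_port "$new" || { echo "invalid port: $new" >&2; return 1; }
    grep -Eq "^[[:space:]]*Port[[:space:]]+$new[[:space:]]*\$" "$cfg" && return 0
    tmp=$(mktemp)
    if grep -Eq "$port22_re" "$cfg"; then
        awk -v re="$port22_re" -v new="$new" '
            $0 ~ re && !done { print "Port 22"; print "Port " new; done = 1; next }
            { print }' "$cfg" > "$tmp"
    else
        # No Port line at all: prepend, since Port must precede any Match block.
        { printf 'Port 22\nPort %s\n' "$new"; cat "$cfg"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Step 2: after a login on the new port has succeeded, retire port 22.
drop_port22() {   # drop_port22 CONFIG
    tmp=$(mktemp)
    sed -E '/^[[:space:]]*Port[[:space:]]+22[[:space:]]*$/d' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Ports the file will make sshd listen on, space separated, for a final check.
listen_ports() {   # listen_ports CONFIG
    awk '$1 == "Port" { printf "%s%s", sep, $2; sep = " " }' "$1"
}
```

Between add_port and drop_port22, validate the file with sshd -t -f CONFIG, restart sshd, and log in on the new port from a second session before closing the one you already have.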


Once ssh is running on a non-standard port, connection attempts to the system will fail with messages such as these:

boson> ssh fermion
ssh: connect to address ::1 port 22: Connection refused
ssh: connect to address 127.0.0.1 port 22: Connection refused


Most visitors will simply assume that the system is not in its normal multiuser mode or that ssh has been disabled entirely. Meanwhile, the group of people to whom the new port has been divulged can gain access to the system by using modified ssh commands.


To log into a system that is running ssh on an unusual port, include the port number in the ssh command like this:

boson> ssh -p 6188 fermion



The -p argument should specify the port that ssh is listening on. The scp command to use when your ssh daemon is running on an unusual port uses a similar syntax but, for some inexplicable reason, uses a capitalized P instead of a lowercase p to specify the connection port. An scp command for an unusual ssh port would, therefore, look something like this:



boson> scp -P 6188 fermion:/opt/data/config.conf .



If the group of people to whom you have provided the port have a hard time remembering to type the -p and -P arguments with their ssh and scp commands, you can advise them to establish an alias to accommodate the change. For example, typing this command in bash or related shells will redefine ssh to include the odd port number:



boson> alias ssh="ssh -p 6188"



This command does the same sort of thing for scp:

boson> alias scp="scp -P 6188"



With these aliases in place, your users can then go back to typing their regular commands.

 

5 comments

    Anonymous 1 year ago
    Be careful when changing the SSH port! Don't change the "Port 22" line, just add "Port 3333", and after that restart sshd. Then check port 3333 availability (it happens that a provider blocks some non-standard incoming ports) at http://check-host.net/check-tcp . After a successful result you could delete the "Port 22" line and restart sshd again.

    By the way, instead of an alias you could edit your ~/.ssh/config and you will be able to connect with a command like "ssh server" with the right port:

    Host myserver
    User root
    Port 60100
    Hostname 97.97.97.11
    Anonymous 1 year ago
    The alias is a bad idea, since it will direct all connections to the alternate port. A better option is to edit the users' ~/.ssh/config files and declare the port on a host-by-host basis.
    Anonymous 1 year ago in reply to Anonymous
    What would be the syntax for declaring the port on a host-by-host basis? An example?
    Anonymous 2 years ago
    Thank you so much! This was just what I was looking for!
