Linode Community Forums
 Post subject: Change default SSH port
PostPosted: Fri May 22, 2009 7:15 pm 
Senior Member

Joined: Thu May 21, 2009 3:19 am
Posts: 336
I honestly don't know if this is possible or not to change when installing a new configuration. But I think it would be a great enhancement to randomly pick a port number (something above 1024) and configure SSH to be on that when setting up a new configuration, displaying in big, very noticeable text after setting up a new server the port number that was randomly picked, so people could know what their SSH port number is.

I'm new here and this is really my first time setting up Linux as a server that's publicly available. I've been doing a lot of reading and boning up on security on Linux. The first thing I noticed was that in less than 2 hours after a new server is up and running it's already being brute-force attacked via SSH (see /var/log/auth.log).

After changing my SSH port from 22 to something else those brute force attacks have completely disappeared.

You can always change it back to 22 if you want. It seems all the security "experts" (in quotes because isn't everyone on the internet an expert :) ) suggest changing the port for SSH, even several Wiki articles on Linode and Slicehost.

But I guess it really depends on what type of customer is the majority for Linode. For example, if I wanted to be a "host" and give my users SSH access, I probably wouldn't change the default port as that would be one more headache of education you'd have to do with them.


Last edited by waldo on Fri May 22, 2009 7:48 pm, edited 1 time in total.

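An added example, not part of the original post, of what the brute-force noise described above looks like once /var/log/auth.log is counted per source address. This is the core of what fail2ban's sshd jail does before it bans: count "Failed password" events per client and act on the ones over a threshold. The log lines, hostname and addresses are constructed for the example, the threshold of 3 is arbitrary, and the pattern matches only OpenSSH's "Failed password ... from <ip>" lines.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH password
# attempts per source address in auth.log-style lines and list the sources
# over a threshold, the core of what fail2ban's sshd jail does before it bans.
# Log lines, hostname and addresses are constructed; the threshold is arbitrary.

# Constructed sample in the syslog/OpenSSH format seen in /var/log/auth.log.
SAMPLE_AUTH_LOG='May 22 19:01:02 linode sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
May 22 19:01:04 linode sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 41030 ssh2
May 22 19:01:05 linode sshd[2205]: Failed password for root from 203.0.113.7 port 41041 ssh2
May 22 19:01:09 linode sshd[2207]: Failed password for root from 203.0.113.7 port 41055 ssh2
May 22 19:01:10 linode sshd[2209]: Failed password for root from 203.0.113.7 port 41060 ssh2
May 22 19:02:31 linode sshd[2215]: Accepted publickey for waldo from 198.51.100.4 port 51122 ssh2
May 22 19:03:00 linode sshd[2219]: Failed password for waldo from 198.51.100.4 port 51130 ssh2
May 22 19:04:12 linode sshd[2223]: Invalid user test from 192.0.2.9
May 22 19:04:12 linode sshd[2223]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
May 22 19:04:13 linode sshd[2225]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2'

# failed_by_source: read log lines on stdin, print "<count> <ip>" per source,
# busiest first. Only "Failed password ... from <ip>" lines count; "Accepted"
# lines and bare "Invalid user" lines do not.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: sources on stdin with at least THRESHOLD failures,
# i.e. the addresses a ban rule keyed on this log would act on.
offenders() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on a real host:  offenders 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3   # prints 203.0.113.7
```

Two differences from fail2ban worth knowing before reusing this: fail2ban bounds the count by a time window (findtime) rather than over the whole file, and it also matches "Invalid user" and other pre-auth failures, so a single address spraying usernames slowly can stay under a plain per-file count like this one.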
PostPosted: Fri May 22, 2009 7:23 pm 
Junior Member

Joined: Sun Jan 27, 2008 11:52 pm
Posts: 36
On that argument, one could simply post this feature request:

Install, but do not run, the sshd server in the image. If the user wants ssh login, they can login through LISH and then enable same, setting the port to whatever they want.


PostPosted: Fri May 22, 2009 7:25 pm 
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
waldo wrote:
After changing my SSH port from 22 to something else those brute force attacks have completely disappeared.

Better, allow only hosts you designate to access port 22 using iptables. Cleaner, and preferred:
Code:
iptables -N SSH                                # new chain holding the SSH policy
iptables -A SSH -s 1.2.3.4 -j ACCEPT           # your designated host (1.2.3.4 is a placeholder)
iptables -A SSH -j DROP                        # everyone else
iptables -I INPUT 1 -p tcp --dport ssh -j SSH  # evaluate port 22 traffic through it first

Alternatively (or additionally), disallowing password logins and using only key-based authentication cuts the head off the zombies. Consider fail2ban as well.

Changing the SSH port to something non-standard is typically an avoidable dilemma.


PostPosted: Fri May 22, 2009 7:26 pm 
Newbie

Joined: Tue May 19, 2009 9:03 am
Posts: 3
As you already noted, there's the likelihood of more support requests having to be answered were such a thing implemented. The gain for such is minimal: while it will cut down on the number of brute-force attempts done with wide-ranging scripts, it won't cut down on attempts resultant of an actual portscan (I can always fire up nmap to scan an entire network segment for any and all open services and attack based on that scan report).

The best protection for SSH (as with any service) is to run it well: require keys for logins; disable root logins of any sort; keep the software up to date with respect to security patches; set up something like fail2ban to stop the brute-forcers in their tracks. There are a number of other things you can do, too, that won't require remembering where a well-known service is actually listening (and if you have multiple Linodes, do you really want to have to maintain a table of which hosts listen where??).


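An added example, not from the original thread, that checks an sshd_config for the settings recommended above (key-only logins, no root logins) plus the two related knobs that quietly keep passwords alive (keyboard-interactive via PAM, empty passwords). The two config files are constructed for the demonstration; the function name, the directive list and the messages are this example's choices, not an OpenSSH tool. It also shows the gotcha behind many "I set PasswordAuthentication no and passwords still work" tickets: sshd uses the first value of a keyword, so a hardening line appended at the bottom of the file does nothing.

```shell
#!/bin/sh
# Added example (not from the original posts): report sshd_config settings
# that still allow password or root logins. The two config files are
# constructed here; the directive list and messages are this example's choices.

# audit_sshd_config FILE: print one "directive: finding" line per problem and
# return the number of problems (0 = clean). Two sshd_config rules matter:
# for each keyword the FIRST value wins, and anything after a Match line is
# conditional, so reading stops there. Assumes "Keyword value" syntax.
audit_sshd_config() {
    awk '
    tolower($1) == "match" { exit }
    /^[ \t]*#/ || NF < 2 { next }
    {
        k = tolower($1)
        # OpenSSH 8.7+ renamed ChallengeResponseAuthentication
        if (k == "kbdinteractiveauthentication") k = "challengeresponseauthentication"
        if (!(k in v)) v[k] = tolower($2)
    }
    END {
        p = 0
        p += want("passwordauthentication", "no", "yes",
                  "passwords accepted; set PasswordAuthentication no and use keys")
        p += want("pubkeyauthentication", "yes", "yes",
                  "public-key authentication disabled")
        p += want("permitrootlogin", "no", "unset (default varies by version)",
                  "direct root login not disabled; set PermitRootLogin no")
        p += want("challengeresponseauthentication", "no", "yes",
                  "keyboard-interactive can still take a password via PAM")
        p += want("permitemptypasswords", "no", "no",
                  "empty passwords allowed")
        exit p
    }
    # want(key, required, default, message): 1 if the effective value is wrong
    function want(key, good, dflt, msg,   val) {
        val = (key in v) ? v[key] : dflt
        if (val == good) return 0
        printf "%s: %s (effective value: %s)\n", key, msg, val
        return 1
    }' "$1"
}

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed: a stock-style config with a hardening line appended at the end,
# the classic mistake, since sshd keeps the first PasswordAuthentication value.
cat > "$WEAK_CONF" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF

# Constructed: the same file after the advice in the thread, everything stated
# explicitly so the result does not depend on version-specific defaults.
cat > "$HARD_CONF" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
EOF

echo "weak config:"
audit_sshd_config "$WEAK_CONF" || echo "  $? finding(s)"
echo "hardened config:"
audit_sshd_config "$HARD_CONF" && echo "  no findings"
```

To audit what sshd actually loads rather than the file as written, feed it the output of `sshd -T` (keywords lowercased, defaults filled in, and Match blocks resolved for a given user with `-C user=...`): `sshd -T > /tmp/effective.conf && audit_sshd_config /tmp/effective.conf`. And after changing the file, keep your current session open and confirm a fresh key-based login works before closing it, or LISH becomes your only way back in.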
PostPosted: Fri May 22, 2009 7:27 pm 
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
Talman wrote:
Install, but do not run, the sshd server in the image.

That's dozens of extra tickets a day. Guaranteed. It's a good idea to you, but I'd wager 50% of new Linodes in that condition would automatically earn Linode a support ticket.


PostPosted: Fri May 22, 2009 7:36 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Given a well-selected root password, the only harm in the default configuration (PermitRootLogin yes, Port 22, sshd running on boot) is that /var/log/auth.log will grow more quickly than one would otherwise expect. If someone knows what they're doing, they'll know how to balance the risks and do what needs doing. If they don't, they'll install the next RoundCube from a tarball and get just as pwned that way.

I would very much support (and perhaps even enjoy) a "here's what you need to know about security" page somewhere in the new account or deploy process, though.


PostPosted: Fri May 22, 2009 7:40 pm 
Senior Member

Joined: Thu May 21, 2009 3:19 am
Posts: 336
jed wrote:
Talman wrote:
Install, but do not run, the sshd server in the image.

That's dozens of extra tickets a day. Guaranteed. It's a good idea to you, but I'd wager 50% of new Linodes in that condition would automatically earn Linode a support ticket.


Yep, which is probably also the same reason not to change the default port.

Quote:
Better, allow only hosts you designate to access port 22 using iptables. Cleaner, and preferred:


I agree. But the vast majority of people don't have a static IP at home or even most small businesses. Otherwise, that's what I'd be doing.

Maybe a combination of a few things.

By default sshd turned off and you have to log into LISH to turn it on and it's by default running on a different port until you get things configured securely, no password access, etc.

Maybe a button in the Linode Manager to configure an image with sshd turned off by default so you can log into LISH and configure everything then turn it on. That way for those of us who are a bit more paranoid than the average person we can have it turned off so there is no possibility of remote access until we want it turned on. Of course this wouldn't be the case by default, so sshd would be on by default unless you selected the option to have it off or not installed when setting up a new server.

This would satisfy the paranoids and hopefully not create additional support tickets.

Thanks for the suggestion of fail2ban, I'll check it out.


PostPosted: Fri May 22, 2009 7:46 pm 
Senior Member

Joined: Thu May 21, 2009 3:19 am
Posts: 336
Quote:
I would very much support (and perhaps even enjoy) a "here's what you need to know about security" page somewhere in the new account or deploy process, though.


As a newbie to a lot of this, YES!!!

I chose Linode over Slicehost for a variety of reasons; however, their documentation was NOT one of them. The documentation over at Slicehost far outweighs anything going on here.

However, these forums do seem to have a pretty strong following of some very smart people and the Linode support staff have been very quick to respond to support tickets. Though knowing their hours would be nice. It seems nobody is around at 5pm PST, but I've gotten answers first thing the next morning.


PostPosted: Fri May 22, 2009 8:05 pm 
Senior Newbie

Joined: Thu May 21, 2009 9:30 pm
Posts: 14
waldo wrote:
Quote:
I would very much support (and perhaps even enjoy) a "here's what you need to know about security" page somewhere in the new account or deploy process, though.


As a newbie to a lot of this, YES!!!

I chose Linode over Slicehost for a variety of reasons; however, their documentation was NOT one of them. The documentation over at Slicehost far outweighs anything going on here.

However, these forums do seem to have a pretty strong following of some very smart people and the Linode support staff have been very quick to respond to support tickets. Though knowing their hours would be nice. It seems nobody is around at 5pm PST, but I've gotten answers first thing the next morning.


Agreed re: the documentation. So far as Linux setup etc. is concerned, I've used their documentation to help guide me, and so far it's worked just fine. (I'm a noob as well.)


PostPosted: Fri May 22, 2009 8:35 pm 
Senior Member

Joined: Mon Feb 28, 2005 7:21 pm
Posts: 76
You can set your profile to boot in single-user mode, boot it, log in with lish, and configure sshd on your node before it ever runs.


PostPosted: Fri May 22, 2009 8:53 pm 
Senior Member

Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
waldo wrote:

Quote:
Better, allow only hosts you designate to access port 22 using iptables. Cleaner, and preferred:


I agree. But the vast majority of people don't have a static IP at home or even most small businesses. Otherwise, that's what I'd be doing.


Even with a dynamic IP you can still restrict access to SSH with iptables. Your IP isn't completely random. So you could do something like:

Code:
-A INPUT -p tcp -s 172.21.3.0/24 --dport 22 -j ACCEPT

Or:
Code:
-A INPUT -p tcp -s 172.21.0.0/16 --dport 22 -j ACCEPT


...depending on how your ISP allocates IPs. Not perfect, but even the second example eliminates the vast majority of the Internet.


Last edited by sleddog on Fri May 22, 2009 8:58 pm, edited 1 time in total.

PostPosted: Fri May 22, 2009 8:54 pm 
Senior Member

Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
Double post, sorry.


PostPosted: Thu May 28, 2009 8:40 am 
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
Quote:
I agree. But the vast majority of people don't have a static IP at home or even most small businesses. Otherwise, that's what I'd be doing.


DynDNS or any of the similar tools will help in this...I've been using that for years. Most modern SOHO gateway routers also have support for such tools. Just an FYI.


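An added example, not from any of the posts, that combines three suggestions in this thread: jed's dedicated SSH chain, sleddog's ISP-range allowlist for a dynamic address, and the DynDNS hostname suggested just above. It generates the iptables commands for an allowlist built from any mix of CIDRs, plain addresses and hostnames, and is meant to be run from cron so the rule follows your home IP. The function names, the SSH_NEW scratch chain, and all addresses and hostnames are this example's assumptions; name resolution uses getent(1), assumed present on a glibc-based Linux host. The two operational details it handles are the ones that bite with cron-driven firewall updates: the new chain is swapped in without a window where port 22 is open to everyone or closed to you, and if a hostname fails to resolve the script emits nothing, so a DNS hiccup keeps the old working chain rather than locking you out.

```shell
#!/bin/sh
# Added example (not from the original posts): emit the iptables commands for
# an SSH allowlist chain built from CIDRs, plain addresses and DNS hostnames
# (e.g. a DynDNS name for a home connection). Function names, the SSH_NEW
# chain and all addresses/hostnames below are constructed for the example.

# resolve_a NAME: print NAME's IPv4 addresses, one per line (empty if none).
# Assumes getent(1), as on glibc-based Linux.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# is_ipv4_cidr ARG: succeed for a.b.c.d or a.b.c.d/NN with octets <= 255, NN <= 32.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# ssh_chain_rules PORT SOURCE...: print iptables commands that build the
# allowlist in a scratch chain and then swap it in for the live SSH chain, so
# there is no moment when PORT is open to everyone or closed to you. If any
# hostname fails to resolve, print nothing and return 1: a DNS failure from
# cron must leave the old (working) chain in place rather than lock you out.
ssh_chain_rules() {
    port=$1; shift
    rules=""
    nl='
'
    for src in "$@"; do
        if is_ipv4_cidr "$src"; then
            rules="${rules}iptables -A SSH_NEW -s $src -j ACCEPT${nl}"
        else
            addrs=$(resolve_a "$src") || addrs=""
            if [ -z "$addrs" ]; then
                echo "ssh_chain_rules: $src did not resolve, leaving existing chain in place" >&2
                return 1
            fi
            for a in $addrs; do
                rules="${rules}iptables -A SSH_NEW -s $a -j ACCEPT   # $src${nl}"
            done
        fi
    done
    printf 'iptables -N SSH_NEW\n'
    printf '%s' "$rules"
    printf 'iptables -A SSH_NEW -j DROP\n'
    # point INPUT at the new chain first, then retire the old one and take its name
    printf 'iptables -I INPUT 1 -p tcp --dport %s -j SSH_NEW\n' "$port"
    printf 'iptables -D INPUT -p tcp --dport %s -j SSH 2>/dev/null || true\n' "$port"
    printf 'iptables -F SSH 2>/dev/null || true\n'
    printf 'iptables -X SSH 2>/dev/null || true\n'
    printf 'iptables -E SSH_NEW SSH\n'
}

# Usage (as root, after reading the output once):
#   ssh_chain_rules 22 198.51.100.4 203.0.113.0/24 home.dyndns.example | sh
# Offline demonstration with static sources only:
ssh_chain_rules 22 198.51.100.4 203.0.113.0/24
```

Run it from cron every few minutes and the DynDNS address is re-resolved each time; the rename at the end (`iptables -E`) updates the INPUT jump that references the chain, so the next run finds a chain called SSH again and repeats the swap. Keep in mind that the DynDNS name is only as trustworthy as the account and the client updating it, and that this only narrows who can reach the port: key-only authentication is still what stops the brute-forcers that do get through.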