I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot log in with root myself via ssh, but I would’ve thought that it would be reflected in /var/log/auth.log. Instead, it shows up as a failed password entry. Is this intended?

What I’ve done is to uncomment the PermitRootLogin no line in /etc/ssh/sshd_config. Rest of the config file is left at default.

Bonus question: All login attempts by ssh seem to go over some random port (even my own successful logins). Why is this?

  • PseudoSpock@lemmy.dbzer0.com · 1 year ago

    Let us see, shall we?

    ssh root@cyberwolfie.com
    
    ❯ cowsay Uh-oh
     _______ 
    < Uh-oh >
     ------- 
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||
    

    ;)

  • StarkZarn@infosec.pub · 1 year ago

    That all sounds correct to me. The random port you’re seeing in the logs is a high port, often referred to as an ephemeral port, and it is common for source ports. All good there.

    • cyberwolfie@lemmy.ml (OP) · 1 year ago

      Ok, thanks - so if I understand correctly then, it is listening on port 22 as a default, and not accepting traffic on any port.

      That brings up the question: wouldn’t I be better off changing the SSH port? And is it as easy as uncommenting the #Port 22 line in the config file, changing the port number to something random, and saving that somewhere? Would I then be able to connect by running ssh myuser@mydomain.com:, or would I need to do anything else to successfully connect?

      • siph@feddit.de · 1 year ago

        You would need to specify the new port when using ssh (using the -p$PORT option). Just keep in mind that security through obscurity is not considered secure in itself. You could instead consider a service like fail2ban that automatically blocks connections from certain sources depending on your set parameters.
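The two observations in this thread (root attempts logged as "Failed password", and a different port on every line) are both visible in the log format itself. The following is an added example, not code from any poster: it tallies sshd "Failed password" lines per source address and counts distinct source ports, over a constructed auth.log excerpt. The host name, PIDs, addresses and ports in the sample are made up; with PermitRootLogin no, sshd still reports a refused root password attempt in the same "Failed password for root from IP port PORT" form, and PORT is the client's ephemeral source port, not the port sshd listens on.

```shell
#!/bin/sh
# Added example (not from the thread): parse sshd "Failed password" entries
# from a constructed /var/log/auth.log excerpt and summarise them.
# The "port NNNNN" field is the client's ephemeral source port, so it changes
# on every connection; the server side is still listening on its configured port.

# Constructed sample lines, not a real log.
SAMPLE_LOG='Jan 10 03:14:07 host sshd[1201]: Failed password for root from 198.51.100.7 port 51644 ssh2
Jan 10 03:14:09 host sshd[1201]: Failed password for root from 198.51.100.7 port 51652 ssh2
Jan 10 03:14:12 host sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Jan 10 03:15:01 host sshd[1207]: Accepted publickey for myuser from 192.0.2.5 port 60810 ssh2: ED25519 SHA256:abc
Jan 10 03:15:30 host sshd[1209]: Failed password for root from 203.0.113.9 port 40140 ssh2'

# Count failed password attempts for one user name (default: root) per source IP.
# Prints "<count> <ip>" lines, most active source first.
failed_attempts_by_ip() {
    user="${1:-root}"
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v u="$user" '
            /sshd\[[0-9]+\]: Failed password for / {
                # Line shape: "Failed password for [invalid user] NAME from IP port PORT ssh2"
                n = split($0, f, " ")
                for (i = 1; i <= n; i++) if (f[i] == "from") { ip = f[i+1]; name = f[i-1] }
                if (name == u) count[ip]++
            }
            END { for (ip in count) print count[ip], ip }' |
        sort -rn
}

# Number of distinct client source ports seen in failed root attempts from one IP.
# A value above 1 from a single address shows the port is per-connection, not fixed.
distinct_ports_from() {
    ip="$1"
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v ip="$ip" '
            /Failed password for root from / {
                for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) print $(i+3)
            }' |
        sort -u | wc -l | tr -d ' '
}

failed_attempts_by_ip root
distinct_ports_from 198.51.100.7
```

To confirm the server setting rather than infer it from the log, `sudo sshd -T | grep -i '^permitrootlogin'` prints the value sshd actually has in effect, which also answers whether the daemon has picked up the edited config yet. Changing `Port` only moves the listening side; client source ports stay ephemeral, and the client then needs `ssh -p PORT user@host`.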

  • auth@lemmy.ml · 1 year ago

    Did you restart the server after you made the config change?