I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot login with root myself via ssh, but I would’ve thought that it would be reflected in /var/log/auth.log. Instead, it shows up as failed password entry. Is this intended?
What I’ve done is to uncomment the PermitRootLogin no line in /etc/ssh/sshd_config. Rest of the config file is left at default.
Bonus question: All login attempts by ssh seems to go over some random port (even my own successful logins). Why is this?
That all sounds correct to me. The random port you’re seeing in the logs is a high port, often referred to as an ephemeral port, and it is common for source ports. All good there.
Ok, thanks - so if I understand correctly then, it is listening on port 22 as a default, and not accepting traffic on any port.
That brings of the question: wouldn’t I be better off changing the SSH-port? And is that so easy as to uncomment the
#Port 22line in the config file and changing the port number to something random, and saving that somewhere? Would I then be able to connect by runningssh myuser@mydomain.com:, or would I need to do anything else to successfully connect?You would need to specify the new port when using ssh (using the -p$PORT option). Just keep in mind that security through obscurity is not considered secure in itself. You could instead consider a service like fail2ban that automatically blocks connections from certain sources depending on your set parameters.