Enable SSH service and SSH port?

At the last step during installation, you have chance to disable SSH service and SSH port, which option is better for security?

No security expert, but even I know that the smaller the surface of attack, the better.

So if you don’t need to remotely log into your machine, leave it off.

You can still enable it later on, if needed.

If your systrem is behind a Router, both have the same security…
If no ssh server is running, both are the same…
If a ssh Server is running, you have to open a Port, but the above will open Port 22 as standard.
So it’s on you how secure it is by configuring your sshd.

I do not open this Port because I use a differnet Port set by the sshd_config.
This is also no more secure as the above, but I will sleep better.
Also if you are running more ssh Servers in your Home Network, it is easier to get the right one.

Security is a matter of layers tho, so the less surface you expose, the better.

If you router firewall fails for whatever reason, or you connect your machine to the Internet through an insecure gateway, you have a higher chance of being owned with sshd running than without.

Of course if you DO need to remotely log into your machine you got no choice.
But my point was, if you even have to ask whether to enable ssh at install time, I’m quite positive you DON’T, so you will gain that extra peace of mind by keeping it disabled.

But yeah if you do you can apply some hardened configuration, like not using the default port and allowing keypair auth only, among others.

Well, there are things you can do even when connected directly to the Internet (or on an insecure network, like a laptop on a public wifi network) - for example, you could use something like knockd to require pinging a set of ports in a specific order in order to open the port. Or you can open the port, but use a more advanced firewall configuration to allow incoming connections from only certain addresses.

Something that you would probably also do is disable password authentication (which is a good idea in any event) and just use public key authentication. Disabling root (I think done by default) login via SSH is also a good security practice.

1 Like

@yuwf:

Please, inspect the openSUSE “Security and Hardening Guide” – <https://doc.opensuse.org/documentation/leap/security/html/book-security/index.html>

Please, take particular note of the “Securing network operations with OpenSSH” chapter in the “Network Security” section – <https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-ssh.html>


The “sshd_config” man (5) page is also quite explicit –

     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument must be yes, prohibit-password,
             forced-commands-only, or no.  The default is yes.

             If this option is set to prohibit-password (or its deprecated alias, without-password), password and
             keyboard-interactive authentication are disabled for root.

             If this option is set to forced-commands-only, root login with public key authentication will be al-
             lowed, but only if the command option has been specified (which may be useful for taking remote backups
             even if root login is normally not allowed).  All other authentication methods are disabled for root.

             If this option is set to no, root is not allowed to log in.

BTW: I’ve checked the behaviour of restarting the systemd sshd service –

  • It recreates the DSA keys if you’ve deleted them as recommended in the Server hardening guide mentioned above …
  • But, the DSA keys are ignored by the SSH daemon default configuration anyway …

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.