To try everything Brilliant has to offer—free—for a full 30 days, visit https://brilliant.org/DreamsofCode . You’ll also get 20% off an annual premium subscription.

This video was sponsored by Brilliant. 

If you're running a server with SSH on it, then hardening ssh is an important step to improving your system security. One approach to hardening SSH that many users perform is to change ssh off of the standard port of 22 onto something else.

In my case however, I tend not to do this, as I feel it's security through obscurity and ineffective. Not only does it not work, but, it can also cause other issues...

Become a better developer in 4 minutes: https://bit.ly/45C7a29 👈

Join this channel to get access to perks:
https://www.youtube.com/channel/UCWQaM7SpSECp9FELz-cHzuQ/join

Join Discord: https://discord.com/invite/eMjRTvscyt
Join Twitter: https://twitter.com/dreamsofcode_io

Video Links:
- Okta STO: https://www.okta.com/identity-101/security-through-obscurity/
- Privileged ports: https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html 
- Elastic Rule: https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
- Fail2ban: https://github.com/fail2ban/fail2ban
- DIgital Ocean Harden SSH: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04
- Shodan: https://www.shodan.io/
- GreyNoise SSH Bruteforcer: https://viz.greynoise.io/tags/ssh-bruteforcer-attempt?days=30

00:00:00 - Intro
00:00:54 - Sponsor
00:02:17 - Security through obscurity
00:03:42 - It's only a matter of time
00:05:30 - Not all ports are the same
00:07:56 - Complexity is the enemy of security
00:08:25 - Obscurity as an indentifier
00:09:05 - Port Privilege 
00:09:43 - More security issues
00:10:58 - Why I don't change the ssh port
00:11:27 - Other approaches to reduce log spam

Dreams of Code's resource offers insights, tutorials, and resources for software developers and technology enthusiasts. Readers can learn about coding best practices, software architecture patterns, and emerging technologies. With articles, tutorials, and code samples, Dreams of Code provides  guidance and expertise for building software applications and advancing technical skills.

Dreams of Code

Changing the SSH port from the default of 22 is often debated as a method to improve security. However, this practice is considered security through obscurity, which doesn't effectively enhance security. Automated tools can easily identify the new port, making the remapping ineffective. Instead, better security measures include disabling root access, forcing key-based authentication, and using tools like Fail2ban to monitor and block suspicious activities.

Why I don't change SSH from port 22

I disagree that changing the SSH port is ‘security through obscurity.’ It’s simply using a non-default port.
While I agree with the other security measures mentioned, I still encourage changing the port. It’s a zero-cost step that can prevent a ton of automated attacks on the default port.
Plus, I don’t have to see a gazillion failed attempts at each login! :)
Thanks for the content!

Or just close these ports for public access. I see no reason to make any ports like 22, 21, SQL-ports eg. open to the public. Just use UFW. Deny all traffic execpt 80/443 and open these ports only for your IP. If you have a dynamic IP, you could install VPN to access it.
Or open the IP to a static IP you usually use, like your office. Often you have some sort of VPN you can use to your office so its possible to use VPN to your office and then access the SSH-server.
Or better. Buy hosting that also provides a firewall in front of the VPS where you can open the ports trough a web-interface.
After enabling the firewall you should disable root-access and only allow SSH-authentication.
This way you can keep the well known 22 port so you don’t have to use time to configure a different port. And if you have several VPS then you know which ports that are supposed to be used without checking any eg. documentation

Change port + fail2ban after first knock-knock to 22 -&gt; win-win.

agreed, a simple scan will show that the other port is ssh. but on the other side, it will prevent a few brute force bots