I now have changed the ssh config file (change port 22 to 777) and told firewall-cmd the following firewall-cmd --add-port=777/tcp --permanent
Then restarted the service (required to take the changes into effect).
It works, but still the firewall ssh service lists 22 as an open port and the firewall-cmd --list-ports show 777 as an open port.
Now it would be more elegant if I could change the ssh service port and not add addiotnal ports.
How to do this please AND are there consequences ?
Changing the port number is just obscuring the SSH service, and is not enough in that case.
Yes, NS8 does not manage the SSH service. Such service is usually already configured in the system, and it is not a requirement for NS8 to run.
It acts like Fail2Ban: it reads the system logs and bans nasty IP addresses.
For EL systems this is a brief procedure (tested on Rocky Linux 9) that opens port 2222 and restricts port 22 to trusted interfaces.
# Make sshd listen on :22 and :2222
printf "Port 22\nPort 2222\n" > /etc/ssh/sshd_config.d/10-ports.conf
# Authorize sshd to listen port 2222
semanage port -a -t ssh_port_t -p tcp 2222
# Change Firewalld SSH service configuration to use port 2222
firewall-cmd --permanent --service=ssh --add-port=2222/tcp
firewall-cmd --permanent --service=ssh --remove-port=22/tcp
# Restart service and apply new firewall configuration
systemctl restart sshd
Some commands to check the above configuration status
# Print Firewalld configuration for SSH service
# Print locally customized SELinux ports
semanage port -l -C
Full node firewall status is available also from the Nodes page
And I don’t think Crowdsec should be the only answer for “increase host security” (which might be uncorrect as term for indicating the master node); not everyone will consider to install public-facing application servers.
It’s fine not considering this a viable feature, however… consider the effort to realize a “NS8 friendly” procedure for all suggested/supported underlying distros.
Obscuring or not, i just can confirm from many years of running sshd on ns7 on a non standard port, it is minimizing login attempts by a factor 10 when using a non standard port under 1024 and by a factor 25 when using a non standard port above 1024.
I would say it is a no-brainer to change the sshd port to a (large) non standard port.
Fail2ban will take care of all those other attempts