On Wed, May 18, 2016 at 03:25:11AM +0100, Always Learning wrote:
> On Tue, 2016-05-17 at 20:12 -0400, Jonathan Billings wrote:
> > If you’re going to change the port, change it to something <1024. You don’t want to have sshd running on a port that a non-root user can bind to.
>
> But if, as I suggested, the enquirer restricts access to that port to his own IP, access attempts from other IPs will fail. Ports > 1024 can be accessed by authorised non-root users using the authorised originating IP whilst preventing access from all other IPs.
That's not the point. If you bind to a port > 1024 and your non-root account (or some other non-root account) is compromised, it can start up a trojaned sshd on that port.
As others have said, you might as well keep it on port 22 and just block connections from any network but the ones you trust. Make sure you keep your packages up to date and run with SELinux enabled.
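As an added illustration of the concern raised above (not code from anyone in this thread), the following audit parses listening sockets in the style of `ss -ltnpe` output and flags any sshd that is running as a non-root uid or listening on an unprivileged port (> 1023, the Linux default threshold; the sample output is constructed, not captured from a real host):

```python
import re
from dataclasses import dataclass

# Linux default: only root (or CAP_NET_BIND_SERVICE) may bind ports 0-1023.
PRIVILEGED_PORT_MAX = 1023

# Constructed sample in the style of `ss -ltnpe` (not from a real host).
# ss prints a "uid:" field only for sockets owned by a non-root user.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=812,fd=3)) ino:16489 sk:1 <->
LISTEN 0      128    [::]:22             [::]:*       users:(("sshd",pid=812,fd=4)) ino:16490 sk:2 <->
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*    users:(("sshd",pid=4242,fd=3)) uid:1000 ino:55555 sk:3 <->
LISTEN 0      511    127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=650,fd=7)) ino:17000 sk:4 <->
"""

@dataclass
class Listener:
    port: int
    process: str
    pid: int
    uid: int

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$')
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')
UID_RE = re.compile(r'\buid:(\d+)')

def parse_ss(output):
    """Turn ss LISTEN lines into Listener records (port, process, pid, uid)."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or non-LISTEN line
        port, rest = int(m.group(2)), m.group(3)
        pm = PROC_RE.search(rest)
        if not pm:
            continue                      # no owning process shown
        um = UID_RE.search(rest)
        uid = int(um.group(1)) if um else 0   # absent uid: field means root
        listeners.append(Listener(port, pm.group(1), int(pm.group(2)), uid))
    return listeners

def suspicious_sshd(listeners):
    """sshd instances that are not root-owned or not on a privileged port."""
    return [l for l in listeners
            if l.process == "sshd" and (l.uid != 0 or l.port > PRIVILEGED_PORT_MAX)]

if __name__ == "__main__":
    for l in suspicious_sshd(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"WARNING: sshd pid={l.pid} uid={l.uid} listening on port {l.port}")
```

On a live host, feed it the real output of `ss -ltnpe` run as root so the process column is populated; the threshold is the kernel default and can differ if `net.ipv4.ip_unprivileged_port_start` has been changed.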