How to hide SSH access on public web server? [closed]
I'm renting a VPS and right now it is being used as my web server and MySQL database. When renting a VPS, they give you SSH access to it. Is there a way for me to hide (make it seem like it doesn't exist) SSH and MySQL outside connections except for my own?
I don't want public users to see that SSH is enabled even though they probably won't guess the password.
Solution 1:[1]
mysql: you could maybe forbid connections except from localhost, and use ssh port forwarding to remotely access your database
ssh: use a non-standard port and switch to public key authentication. You will have to leave a port open anyway.
Fail2ban may be worth trying. It will block connections to your machine from a given address after repeated failures.
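The three settings this answer recommends (MySQL bound to localhost, sshd on a non-default port with key-only authentication, the database reached through an SSH tunnel) are easy to verify mechanically. The following is an added example, not code from the answer: a small audit that parses sshd_config / my.cnf text and reports which of those settings are missing, plus a helper that prints the matching `ssh -L` tunnel command. The config snippets, the user name `deploy` and the host `vps.example.com` are constructed samples.

```python
"""Audit sshd_config / my.cnf text for the hardening this answer suggests.

Added example, not from the original answer. The config snippets are
constructed samples; user/host names in the tunnel command are hypothetical.
"""

DEFAULT_SSH_PORT = 22


def parse_kv_config(text):
    """Return {key_lower: first_value} for 'Key value' or 'key = value' lines.

    sshd honours the first occurrence of a keyword, so the first value wins.
    Comments and blank lines are ignored; a my.cnf [section] header is skipped
    so one parser serves both file formats.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        found.setdefault(key.strip().lower(), value.strip())
    return found


def audit_sshd(text):
    """Findings for an sshd_config; an empty list means the sample passes."""
    cfg = parse_kv_config(text)
    findings = []
    if int(cfg.get("port", DEFAULT_SSH_PORT)) == DEFAULT_SSH_PORT:
        findings.append("sshd listens on the default port 22")
    # OpenSSH defaults PasswordAuthentication to yes; it must be turned off explicitly.
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not disabled")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings


def audit_mysql(text):
    """Findings for a my.cnf; MySQL listens on all interfaces unless told otherwise."""
    bind = parse_kv_config(text).get("bind-address", "*")
    if bind in ("127.0.0.1", "localhost", "::1"):
        return []
    return [f"MySQL bind-address is {bind}, not loopback only"]


def tunnel_command(user, host, ssh_port, local_port=3306):
    """The ssh -L invocation that reaches a loopback-only MySQL through sshd."""
    return f"ssh -p {ssh_port} -N -L {local_port}:127.0.0.1:3306 {user}@{host}"


# constructed samples
SAMPLE_SSHD_WEAK = "# stock-ish sshd_config\nPort 22\nPasswordAuthentication yes\n"
SAMPLE_SSHD_HARDENED = "Port 2222\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
SAMPLE_MYCNF_WEAK = "[mysqld]\nbind-address = 0.0.0.0\n"
SAMPLE_MYCNF_LOCAL = "[mysqld]\nbind-address = 127.0.0.1\n"

if __name__ == "__main__":
    for name, text in (("weak sshd", SAMPLE_SSHD_WEAK), ("hardened sshd", SAMPLE_SSHD_HARDENED)):
        print(name, audit_sshd(text) or "ok")
    for name, text in (("weak my.cnf", SAMPLE_MYCNF_WEAK), ("local my.cnf", SAMPLE_MYCNF_LOCAL)):
        print(name, audit_mysql(text) or "ok")
    print(tunnel_command("deploy", "vps.example.com", 2222))
```

With the tunnel up, a local client connects to `127.0.0.1:3306` and the traffic rides the SSH session, so port 3306 never needs to be reachable from outside.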
Solution 2:[2]
You can use Port knocking to hide SSH. I would close down the mysql port and use an SSH tunnel for this.
Solution 3:[3]
Install a port-knock daemon. It looks for special "knock" sequences of port hits and then opens the firewall like you want it.
```
knock myserver.example.com 123:tcp 456:udp 789:tcp
```
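To show what the daemon on the receiving end actually does with that sequence, here is an added example (not from the answer and not knockd's code) that simulates the matching logic: each source address advances through the expected steps, an out-of-order hit resets it, and an attempt that takes too long starts over. The packet log, the five-second window and the reset-on-mismatch rule are assumptions made for the simulation; the sequence itself is the one from the `knock` command.

```python
"""Simulate how a port-knock daemon recognises 123:tcp 456:udp 789:tcp.

Added example, not part of the original answer or of any knock daemon.
The packet log is a constructed sample; the timeout is an assumed value.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (("tcp", 123), ("udp", 456), ("tcp", 789))
SEQ_TIMEOUT = 5.0  # seconds allowed to finish the whole sequence (assumed)


@dataclass
class KnockState:
    index: int = 0       # next expected step in the sequence
    started: float = 0.0  # timestamp of the first correct hit


class KnockDetector:
    """Per-source progress tracker.

    A plain port scan walks ports in order with one protocol, so it never
    produces the exact tcp/udp/tcp pattern and keeps getting reset.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        self.progress = {}   # src -> KnockState
        self.opened = []     # (timestamp, src) that completed the sequence

    def observe(self, ts, src, proto, port):
        """Feed one packet; returns True when src just completed the sequence."""
        state = self.progress.get(src)
        if state is not None and ts - state.started > self.timeout:
            state = None  # stale attempt: treat this hit as a fresh start
        expected = self.sequence[state.index if state else 0]
        if (proto, port) != expected:
            self.progress.pop(src, None)  # wrong step resets the source
            return False
        if state is None:
            state = KnockState(index=0, started=ts)
            self.progress[src] = state
        state.index += 1
        if state.index == len(self.sequence):
            self.opened.append((ts, src))
            del self.progress[src]
            return True
        return False


# constructed packet log: (timestamp, source, proto, destination port)
SAMPLE_LOG = [
    (0.0, "203.0.113.5", "tcp", 123),
    (0.4, "203.0.113.5", "udp", 456),
    (0.9, "203.0.113.5", "tcp", 789),   # legitimate knock completes here
    (1.0, "198.51.100.7", "tcp", 123),
    (1.1, "198.51.100.7", "tcp", 456),  # scanner uses tcp, expected udp: reset
    (1.2, "198.51.100.7", "tcp", 789),
    (2.0, "192.0.2.9", "tcp", 123),
    (9.0, "192.0.2.9", "udp", 456),     # seven seconds later: timed out
    (9.1, "192.0.2.9", "tcp", 789),
]


def run_detector(log):
    """Return the sources that completed the sequence, in order."""
    det = KnockDetector()
    for ts, src, proto, port in log:
        det.observe(ts, src, proto, port)
    return [src for _, src in det.opened]


if __name__ == "__main__":
    print("sources that would get the firewall opened:", run_detector(SAMPLE_LOG))
```

The knock sequence travels in the clear, so this hides the listener from casual scans but is not an authentication factor; key-based login on sshd is still what keeps the session safe.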
Solution 4:[4]
If you're accessing the server from only one address (or very few addresses), you can add a firewall rule to block any access from anything other than those addresses. However, if you're going to be accessing the site from (say) your cellphone, you can't do this, as your cell is highly likely to be behind a NAT firewall and you can't predict what the external IP would be.
You can also move SSH onto something other than the default port 22 to block the "stupid" ssh attack scanners, though that won't stop dedicated port scanners.
Solution 5:[5]
Some thoughts...
- You could run sshd on a non-standard port. Port-scanners will be able to notice it, but the scripts that just bang on port 22 won't see it.
- You could configure it to only allow connections from specified hosts (better to do this at the firewall level, come to think of it). This would limit your ability to log onto it from anywhere but would allow sshd to immediately reject connections from any place other than the specified hosts.
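Solutions 4 and 5 both land on the same control: keep the web ports open to everyone, but let only a short list of source addresses reach the SSH port, and do it in the firewall so unwanted sources get no reply at all. The following added example (not code from either answer) renders that policy as an nftables ruleset and checks whether a given source address would be allowed. The addresses, the port 2222 and the ruleset layout are constructed samples; only IPv4 entries are rendered into the rule, and the generated text should be reviewed before being loaded with `nft -f`.

```python
"""Source-address allow-list for the SSH port, rendered as an nftables ruleset.

Added example, not from the original answers. Addresses and the SSH port
are constructed samples; the ruleset layout is an assumption to review.
"""
import ipaddress

SSH_PORT = 2222                                   # non-default, as the answers suggest
ALLOWED = ["203.0.113.5", "198.51.100.0/24"]      # constructed admin addresses


def allowed_networks(entries):
    """Normalise strings to network objects; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ssh_allowed(src, entries=ALLOWED):
    """True if src may reach the SSH port under the allow-list."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_networks(entries))


def nft_ruleset(entries=ALLOWED, ssh_port=SSH_PORT, web_ports=(80, 443)):
    """Render the policy: web open to all, SSH only from the list, rest dropped.

    'policy drop' means an unlisted source gets no response on the SSH port,
    so to a scan the port looks filtered rather than open.
    """
    v4 = [str(n) for n in allowed_networks(entries) if n.version == 4]
    saddr = ", ".join(v4)
    web = ", ".join(str(p) for p in web_ports)
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    tcp dport {{ {web} }} accept",
        f"    tcp dport {ssh_port} ip saddr {{ {saddr} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nft_ruleset())
    for probe in ("203.0.113.5", "198.51.100.77", "192.0.2.1"):
        print(probe, "-> ssh allowed" if ssh_allowed(probe) else "-> dropped")
```

As Solution 4 notes, this only works when your own addresses are predictable; a phone behind carrier NAT will not appear in the list, which is where the SSH tunnel or VPN approaches from the other answers come in.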
Solution 6:[6]
I think the best two options are:
- Hide the servers behind a firewall and use a VPN to communicate.
- Change the port numbers to something random so they won't be detected by a default port scan.
Solution 7:[7]
Today we rely more on browser based sessions as they tend to be more secure thanks to modern browsers' sandboxing and generally higher security level, freely available auto-renewable SSL certificates, and well understood MFA systems.
Web based SSH terminals are common, and they can be protected by federated authentication (OAUTH/SAML/OIDC) identity providers (also available for free! Auth0, DUO, but also Google, Github, etc) and easily complemented with multi factor authentication.
A good implementation of this concept comes for free if you have a Linode VPS: it's called the LISH (Linode Shell). Provided both as text based (Weblish) and canvas based (Glish).
If you are not on Linode, you can host your own Apache Guacamole which is equally great. And of course, it comes with SAML, OIDC, TOTP MFA, etc.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | desertnaut |
| Solution 2 | Stephan B |
| Solution 3 | initall |
| Solution 4 | Marc B |
| Solution 5 | QuantumMechanic |
| Solution 6 | desertnaut |
| Solution 7 | desertnaut |