This question has been keeping me up at night. Instead of just taking advice about using VPN protocols or Cloudflare solutions, I decided to dive into the research myself. So, what did I do? I took a risk and set up a simple SSH honeypot (with some precautions). But seriously, don’t try this at home—I did it so you don’t have to, unless you really know what you’re doing ;). It’s been running for around six days now, and here are the results:

Connection attempts: 2,625

Country list, top 10:

Country           Number of Attempts   Percent
China                    774             29%
India                    286             11%
United Kingdom           282             11%
United States            259             10%
Russia                   105              4%
France                   100              4%
Hong Kong                 96              4%
Singapore                 67              3%
Of course, there are more countries, but that list would be quite long.
My conclusion: If you’re new to self-hosting, please use a VPN until you fully understand your attack surface. As for how SSH works, I use it at a professional level, and when you expose SSH to the internet, there will be bots attempting to access it, regardless of the port it’s on. If you must open SSH, remember to disallow root access and use only SSH keys. And remember: read the fucking manual!
TL;DR: I set up an SSH honeypot to research connection attempts, which received 2,625 attempts in six days. The top countries targeting it were China (29%), India (11%), and the UK (11%). If you’re new to self-hosting, use a VPN until you understand your attack surface. Exposing SSH attracts bots, so disallow root access and use SSH keys. And don’t forget to read the fucking manual!
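An added check for the two hardening points the post ends on (disallow root access, keys only); this is example code written for this thread, not the poster's. It audits an sshd_config text the way sshd reads it (first occurrence wins, everything from the first Match line on is conditional), using the defaults from sshd_config(5) for absent directives. The weak and hardened configs inside it are constructed samples.

```python
"""Audit an sshd_config against the thread's advice: no root login, keys only.

Example code added to this thread (not the original poster's). The two configs
below are constructed samples; directive defaults follow sshd_config(5)."""

import re

# Directive -> value the advice calls for.
WANTED = {
    "permitrootlogin": "no",                 # "disallow root access"
    "passwordauthentication": "no",          # "use only SSH keys"
    "kbdinteractiveauthentication": "no",    # closes the PAM password prompt too
    "pubkeyauthentication": "yes",
}

# Effective value when the directive is absent (current OpenSSH defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}

DIRECTIVE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Return {directive: value} for the global section, lower-cased.

    The first occurrence of a directive wins, as in sshd itself. Everything
    from the first Match line onward is conditional and is skipped here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, value = DIRECTIVE.match(line).groups()
        if key.lower() == "match":
            break
        settings.setdefault(key.lower(), value.strip().lower())
    return settings


def audit(text):
    """Return [(directive, effective_value, wanted_value)] for each miss."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


# Constructed: the kind of config the post warns about.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the post's advice applied. The Match block is ignored by the
# audit on purpose, because it only affects one account.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; note that `sshd -T` prints the fully resolved configuration and is the authoritative check when Include files or Match blocks are in play.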
It involves hitting the correct ports, using the right protocol, in the right order and following precise timing. Once done correctly, port 22 opens for the originating IP for five minutes. If no successful login occurs within that window, the port locks again. A timeout is then enforced, meaning new handshake attempts are ignored. If someone tries during the timeout, it extends exponentially. Once the timeout ends, the correct handshake must be performed again to reopen the port.
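The gate the comment describes, as an added example that is not the commenter's code: a Python state machine implementing exactly the stated rules (ordered knocks on given ports and protocols within a timing limit, port 22 open to the source for five minutes, a lockout after an unused window during which knocks are ignored and every attempt doubles the remaining lockout). The knock sequence, the two-second gap limit and the 60-second base lockout are assumed values; the comment gives none.

```python
"""State machine for the port-knocking scheme described in the comment above.

Added example, not the commenter's code. The rules implemented are the ones
stated: a fixed sequence of (port, protocol) knocks within a timing limit opens
port 22 for the source IP for five minutes; an unused window starts a lockout
during which knocks are ignored and each attempt doubles the lockout."""

import time
from dataclasses import dataclass


@dataclass
class PeerState:
    progress: int = 0          # knocks of the sequence matched so far
    last_knock: float = 0.0    # time of the last matching knock
    open_until: float = 0.0    # port 22 open for this peer until then (0 = closed)
    locked_until: float = 0.0  # knocks ignored until then (0 = not locked)
    strikes: int = 0           # attempts made during the current lockout
    logged_in: bool = False    # a successful login happened in this window


class KnockGate:
    SSH_PORT = 22

    def __init__(self, sequence, max_gap=2.0, open_for=300.0, base_timeout=60.0):
        self.sequence = list(sequence)    # e.g. [(7000, "tcp"), (8000, "udp"), (9000, "tcp")]
        self.max_gap = max_gap            # max seconds between knocks (assumed value)
        self.open_for = open_for          # "opens ... for five minutes"
        self.base_timeout = base_timeout  # initial lockout length (assumed value)
        self.peers = {}

    def _state(self, ip, now):
        st = self.peers.setdefault(ip, PeerState())
        # An open window that expired without a login locks the port.
        if st.open_until and now >= st.open_until:
            if not st.logged_in:
                st.locked_until = now + self.base_timeout
                st.strikes = 0
            st.open_until = 0.0
            st.logged_in = False
            st.progress = 0
        # A lockout that ran out is cleared; the handshake must start over.
        if st.locked_until and now >= st.locked_until:
            st.locked_until = 0.0
            st.strikes = 0
            st.progress = 0
        return st

    def knock(self, ip, port, proto, now=None):
        """Record one knock; return True if port 22 is open for ip afterwards."""
        now = time.monotonic() if now is None else now
        st = self._state(ip, now)
        if st.locked_until:
            # Knocking during the lockout extends it: 2x, 4x, 8x ... the base.
            st.strikes += 1
            st.locked_until = now + self.base_timeout * (2 ** st.strikes)
            return False
        if st.open_until:
            return True                   # already open; extra knocks change nothing
        expected = self.sequence[st.progress]
        too_slow = st.progress > 0 and (now - st.last_knock) > self.max_gap
        if (port, proto) != expected or too_slow:
            # Wrong port, protocol or timing: restart, counting this knock as a
            # fresh first step if it happens to be the first in the sequence.
            st.progress = 1 if (port, proto) == self.sequence[0] else 0
            st.last_knock = now
            return False
        st.progress += 1
        st.last_knock = now
        if st.progress == len(self.sequence):
            st.open_until = now + self.open_for
            st.progress = 0
            return True
        return False

    def is_open(self, ip, now=None):
        now = time.monotonic() if now is None else now
        return bool(self._state(ip, now).open_until)

    def login_succeeded(self, ip, now=None):
        """Called by the SSH side: a login inside the window prevents the lockout."""
        now = time.monotonic() if now is None else now
        self._state(ip, now).logged_in = True
```

The time argument is explicit so the behaviour can be driven deterministically; a real daemon would feed `knock()` from a packet capture or firewall log and translate `is_open()` into a firewall rule for that source address. The lockout is extended from the time of the offending attempt, which is one reading of "extends exponentially"; the comment does not say whether it extends from the current deadline instead.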
ssh is designed to be run on an open Internet port. It is one of the most secure services you can run. The default configs in OpenSSH and every Linux distro I’ve ever used are safe. Yes you can set it up in a dumb way, and these days it’s probably best to disable password access entirely or at least for root. But don’t be scared of it.
It can even be a useful tool: ssh port forwarding is a good solution to access services you are hosting but don’t trust to publish to open ports. These days I use Tailscale for that instead but ssh works too.
I’ve had SSH exposed to the internet for 25+ years without issue. Those bots look for very simple vulnerabilities or misconfigurations.
But lately I actually stopped deploying SSH altogether because I’ve switched to treating linux more like an appliance. Meaning I use ignition (or cloud-init) to set up everything I need on first boot. If I want to change something I just re-provision the server.
It might seem overkill but in most cases it works very well. They’re just container hosts anyways.
I’ve had port 22 open for about 20 years, following all the best practices. Never had a security incident. I used to install DenyHosts (and later Fail2Ban) for the fun of thwarting script kiddies, but it’s really kind of a pointless effort. It has been interesting to observe their patterns over the years, the common tables they use, and the different countries of origin.
I had my ssh on port 22 open for several years (password disabled, root disabled, fail2ban). Didn’t see anything interesting: common user names like root, admin, wp-admin etc. with the same common passwords. Some bots are more annoying and try multiple login attempts before getting banned.
20 years of having the SSH listening to (public) IPv4, root password auth enabled (quite complex password as backup). Never had any problems.
And to be honest: During the last 20 years I’ve read 1000s of post mortem reports of successful hacks but not a single one in which SSH was used to hijack the machine. Malware distribution systems (f.e. Wordpress addons or however they are called), old outdated software, broken software and so on again and again. At least a dozen of those reports related to a vulnerability in VPN software (yeah, the attacker can’t start to try out millions of passwords by connecting to the ssh but has the same access to the system as the user running the vpn server).
For lack of hard data I abstain from claiming it as factual, but I still really believe that an installed VPN server (in default configuration) offers more attack surface than sshd.
1000s of insects try to enter my house through my closed windows during the year, but I will not brick them up.
I am really interested to see a comparison between running ssh on port 22 vs some random port. I know some people say it doesn’t matter, but I feel that you would have less attacks.
When I first got my Linode, I was uber paranoid about this very thing. I had a locked-down sshd_config, installed fail2ban, etc. That solution worked well enough, but then I realized I could just use Linode’s firewall and block inbound port 22, install Tailscale, and be done. The firewall obviously doesn’t affect the VPN, so now I can access my Linode via SSH from anywhere in the world via Tailscale without worrying about keeping bots out.
I did find it funny, however, looking at /var/log/secure: “failed login attempt by ubuntu, failed login attempt by oper, failed login attempt by admin, failed login attempt by root, failed login attempt by cisco, failed login attempt by user, so on and so on…”
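The log lines this comment and the earlier "common user names like root, admin, wp-admin" comment describe, turned into detection logic as an added example (not either commenter's code): a Python pass over constructed /var/log/secure lines in sshd's own message format that tabulates the usernames tried and applies the window rule fail2ban's sshd jail uses by default (5 failures within 10 minutes) to pick the sources it would ban. The log lines, hostnames and addresses are constructed samples.

```python
"""Tally failed SSH logins from syslog-style sshd output and apply a
fail2ban-like ban rule. Added example for this thread; the log below is
constructed and uses documentation address ranges."""

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, in the format sshd writes to /var/log/secure or auth.log.
SAMPLE_LOG = """\
Jun  3 10:02:11 host sshd[2301]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun  3 10:02:13 host sshd[2301]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun  3 10:02:15 host sshd[2302]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Jun  3 10:02:16 host sshd[2303]: Failed password for invalid user ubuntu from 198.51.100.7 port 40131 ssh2
Jun  3 10:02:18 host sshd[2304]: Failed password for invalid user cisco from 198.51.100.7 port 40140 ssh2
Jun  3 10:05:40 host sshd[2310]: Failed password for invalid user oper from 203.0.113.22 port 51002 ssh2
Jun  3 10:05:41 host sshd[2311]: Failed password for invalid user wp-admin from 203.0.113.22 port 51003 ssh2
Jun  3 10:09:02 host sshd[2320]: Accepted publickey for alice from 192.0.2.50 port 60012 ssh2: ED25519 SHA256:constructed-fingerprint
Jun  3 10:09:30 host sshd[2325]: Invalid user test from 203.0.113.22 port 51010
"""

# Only the "Failed password" event is counted; "invalid user" is optional
# because sshd omits it when the account exists (root, for example).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return [(timestamp, username, source_ip)] for each failed password line.

    Syslog timestamps carry no year, so one is supplied by the caller."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        failures.append((ts, m["user"], m["ip"]))
    return failures


def username_table(failures):
    """Which account names the bots tried, most common first."""
    return Counter(user for _, user, _ in failures)


def ban_candidates(failures, maxretry=5, findtime=timedelta(minutes=10)):
    """Source IPs with >= maxretry failures inside any findtime-long window.

    These are fail2ban's default thresholds for its sshd jail; a sliding
    window over the sorted timestamps of each source implements the rule."""
    stamps_by_ip = defaultdict(list)
    for ts, _, ip in failures:
        stamps_by_ip[ip].append(ts)
    banned = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for user, n in username_table(failures).most_common():
        print(f"{user:10} {n}")
    print("would ban:", ban_candidates(failures))
```

Feeding the real file is a matter of `parse_failures(open("/var/log/secure").read(), year=...)`; on systems that log through journald the same lines come from `journalctl -u ssh` (or `sshd`, depending on the unit name). With key-only authentication none of these attempts can succeed, which is the point the thread keeps returning to: the counting is for curiosity and for noticing a source that suddenly changes behaviour, not because the bans are what keeps the box safe.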
Authenticator-style 2fa is really really easy to set up under linux for ssh. If you are going to ignore the ‘just use a vpn’ advice and expose ssh anyway, then use fail2ban, key-only authentication, and 2fa.
SSH is generally secure, make sure to use key pair auth, and also fail2ban. Also run it on a high number port that is not really used for any service. Less chance of being picked up by bots. This is security through obscurity, but it does actually help as far as random attackers go. They go for the low hanging fruit. It’s the same idea as avoiding putting valuables in your car, it might not stop someone from breaking in anyway, but they are less likely to if they don’t see anything they want.
Of course using a VPN then requiring it to access SSH is better but also much more complex to setup at both ends.