I have a server where I believe I have disabled root login via ssh. I think it is done correctly, as I cannot login with root myself via ssh, but I would’ve thought that it would be reflected in /var/log/auth.log. Instead, it shows up as failed password entry. Is this intended?
What I’ve done is to uncomment the PermitRootLogin no line in /etc/ssh/sshd_config. Rest of the config file is left at default.
Bonus question: All login attempts by ssh seems to go over some random port (even my own successful logins). Why is this?
It’s recommended you keep the default port because as soon as your IP is known it takes less than 5 minutes to scan every port for an ssh port
Fair point! I first thought that would be good, as it would discourage all those random connections. My guess is that they won’t bother spending 5 minutes on each server, and instead just move on to the next when they fail. But then I realized that I don’t really care about those anyway as they’re not getting anywhere with their root:mypassword login attempts.