Comment on How can I keep my forwarded port secure?
mark3748@sh.itjust.works 2 months ago
Why is port 22 open? Is this on your router as well or just the server?
This is SSH, which you should pretty much never have open (to the internet! Local is fine) MC is by default 25565. You will have every bot on the internet probing that port.
i_am_not_a_robot@discuss.tchncs.de 2 months ago
Having SSH open to the internet is normal. Don’t use password authentication with weak passwords.
teawrecks@sopuli.xyz 2 months ago
Normal for who? I wouldn’t expose SSH on 22 to the internet unless you have someone whose full time job is monitoring it for security and keeping it up to date. There are a whole lotta downsides and virtually no upsides given that more secure alternatives have almost zero overhead.
i_am_not_a_robot@discuss.tchncs.de 2 months ago
Shodan reports that 35,780,216 hosts have SSH exposed to the internet.
Moving SSH to ports other than 22 is not security. The bots trying port 22 on random addresses with random passwords don’t have a chance of getting in unless you’re using password authentication with weak passwords or your SSH is very old.
SSH security updates are very infrequent and it takes practically no effort to keep SSH up to date. If you’re using a stable distribution, just enable automatic security updates.
lud@lemm.ee 2 months ago
Moving to another port isn’t a bad idea though. It gives you cleaner logs which is nice.
JustEnoughDucks@feddit.nl 2 months ago
To be fair, if something is open by default or very easy to enable without informing about the risks, tons of people will have it exposed without thinking.
It isn’t that “tons of people do it so it is normal and perfectly fine” but more “people don’t realize.” It also uses some nontrivial amount of resources to process and block those attempts, even if they never have a chance of getting in.
There is yet a reason I can find to have it forwarded for home use. Need to ssh into a machine to fix it? VPN.
There are plenty of secure web-based tools to manage your server without a VPN also.
keyez@lemmy.world 2 months ago
I had it open for a web server for 2.5 years because I was lazy and my IP changed a lot and I traveled and didn’t have a VPN setup and never had any issues as far as I could tell. Disabled password and root auth but was also fine with wiping that server if there were issues. It’s certainly not recommended but isn’t immediately always going to be an issue
atzanteol@sh.itjust.works 2 months ago
ssh is one of the most secure servers you can run. The tailscale propaganda is crazy in this community.
Manifish_Destiny@lemmy.world 2 months ago
Not for people who are asking questions about port forwarding
Trainguyrom@reddthat.com 2 months ago
For public facing only use key based authentication. Passwords have too much risk associated for public facing ssh
IphtashuFitz@lemmy.world 2 months ago
If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.
piccolo@ani.social 2 months ago
I dont expose ssh to the internet. I expose wireguard. If you want ssh youll have to break my wiregaurd key and my ssh key.