Comment

Comment on How to harden against SSH brute-forcing?

Move the ssh port to higher ranges, 30-60000. That alone will stop 99% of the attacks

Disable root logins, now usernames must be guessed too which will make success even lower

Then require SSH keys

At that point it’s like being in a nuclear fallout nshelter behind a 3 meter thick steel door and you can hear some zombies scratching on the outside… I’m not worried about any of that shit

source

Sort:hotnew top

joshcodes@programming.dev ⁨1⁩ ⁨week⁩ ago
For added funs run an SSH tarpit to fuck with the attackers, something like endlessh.

source
- phoenixz@lemmy.ca ⁨1⁩ ⁨week⁩ ago
  Well yeah, sure, but that doesn’t really add to your security and it only costs you work and resources
  
  source
  - joshcodes@programming.dev ⁨1⁩ ⁨week⁩ ago
    100% agree, that is a “totally for fun” exercise
    
    source
null_dot@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago
This is what I do. Changing the port to a higher number will prevent almost all bots.

I understand that obscurity is not security but not getting probed is nice.

Also ssh keys are a must.

I do log in as root though.

However, I block all IPs other than mine from connecting to this port in my host’s firewall. I only need to log in from home, or my office, and in a crisis I can just log in to OVH and add whitelist my IP.

source
- sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
  
  I do log in as root though.
  
  Don’t do that. You’re one local piece of malware away from getting your server pwned. Logging in as an unprivileged user at least requires another exploit on the server to get root permissions.
  
  source
StructureOfChaos@lemmynsfw.com ⁨1⁩ ⁨week⁩ ago
Regarding SSH Keys, I was wondering how you keep your key safe and potentially usable from another client?

source
- callcc@lemmy.world ⁨1⁩ ⁨week⁩ ago
  Be sure to use a passphrase
  
  source
  - StructureOfChaos@lemmynsfw.com ⁨1⁩ ⁨week⁩ ago
    Or very strong password
    
    source
- a_postmodern_hat@lemmy.world ⁨1⁩ ⁨week⁩ ago
  You could get a hardware key (like a Yubikey) and authenticate with PIV or GPG.
  
  source
- gerowen@lemmy.world ⁨1⁩ ⁨week⁩ ago
  Generate a unique key for each client or device. SSH keys identify devices, not people, so I do not recommend sharing the same key between two different devices.
  
  source
  - StructureOfChaos@lemmynsfw.com ⁨1⁩ ⁨week⁩ ago
    Well, you might have only 1 main client, but if that hardware fails and need to connect from a temporary client or after a fresh install you’re out of your own server…
    
    source
possiblylinux127@lemmy.zip ⁨1⁩ ⁨week⁩ ago
This is a total waste of time

Changing the port is just like putting a picture of a windows on your door. Harden SSH properly and don’t waste time with security via obscurity

source
- sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
  That’s not true.
  
  Security through obscurity isn’t real security, sure, but it does a lot to reduce the noise in the logs so you can see the more real attacks. Hardening SSH properly is certainly more important, but changing the port also has value.
  
  source
- AustralianSimon@lemmy.world ⁨1⁩ ⁨week⁩ ago
  I think the point behind it is to waste the sniffers time sniffing for ports that it could be using to be making attempts.
  
  Its not a security thing, it’s just increasing the cost to snoop.
  
  source