Regarding SSH Keys, I was wondering how you keep your key safe and potentially usable from another client?
Comment on How to harden against SSH brute-forcing?
phoenixz@lemmy.ca 1 year ago
Move the ssh port to higher ranges, 30-60000. That alone will stop 99% of the attacks.
Disable root logins; now usernames must be guessed too, which will make success even lower.
Then require SSH keys
At that point it’s like being in a nuclear fallout shelter behind a 3 meter thick steel door and you can hear some zombies scratching on the outside… I’m not worried about any of that shit
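The three steps above (non-default port, no root login, keys only) are easy to check mechanically. The POSIX shell script below is an added example, not code from any commenter in the thread: it audits an sshd_config text and reports which of the three settings is still at its weak value. The two sample configs are constructed for offline use, and the function names `sshd_get` and `sshd_audit` are my own. It assumes OpenSSH's keyword semantics (first occurrence of a keyword wins, keywords are case-insensitive, and `PermitRootLogin` defaults to `prohibit-password`).

```shell
#!/bin/sh
# Added example: audit an sshd_config against the thread's advice.
# Checks: Port is not 22, PermitRootLogin is no, PasswordAuthentication is no.

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG='# constructed: stock-looking config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'

HARDENED_CONFIG='# constructed: hardened config
Port 41234
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
'

# sshd_get CONFIG KEYWORD DEFAULT
# Prints the effective (lower-cased) value of KEYWORD. sshd honours the first
# occurrence of a keyword, so the first match wins; DEFAULT is used if absent.
sshd_get() {
  val=$(printf '%s\n' "$1" \
    | grep -i "^[[:space:]]*$2[[:space:]]" \
    | head -n 1 \
    | awk '{print tolower($2)}')
  printf '%s\n' "${val:-$3}"
}

# sshd_audit CONFIG
# Writes one FAIL line per weak setting to stderr and prints the number of
# failures on stdout (0 means all three checks passed).
sshd_audit() {
  fails=0
  port=$(sshd_get "$1" Port 22)
  root=$(sshd_get "$1" PermitRootLogin prohibit-password)  # OpenSSH >= 7.0 default
  pass=$(sshd_get "$1" PasswordAuthentication yes)          # OpenSSH default

  if [ "$port" = "22" ]; then
    echo "FAIL: Port is 22; move it to an unused high port (e.g. 30000-60000) to cut log noise" >&2
    fails=$((fails + 1))
  fi
  if [ "$root" != "no" ]; then
    echo "FAIL: PermitRootLogin is '$root'; set it to 'no'" >&2
    fails=$((fails + 1))
  fi
  if [ "$pass" != "no" ]; then
    echo "FAIL: PasswordAuthentication is '$pass'; set it to 'no' so only keys are accepted" >&2
    fails=$((fails + 1))
  fi
  echo "$fails"
}

# Stand-alone demo on the constructed configs.
echo "weak config failures:     $(sshd_audit "$WEAK_CONFIG")"
echo "hardened config failures: $(sshd_audit "$HARDENED_CONFIG")"
```

On a live OpenSSH host the same function can be pointed at the effective configuration rather than the file, e.g. `sshd_audit "$(sshd -T)"`, which resolves includes and defaults for you; `sshd -T` emits lower-case keywords, which the case-insensitive match handles.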
StructureOfChaos@lemmynsfw.com 1 year ago
gerowen@lemmy.world 1 year ago
Generate a unique key for each client or device. SSH keys identify devices, not people, so I do not recommend sharing the same key between two different devices.
StructureOfChaos@lemmynsfw.com 1 year ago
Well, you might have only 1 main client, but if that hardware fails and you need to connect from a temporary client or after a fresh install, you’re locked out of your own server…
a_postmodern_hat@lemmy.world 1 year ago
You could get a hardware key (like a Yubikey) and authenticate with PIV or GPG.
callcc@lemmy.world 1 year ago
Be sure to use a passphrase
StructureOfChaos@lemmynsfw.com 1 year ago
Or very strong password
null_dot@lemmy.dbzer0.com 1 year ago
This is what I do. Changing the port to a higher number will prevent almost all bots.
I understand that obscurity is not security but not getting probed is nice.
Also ssh keys are a must.
I do log in as root though.
However, I block all IPs other than mine from connecting to this port in my host’s firewall. I only need to log in from home, or my office, and in a crisis I can just log in to OVH and whitelist my IP.
sugar_in_your_tea@sh.itjust.works 1 year ago
I do log in as root though.
Don’t do that. You’re one local piece of malware away from getting your server pwned. Logging in as an unprivileged user at least requires another exploit on the server to get root permissions.
joshcodes@programming.dev 1 year ago
For added fun run an SSH tarpit to fuck with the attackers, something like endlessh.
phoenixz@lemmy.ca 1 year ago
Well yeah, sure, but that doesn’t really add to your security and it only costs you work and resources
joshcodes@programming.dev 1 year ago
100% agree, that is a “totally for fun” exercise
possiblylinux127@lemmy.zip 1 year ago
This is a total waste of time
Changing the port is just like putting a picture of a window on your door. Harden SSH properly and don’t waste time with security via obscurity.
AustralianSimon@lemmy.world 1 year ago
I think the point behind it is to waste the sniffer’s time sniffing for ports that it could be using to make attempts.
It’s not a security thing, it’s just increasing the cost to snoop.
sugar_in_your_tea@sh.itjust.works 1 year ago
That’s not true.
Security through obscurity isn’t real security, sure, but it does a lot to reduce the noise in the logs so you can see the more real attacks. Hardening SSH properly is certainly more important, but changing the port also has value.
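The "noise in the logs" point is concrete: the entries a port change removes are mostly repeated `Failed password` lines from a handful of sources. The POSIX shell function below is an added example, not something posted in the thread: it counts failed password attempts per source address in sshd log lines and reports the sources at or above a threshold, which is the same kind of check a defender runs to spot a brute-force run among the real logins. The log lines are constructed (RFC 5737 documentation addresses, made-up timestamps), and the name `ssh_bruteforce_sources` is my own.

```shell
#!/bin/sh
# Added example: find sources of repeated SSH password failures in auth-log lines.

# Constructed sample log (not from any real host). Three failures from one
# address, one from another, and one legitimate key-based login.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[1234]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 host sshd[1240]: Accepted publickey for alice from 198.51.100.9 port 50000 ssh2: ED25519 SHA256:constructed
Mar  3 10:02:30 host sshd[1250]: Failed password for invalid user test from 203.0.113.7 port 51300 ssh2
Mar  3 10:03:00 host sshd[1260]: Failed password for bob from 192.0.2.5 port 40000 ssh2'

# ssh_bruteforce_sources LOG THRESHOLD
# Prints "ip count" for every source with at least THRESHOLD failed password
# attempts, sorted by address. Accepted logins are ignored on purpose.
ssh_bruteforce_sources() {
  printf '%s\n' "$1" | awk -v t="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # The source address is the field right after "from".
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' | sort
}

# Stand-alone demo: sources with 3 or more failures in the sample.
echo "repeat offenders (>= 3 failures):"
ssh_bruteforce_sources "$SAMPLE_LOG" 3
```

On a real host feed it the auth log instead of the sample, e.g. `ssh_bruteforce_sources "$(cat /var/log/auth.log)" 10`, and compare the output before and after moving the port: the hardening is unchanged, but the list of repeat sources shrinks, which is exactly the "see the more real attacks" benefit described above. Automated banning tools apply the same per-source counting, so this is a useful sanity check of what they would act on.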