Regarding SSH Keys, I was wondering how you keep your key safe and potentially usable from another client?
Comment on How to harden against SSH brute-forcing?
phoenixz@lemmy.ca 11 months ago
Move the ssh port to higher ranges, 30-60000. That alone will stop 99% of the attacks
Disable root logins, now usernames must be guessed too which will make success even lower
Then require SSH keys
At that point it’s like being in a nuclear fallout shelter behind a 3 meter thick steel door and you can hear some zombies scratching on the outside… I’m not worried about any of that shit
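Added example, not code from anyone in the thread: a small audit of an sshd_config against the three steps above. It assumes OpenSSH semantics (the first value of a keyword wins, anything after a Match line is conditional, Port may repeat) and the listed defaults; the sample configs are constructed.

```python
# Audit an sshd_config for the hardening steps from the thread (added example).
# Assumed OpenSSH behaviour: first value of a keyword wins, later duplicates are
# ignored, and everything after a "Match" line is conditional rather than global.
DEFAULTS = {  # values sshd assumes when the keyword is absent (assumed, recent OpenSSH)
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def parse_global(text: str) -> tuple[dict[str, str], list[str]]:
    """Return (first-wins global settings, list of Port values)."""
    settings: dict[str, str] = {}
    ports: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key, value = key.lower(), value.strip().lower()
        if key == "match":                           # global section ends here
            break
        if key == "port":                            # Port may legitimately repeat
            ports.append(value)
        else:
            settings.setdefault(key, value)          # sshd keeps the first value
    return settings, ports or ["22"]

def audit(text: str) -> list[str]:
    """List the hardening steps from the thread that this config does not meet."""
    cfg, ports = parse_global(text)
    cfg = {**DEFAULTS, **cfg}
    findings = []
    if "22" in ports:
        findings.append("still listening on port 22")
    if cfg["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is {cfg['permitrootlogin']!r}, not 'no'")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no', so keys are not required")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings

# Constructed sample configs. WEAK contains two traps: a second PermitRootLogin
# that sshd ignores, and a PasswordAuthentication that only applies inside Match.
WEAK = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\n" \
       "Match Address 203.0.113.0/24\n    PasswordAuthentication no\n"
HARDENED = "Port 48222\nPermitRootLogin no\nPasswordAuthentication no\n" \
           "PubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```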
StructureOfChaos@lemmynsfw.com 11 months ago
gerowen@lemmy.world 11 months ago
Generate a unique key for each client or device. SSH keys identify devices, not people, so I do not recommend sharing the same key between two different devices.
StructureOfChaos@lemmynsfw.com 11 months ago
Well, you might have only 1 main client, but if that hardware fails and you need to connect from a temporary client or after a fresh install, you’re out of your own server…
a_postmodern_hat@lemmy.world 11 months ago
You could get a hardware key (like a Yubikey) and authenticate with PIV or GPG.
callcc@lemmy.world 11 months ago
Be sure to use a passphrase
StructureOfChaos@lemmynsfw.com 11 months ago
Or very strong password
null_dot@lemmy.dbzer0.com 11 months ago
This is what I do. Changing the port to a higher number will prevent almost all bots.
I understand that obscurity is not security but not getting probed is nice.
Also ssh keys are a must.
I do log in as root though.
However, I block all IPs other than mine from connecting to this port in my host’s firewall. I only need to log in from home, or my office, and in a crisis I can just log in to OVH and whitelist my IP.
sugar_in_your_tea@sh.itjust.works 11 months ago
I do log in as root though.
Don’t do that. You’re one local piece of malware away from getting your server pwned. Logging in as an unprivileged user at least requires another exploit on the server to get root permissions.
joshcodes@programming.dev 11 months ago
For added fun, run an SSH tarpit to fuck with the attackers, something like endlessh.
phoenixz@lemmy.ca 11 months ago
Well yeah, sure, but that doesn’t really add to your security and it only costs you work and resources
joshcodes@programming.dev 11 months ago
100% agree, that is a “totally for fun” exercise
possiblylinux127@lemmy.zip 11 months ago
This is a total waste of time
Changing the port is just like putting a picture of a window on your door. Harden SSH properly and don’t waste time with security via obscurity
AustralianSimon@lemmy.world 11 months ago
I think the point behind it is to waste the sniffer’s time sniffing for ports that it could be using to be making attempts.
It’s not a security thing, it’s just increasing the cost to snoop.
sugar_in_your_tea@sh.itjust.works 11 months ago
That’s not true.
Security through obscurity isn’t real security, sure, but it does a lot to reduce the noise in the logs so you can see the more real attacks. Hardening SSH properly is certainly more important, but changing the port also has value.