Sorry, misunderstanding here, I’d never open SSH to the internet, I meant it as “don’t block it via your server’s firewall.”
Comment on Jellyfin over the internet
Novi@sh.itjust.works 2 months ago
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
oong3Eepa1ae1tahJozoosuu@lemmy.world 2 months ago
fuckwit_mcbumcrumble@lemmy.dbzer0.com 2 months ago
Change the port it runs on to be stupid high and they won’t bother.
caseyweederman@lemmy.ca 2 months ago
Yeah hey what’s your IP address real quick? No reason
fuckwit_mcbumcrumble@lemmy.dbzer0.com 2 months ago
In 3 years I haven’t had a single attempted connection that wasn’t me. Once you get to the ephemeral ports nobody is scanning that high.
I’m not saying run no security or something. Just nobody wants to scan all 65k ports. They’re looking for easy targets.
mic_check_one_two@lemmy.dbzer0.com 2 months ago
Just nobody wants to scan all 65k ports.
Shodan has entered the chat.
Everyday0764@lemmy.zip 2 months ago
I have ssh on a random port and only get so many scans, so low that fail2ban never banned anyone that was not myself (accidentally).
Auli@lemmy.ca 2 months ago
SSH has nothing to do with scanning. Your IP and everyone else's IP is being scanned constantly. In IPv4 space at least.
30p87@feddit.org 2 months ago
fail2ban with endlessh and abuseipdb as actions
Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
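The blocking policy described in the comment above, run over sshd log lines as an added example (not 30p87's fail2ban configuration and not code from the thread). The username `alice`, the function names and the sample log are assumptions constructed for illustration; addresses come from the documentation ranges.

```python
import re

# Assumption: the only accounts allowed to log in ("my username or git" in the comment;
# "alice" stands in for the real username).
ALLOWED_USERS = {"alice", "git"}

# OpenSSH sshd message shapes that name both a user and a source address.
PATTERNS = [
    re.compile(r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
               r"(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"(?:Connection closed by|Disconnected from) (?:invalid|authenticating) "
               r"user (?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]"),
]

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
May 01 10:00:01 host sshd[101]: Invalid user admin from 203.0.113.5 port 51234
May 01 10:00:03 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 01 10:01:10 host sshd[102]: Failed password for root from 198.51.100.7 port 40000 ssh2
May 01 10:02:00 host sshd[103]: Failed password for git from 198.51.100.9 port 40100 ssh2
May 01 10:03:00 host sshd[104]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
May 01 10:04:00 host sshd[105]: Connection closed by authenticating user git 192.0.2.10 port 50030 [preauth]
May 01 10:05:00 host sshd[106]: Failed publickey for alice from 192.0.2.44 port 50111 ssh2: ED25519 SHA256:CONSTRUCTED
"""

def ban_reason(line):
    """Return (ip, reason) when a log line violates the policy, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if not m:
            continue
        g = m.groupdict()
        if g["user"] not in ALLOWED_USERS:
            return g["ip"], "user %r not allowed" % g["user"]
        if g.get("result") == "Failed":
            return g["ip"], "failed %s for %s" % (g["method"], g["user"])
        if g.get("result") == "Accepted" and g["method"] != "publickey":
            return g["ip"], "non-key login for %s" % g["user"]
        return None  # allowed user, key login or an aborted pre-auth session
    return None

def ips_to_ban(log_text):
    """Map each offending source IP to the first reason it was flagged."""
    bans = {}
    for line in log_text.splitlines():
        hit = ban_reason(line)
        if hit:
            bans.setdefault(hit[0], hit[1])
    return bans
```

An allowed user who aborts a session before authenticating is deliberately not flagged here, since that is the case most likely to lock out the owner.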
mosiacmango@lemm.ee 2 months ago
You've minimized login risk, but not any 0 days or newly discovered vulnerabilities in your ssh server software. It's still best to not directly expose any ports you don't need to regularly interact with to the internet.
Also, look into crowdsec as a fail2ban replacement. It uses automatically crowdsourced info to pre-block IPs. A bit more proactive compared to abuseipdb manual reporting.
Thaurin@lemmy.world 2 months ago
I have the firewall of my VPS reject any IP range except the ones I’m on frequently, that is mobile, home and work. Sucks when you travel, but otherwise works alright.
Still exposes ports to some people on the same mobile or home internet service networks…