Sorry, misunderstanding here, I’d never open SSH to the internet, I meant it as “don’t block it via your server’s firewall.”
Comment on Jellyfin over the internet
Novi@sh.itjust.works 3 weeks ago
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
oong3Eepa1ae1tahJozoosuu@lemmy.world 3 weeks ago
fuckwit_mcbumcrumble@lemmy.dbzer0.com 3 weeks ago
Change the port it runs on to be stupid high and they won’t bother.
caseyweederman@lemmy.ca 2 weeks ago
Yeah hey what’s your IP address real quick? No reason
fuckwit_mcbumcrumble@lemmy.dbzer0.com 2 weeks ago
In 3 years I haven’t had a single attempted connection that wasn’t me. Once you get to the ephemeral ports nobody is scanning that high.
I’m not saying run no security or something. Just nobody wants to scan all 65k ports. They’re looking for easy targets.
mic_check_one_two@lemmy.dbzer0.com 2 weeks ago
Just nobody wants to scan all 65k ports.
Shodan has entered the chat.
Everyday0764@lemmy.zip 2 weeks ago
I have ssh on a random port and only get so many scans, so low that fail2ban never banned anyone that was not myself (accidentally).
Auli@lemmy.ca 2 weeks ago
SSH has nothing to do with scanning. Your IP and everyone else’s IP is being scanned constantly. In IPv4 space at least.
30p87@feddit.org 3 weeks ago
fail2ban with endlessh and abuseipdb as actions
Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
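The ban policy described in the comment above, as an added sketch that is not part of the thread and not fail2ban's own filter: it reads sshd auth-log lines and returns the address to block. The username `alice`, the sample log lines and the function name `ban_decision` are constructed for illustration; the message formats are the usual OpenSSH ones.

```python
import re
from ipaddress import ip_address

ALLOWED_USERS = {"alice", "git"}  # assumption: "alice" stands in for the admin's own login

# The user field is greedy and the match is anchored at end of line, so the
# source address is always the LAST "from <ip> port <n>" that sshd appended,
# never text smuggled into the log through a crafted username.
SSHD_LINE = re.compile(
    r"sshd(?:-session)?\[\d+\]: "
    r"(?:Invalid user|(?P<result>Failed|Accepted) (?P<method>\S+) for(?: invalid user)?)"
    r" (?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh2.*)?$"
)

def ban_decision(line):
    """Return (ip, reason) when the line should trigger a ban, else None."""
    m = SSHD_LINE.search(line)
    if m is None:
        return None
    try:
        ip = str(ip_address(m["ip"]))
    except ValueError:
        return None  # not a literal address: do not act on it
    if m["user"] not in ALLOWED_USERS:
        return ip, "user not on allow-list"
    if m["method"] == "password":
        return ip, "password auth attempted"
    if m["result"] != "Accepted":
        return ip, "authentication failed"
    return None  # allowed user, key-based login accepted

# Constructed sample lines (documentation address ranges, fake fingerprints).
SAMPLE_LOG = [
    "Jan 10 03:14:07 host sshd[811]: Invalid user admin from 203.0.113.5 port 40022",
    "Jan 10 03:14:09 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2",
    "Jan 10 03:15:30 host sshd[812]: Failed password for alice from 198.51.100.7 port 51000 ssh2",
    "Jan 10 03:16:02 host sshd[813]: Failed publickey for git from 198.51.100.8 port 51001 ssh2: ED25519 SHA256:constructed",
    "Jan 10 03:17:45 host sshd[814]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:constructed",
    # Username crafted to look like a second source address:
    "Jan 10 03:18:11 host sshd[815]: Invalid user x from 192.0.2.10 port 22 from 203.0.113.9 port 4444",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(ban_decision(entry), "<-", entry.split(": ", 1)[1])
```

The last sample line shows why the pattern is anchored at the end: the ban lands on 203.0.113.9, the address sshd itself logged, and not on 192.0.2.10, which only appears inside the username.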
mosiacmango@lemm.ee 2 weeks ago
You’ve minimized login risk, but not any 0 days or newly discovered vulnerabilities in your ssh server software. It’s still best to not directly expose any ports you don’t need to regularly interact with to the internet.
Also, look into crowdsec as a fail2ban replacement. It uses automatically crowdsourced info to pre-block IPs. A bit more proactive compared to abuseipdb manual reporting.
Thaurin@lemmy.world 2 weeks ago
I have the firewall of my VPS reject any IP range except the ones I’m on frequently, that is mobile, home and work. Sucks when you travel, but otherwise works alright.
Still exposes ports to some people on the same mobile or home internet service networks…