Comment

Comment on Basic Security for your Website | Loudwhisper

Good read.

I would just like to add some additional information that favors changing your SSH port to something other than the default. When crawlers are going around the internet looking for vulnerable SSH servers, they’re more than likely going to have an IP range and specifically look for port 22.

Now can they go through and scan your IP and all of its ports to look for the SSH service? Yes. But you will statistically have less interactions with bad actors this way since they might specifically be looking for port 22.

source

Sort:hotnew top

loudwhisper@infosec.pub ⁨3⁩ ⁨months⁩ ago
Thanks! I did mention this briefly, although I belong to the school that “since I am anyway banning IPs that fail authentication a few times, it’s not worth changing the port”. I think that it’s a valid thing especially if you ingest logs somewhere, but if you do don’t choose 2222! I have added a link to shodan in the post, which shows that almost everybody who changes port, changes to 2222!

source
- LostXOR@fedia.io ⁨3⁩ ⁨months⁩ ago
  Yeah, I just left my SSH port as 22 since I only use key-based authentication so there's really no security risk. Plus, it's funny going through the logs and looking at all the login attempts.
  
  source
  - loudwhisper@infosec.pub ⁨3⁩ ⁨months⁩ ago
    Yep I agree. Especially looking at all the usernames that are tried. I do the same and the only risk come from SSH vulnerabilities. Since nobody would burn a 0-day for SSH (priceless) on my server, unattended upgrades solve this problem too for the most part.
    
    source
    kitnaht@lemmy.world ⁨3⁩ ⁨months⁩ ago
    I mean we just had nvd.nist.gov/vuln/detail/CVE-2024-6387 – so my guess is that you’re updating quite often to be so confident in your unattended upgrades.
    
    source
    -> View More Comments
JustEnoughDucks@feddit.nl ⁨3⁩ ⁨months⁩ ago
There is one meet trick: don’t expose SSH.

There is still not a reason anyone has been able to give for 99% of self-hosters to expose SSH.

If you need to access your machine via ssh while on the go. Wireguard to your local network, use SSH. Done. Unless you are running an always-up public facing site, the amount of times you have to access your machine that can’t wait until after work is very low anyway.

Bots will scan all ports. That is just how it works. Less than 22, but you will still get spammed. Why force your computer to go through the fail2ban loop and take up resources when it is simply not needed at all and you can block it on another machine?

source
- 9tr6gyp3@lemmy.world ⁨3⁩ ⁨months⁩ ago
  This blog is specifically for websites that are public facing. Not sure if your comment applies at all tbh.
  
  source
- loudwhisper@infosec.pub ⁨3⁩ ⁨months⁩ ago
  Comfort is the main reason, I suppose. If I mess up Wireguard config, even to debug the tunnel I need to go to the KVM console. It also means that if I go to a different place and I have to SSH into the box I can’t plug my Yubikey and SSH from there. It’s a rare occurrence, but still…
  
  Ultimately I do understand both point of view. The thing is, SSH bots pose no threats after the bare minimum hardening for SSH has been done. The resource consumption is negligible, so it has no real impact.
  
  To me the tradeoff is slight inconvenience vs slightly bigger attack surface (in case of CVEs). Ultimately everyone can decide which compromise is acceptable for them, but I would say that the choice is not really a big one.
  
  source