Comment on Basic Security for your Website | Loudwhisper
loudwhisper@infosec.pub 3 months ago
Thanks! I did mention this briefly, although I belong to the school that “since I am anyway banning IPs that fail authentication a few times, it’s not worth changing the port”. I think that it’s a valid thing especially if you ingest logs somewhere, but if you do, don’t choose 2222! I have added a link to Shodan in the post, which shows that almost everybody who changes port, changes to 2222!
LostXOR@fedia.io 3 months ago
Yeah, I just left my SSH port as 22 since I only use key-based authentication so there's really no security risk. Plus, it's funny going through the logs and looking at all the login attempts.
loudwhisper@infosec.pub 3 months ago
Yep, I agree. Especially looking at all the usernames that are tried. I do the same and the only risk comes from SSH vulnerabilities. Since nobody would burn a 0-day for SSH (priceless) on my server, unattended upgrades solve this problem too for the most part.
kitnaht@lemmy.world 3 months ago
I mean we just had nvd.nist.gov/vuln/detail/CVE-2024-6387 – so my guess is that you’re updating quite often to be so confident in your unattended upgrades.
loudwhisper@infosec.pub 3 months ago
Yeah, I know (I mentioned it myself in the post), but realistically there is not much you can do besides upgrading. Unattended upgrades kick in once a day and you will install the security patches ASAP. There are also virtual patches (CrowdSec has a virtual patch for that CVE), but they might not be very effective.
I argue that VPN software is a smaller attack surface, but the problem still exists (CVEs) for everything you expose.