Policies regarding access to your ssh port?


Comments

  • Setting "UsePAM no" can have undesired effects, at least on RH distros.
    Also, you'd prefer to pick a privileged port (<1024).

  • Non-standard port
    No root login
    No password
    Fail2ban
    Banning every IP that connects to port 22 twice in 10 minutes (twice, because I locked myself out once).

  • edited March 2022

    For me:

    • Disable root login
    • Enable Fail2Ban
    • Use a strong password and nonstandard username

    I find this is usually sufficient for most cases.

    Changing the port number never made sense to me. I could easily just port scan the rest of your host to find an open SSH daemon on another port anyways. Unless you take the time to set up a firewall that has port scan blocking enabled.

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • Port 22, IPv4, allow all IPs, use Fail2ban to protect my machine.

    My virtualized amusement park: https://github.com/oneclickvirt

  • Amitz (OG)
    edited March 2022

    Just be handsome & respectful and you can access all of my „ports“ whenever you like. <3

    But seriously… In my case:
    Disabled root login
    Key based access only
    Fail2Ban

    Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
    Certified braindead since 1974 and still perfectly happy.

  • Depends on the server.

    For multi-user/shared access stuff, generally non-standard port & enforcing key-based auth is good enough.

    I have some shared hosting setups for friends/family/clients which need pw auth, so I'll do non-standard port + fairly aggressive fail2ban rules.

    I've been getting a lot more firewall-happy in my old age though - the less that's exposed, the better, with how often zero days drop and things can get popped in an instant.

    My DNS servers only need port 53 exposed publicly, so that's all that's open to the world. SSH, control panel ports, API endpoints, even IMAP/SMTP ports on some mail servers, etc can all be firewalled to a set of IPs I know I'll have access to (2 common IPs like my main VPNs, plus a cheap VM with a reliable provider).

    🦍🍌

  • For you guys that use Fail2Ban. I'm intrigued to know if you still see a lot of blocked brute force activity, and by 'a lot' I mean enough to warrant bothering with Fail2Ban.

    I used to use it years ago when 'bashing down the door' style probes would actually slow the system noticeably and fill up auth logs, but these days all I see are low and slow probes from multiple IP addresses, many of which would evade F2B anyway.

    Sure, the log files fill up a little bit, but without a performance/disk impact it doesn't seem worth worrying about if you've disabled password authentication.

    I suspect a reason for that is modern probe tools probably take better notice of the 'Authentications that can continue: publickey' responses and go elsewhere if 'password' clearly isn't an option.

    Just wondering if I'm lucky, as I haven't seen an impactful SSH probe in years, on a number of public facing servers.

  • @skorupion said:

    @lapua said:

    @FAT32 said:
    Port 22, Root login, Password only, Allow all IPs

    #YOLO

    not recommended?

    who cares! Most people do it this way and don't have backups, then cry bc their data be gone, but once again WHO CARES LOLZ?

    This can be considered good, as long as you use a very long and extremely complex password, preferably something generated by random.org or other randomization.

    Stop the planet! I want to get off!

  • Non-standard port. Pub key only. Disable password. Scanning won't do any harm.

  • gentlemen, is this script recommended? if you use key-based access, which keys and which bit-lengths should you use? RSA/DSA/ECDSA/EdDSA SSH-1 (RSA)

  • @lapua said:

    gentlemen, is this script recommended? if you use key-based access, which keys and which bit-lengths should you use? RSA/DSA/ECDSA/EdDSA SSH-1 (RSA)

    ED25519

    Here is a nice article https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54

  • Ed448 also good or only for paranoids?

  • skorous (OG Senpai)

    The problem with ed25519 is that not everything supports it and it's annoying to have to support two keys.

  • @lapua said:

    gentlemen, is this script recommended? if you use key-based access, which keys and which bit-lengths should you use? RSA/DSA/ECDSA/EdDSA SSH-1 (RSA)

    how can you undo a key procedure that has been set up?

  • @lapua said:
    https://mrpsycho.pl/cheatsheets/Bash-script-for-disabling-password-login/

    gentlemen, is this script recommended? if you use key-based access, which keys and which bit-lengths should you use? RSA/DSA/ECDSA/EdDSA SSH-1 (RSA)

    In this line:

    sed -i '/PasswordAuthentication/c\PasswordAuthentication no' $CONF_FILE

    This command would match the following snippet in the default sshd_config content:

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    and change it to:

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    PasswordAuthentication no
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    which results in a non (human) readable paragraph.

    I usually run this command instead:

    sed -i -E '/#?PasswordAuthentication\b/ s|.*|PasswordAuthentication no|' /etc/ssh/sshd_config

    My command only matches either a PasswordAuthentication directive or a commented directive starting with #PasswordAuthentication, not other occurrences within a longer comment line.
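    The two substitutions discussed in this post, run side by side on a constructed excerpt of the stock sshd_config comment block (this is an added example, not the cheat sheet's script or the poster's command). The anchored variant used here requires `PasswordAuthentication` at the start of the line (optionally preceded by `#`), so a mention of the word inside a comment's sentence is left alone, and it appends the directive when the file has no directive line at all, because OpenSSH defaults the setting to `yes` when it is absent. The sample config lines are constructed.

```shell
#!/bin/sh
# Added example: compare the cheat-sheet's `c\` substitution with a
# start-of-line anchored pattern on a constructed sshd_config excerpt.
set -eu

# Constructed sample mirroring the Debian/Ubuntu comment block quoted in the thread.
make_sample_config() {
  cat > "$1" <<'EOF'
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#PasswordAuthentication yes
EOF
}

# Cheat-sheet approach: every line containing the word is replaced wholesale.
disable_pw_unanchored() {
  sed '/PasswordAuthentication/c\PasswordAuthentication no' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Anchored approach: only a directive line (possibly commented out) is rewritten.
# If no such line exists, the directive is appended so the effective value is
# still "no" rather than OpenSSH's built-in default of "yes".
disable_pw_anchored() {
  pat='^[[:space:]]*#?[[:space:]]*PasswordAuthentication([[:space:]]|$)'
  if grep -Eq "$pat" "$1"; then
    sed -E "/$pat/ s|.*|PasswordAuthentication no|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf 'PasswordAuthentication no\n' >> "$1"
  fi
}

# Lines sshd will actually parse as the directive set to "no".
count_active_directive() {
  grep -Ec '^[[:space:]]*PasswordAuthentication[[:space:]]+no[[:space:]]*$' "$1" || true
}

# Comment lines that survived the edit (the sample starts with three).
count_comment_lines() {
  grep -c '^#' "$1" || true
}

# Stand-alone demo: ./script.sh --demo
if [ "${1-}" = "--demo" ]; then
  f=$(mktemp)
  make_sample_config "$f"; disable_pw_unanchored "$f"
  echo "unanchored: $(count_active_directive "$f") directive(s), $(count_comment_lines "$f") comment line(s)"
  make_sample_config "$f"; disable_pw_anchored "$f"
  echo "anchored:   $(count_active_directive "$f") directive(s), $(count_comment_lines "$f") comment line(s)"
  rm -f "$f"
fi
```

    Whichever substitution you use, confirm the result with `sshd -t` (syntax check) and `sshd -T | grep -i passwordauthentication` (effective value) before closing your existing session. Note that a `PasswordAuthentication` line inside a `Match` block is rewritten too, and that on distributions whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` (Ubuntu 22.04 and later, for example) an included file can set the value first, and sshd keeps the first value it reads.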

  • From active paranoia to complete carelessness... This kind of thread is giving each of us a way to "belong" :smiley:

  • edited April 2022

    Default port, root login, nopassword, sshguard.

    I simply don't see how getting extra paranoid could get you any safer.

  • IMO sshd_config is pretty sane by default. All I need to change is:

    HostKey /etc/ssh/ssh_host_ed25519_key
    KbdInteractiveAuthentication no
    PasswordAuthentication no

    I don't really care about port scanners anyway because modern cryptography keeps them away. But if you do, check out endlessh.

  • For now I'm using a jump server not for security purposes, but because the logs are full of garbage with failed ssh attempts and it's hard to find anything useful in there.
    Eventually I'll find a way to disable this failed-attempt logging.
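    Rather than suppressing the failed-attempt noise, a couple of pipelines can separate it from the lines worth reading. This is an added example, not from the thread; the log lines are constructed in the standard OpenSSH syslog format with documentation-range IPs and a made-up key fingerprint, and both functions read a log on stdin.

```shell
#!/bin/sh
# Added example: summarise sshd log noise so accepted logins stand out.
set -eu

# Constructed sample log (documentation-range IPs, made-up fingerprint).
sample_log() {
  cat <<'EOF'
Mar  3 10:00:01 vps sshd[1001]: Invalid user admin from 203.0.113.10 port 41822
Mar  3 10:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 41822 ssh2
Mar  3 10:00:04 vps sshd[1002]: Failed password for root from 203.0.113.10 port 41830 ssh2
Mar  3 10:00:09 vps sshd[1003]: Failed password for root from 198.51.100.7 port 50212 ssh2
Mar  3 10:01:00 vps sshd[1004]: Accepted publickey for deploy from 192.0.2.5 port 60022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:01:30 vps sshd[1005]: Connection closed by authenticating user root 203.0.113.10 port 41840 [preauth]
EOF
}

# Failed password attempts per source IP, most frequent first ("<count> <ip>").
failed_by_ip() {
  grep 'Failed password' | sed -E 's/.* from ([0-9.]+) port .*/\1/' | sort | uniq -c | sort -rn
}

# Successful logins only, as "<method> <user> <ip>"; these are the lines that matter.
accepted_logins() {
  grep 'Accepted ' | sed -E 's/.*Accepted ([a-z]+) for ([^ ]+) from ([0-9.]+) .*/\1 \2 \3/'
}

# Stand-alone demo: ./script.sh --demo
if [ "${1-}" = "--demo" ]; then
  echo "failed password attempts by IP:"; sample_log | failed_by_ip
  echo "accepted logins:";               sample_log | accepted_logins
fi
```

    On a live host, feed the functions `/var/log/auth.log` (Debian/Ubuntu), `/var/log/secure` (RHEL family), or `journalctl -u ssh` / `journalctl -u sshd` on journald systems. With password authentication disabled, the `Failed password` lines are attempts that could never have succeeded, which makes the `Accepted` lines the only ones worth alerting on.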
