[lug] keeping up with attacks

Stephen Kraus ub3ratl4sf00 at gmail.com
Sat May 4 10:15:10 MDT 2019


Why is your SSH public facing anyways? OpenVPN is free, set it up and deny
any SSH from external IPs. Best practice is to always use VPN or a Jump Box
to access SSH.

On Sat, May 4, 2019, 11:52 AM Rob Nagler <nagler at bivio.biz> wrote:

> My $.02 is that fail2ban and blocking specific IPs is more expensive than
> letting sshd handle them. Spend your energy on reducing the general risk
> profile of your network and services.
>
> There are thousands of ssh attempts a day against our servers to login as
> root. And, we have only a couple of public ssh servers. The non-public only
> let through a handful of trusted IPs via iptables.
>
> The public servers don't notice the attacks, because it's so fast for sshd
> to reject them. fail2ban increases the server (and my mental) load without
> a decrease in risk. There are millions of bots out there. If sshd has a
> zero-day, we are in trouble, but so would AWS, GCP, Citibank, Amex, etc.
> They'll be the first to be breached, not our servers. My experience is that
> those patches come along pretty quickly. Much faster than the botnets can
> be reprogrammed to attack the millions of IPs that are running sshd.
>
> Rob
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
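The two pieces of advice in this thread, put sshd behind a VPN and deny it from any other source (Stephen), or let only a handful of trusted IPs through iptables (Rob), amount to one policy: an explicit allowlist for TCP/22 followed by a default DROP. The script below is an added example, not code from either poster. It renders that policy as iptables commands, simulates which source addresses the chain would accept, and audits an sshd_config excerpt for the settings that matter once root-login bots are hammering the port. The VPN subnet (10.8.0.0/24), the trusted addresses (RFC 5737 documentation ranges) and the sample config are constructed assumptions.

```python
#!/usr/bin/env python3
"""Generate and evaluate a VPN-only SSH allowlist policy.

Added example, not from the thread. The VPN subnet, trusted addresses and
the sample sshd_config below are constructed assumptions.
"""
import ipaddress
from typing import List

SSH_PORT = 22
# Assumed OpenVPN tunnel network: admins reach sshd only through the tunnel.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
# Constructed "trusted" public sources (documentation ranges, not real hosts).
TRUSTED_IPS = [ipaddress.ip_network("203.0.113.10/32"),
               ipaddress.ip_network("198.51.100.0/28")]


def allowed_sources() -> List[ipaddress.IPv4Network]:
    """Every network from which TCP/22 is accepted."""
    return [VPN_SUBNET] + TRUSTED_IPS


def iptables_rules(port: int = SSH_PORT) -> List[str]:
    """Render the policy as iptables commands: explicit ACCEPTs, then a DROP.

    iptables evaluates a chain top-down and stops at the first match, so the
    catch-all DROP must be appended last or it would shadow the allowlist.
    """
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
             for net in allowed_sources()]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def source_allowed(src: str) -> bool:
    """Simulate the chain: would a connection from `src` to the SSH port be accepted?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources())


def audit_sshd_config(text: str) -> List[str]:
    """Return findings that contradict a VPN-only, key-only sshd posture.

    sshd uses the first value it reads for a directive, so the first
    occurrence wins here too. A missing directive is also reported, because
    sshd's compiled-in default (e.g. PasswordAuthentication yes) is not the
    hardened value.
    """
    expected = {"permitrootlogin": "no", "passwordauthentication": "no"}
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    findings = []
    for key, want in expected.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key} not set (default is not '{want}')")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    listen = seen.get("listenaddress")
    if listen is None:
        findings.append("listenaddress not set: sshd listens on all interfaces")
    else:
        # IPv4 'addr' or 'addr:port' forms only in this example.
        host = listen.rsplit(":", 1)[0] if listen.count(":") == 1 else listen
        try:
            if ipaddress.ip_address(host) not in VPN_SUBNET:
                findings.append(f"listenaddress {listen} is outside the VPN subnet")
        except ValueError:
            findings.append(f"listenaddress {listen} is not a plain IPv4 address")
    return findings


# Constructed sample: a default-ish config with the weak settings a scanner
# would care about. The commented-out line is ignored, as sshd would.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for src in ("10.8.0.15", "203.0.113.10", "198.51.100.9", "192.0.2.44"):
        print(f"{src:>16} -> {'ACCEPT' if source_allowed(src) else 'DROP'}")
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("finding:", finding)
```

Run it to see the rendered chain, four simulated sources (the first three accepted, the last dropped) and three findings against the sample config. Binding `ListenAddress` to the tunnel address is belt-and-braces on top of the firewall rule: if the iptables chain is ever flushed, sshd still is not reachable from the public interface.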