[lug] keeping up with attacks

[duboulder]

I use a no root, pubkey only, non standard port ssh as a second connection method in case the vpn config gets borked during an update. This a vm at provider with no console access atm. Is there a better way of providing backup access?

Sent with [ProtonMail](https://protonmail.com) Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, May 4, 2019 10:15 AM, Stephen Kraus <ub3ratl4sf00 at gmail.com> wrote:

> Why is your SSH public facing anyways? OpenVPN is free, set it up and deny any SSH from external IPs. Best practice is to always use VPN or a Jump Box to access SSH.
>
> On Sat, May 4, 2019, 11:52 AM Rob Nagler <nagler at bivio.biz> wrote:
>
>> My $.02 is that fail2ban and blocking specific IPs is more expensive than letting sshd handle them. Spend your energy on reducing the general risk profile of your network and services.
>>
>> There are thousands of ssh attempts a day against our servers to login as root. And, we have only a couple of public ssh servers. The non-public only let through a handful of trusted IPs via iptables.
>>
>> The public servers don't notice the attacks, because it's so fast for sshd to reject them. fail2ban increases the server (and my mental) load without a decrease in risk. There are millions of bots out there. If sshd has a zero-day, we are  trouble, but so would AWS, GCP, Citibank, Amex, etc. They'll be the first to be breached, not our servers. My experience is that those patches come along pretty quickly. Much faster than the botnets can be reprogrammed to attack the millions of IPs that are running sshd.
>>
>> Rob
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20190504/63cd7250/attachment.html>