[lug] keeping up with attacks

Stephen Kraus ub3ratl4sf00 at gmail.com
Sat May 4 12:41:05 MDT 2019


Nah, it seems like you've taken all the precautions necessary. One option is
a TCP knock method if you want to hide SSH more:


https://blog.rapid7.com/2017/10/04/how-to-secure-ssh-server-using-port-knocking-on-ubuntu-linux/


On Sat, May 4, 2019, 2:16 PM duboulder <blug-mail at duboulder.com> wrote:

> I use a no root, pubkey only, non-standard port ssh as a second connection
> method in case the vpn config gets borked during an update. This is a vm at a
> provider with no console access atm. Is there a better way of providing
> backup access?
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, May 4, 2019 10:15 AM, Stephen Kraus <ub3ratl4sf00 at gmail.com>
> wrote:
>
> Why is your SSH public facing anyways? OpenVPN is free, set it up and deny
> any SSH from external IPs. Best practice is to always use VPN or a Jump Box
> to access SSH.
>
> On Sat, May 4, 2019, 11:52 AM Rob Nagler <nagler at bivio.biz> wrote:
>
>> My $.02 is that fail2ban and blocking specific IPs is more expensive than
>> letting sshd handle them. Spend your energy on reducing the general risk
>> profile of your network and services.
>>
>> There are thousands of ssh attempts a day against our servers to log in as
>> root. And, we have only a couple of public ssh servers. The non-public only
>> let through a handful of trusted IPs via iptables.
>>
>> The public servers don't notice the attacks, because it's so fast for
>> sshd to reject them. fail2ban increases the server (and my mental) load
>> without a decrease in risk. There are millions of bots out there. If sshd
>> has a zero-day, we are in trouble, but so would AWS, GCP, Citibank, Amex,
>> etc. They'll be the first to be breached, not our servers. My experience is
>> that those patches come along pretty quickly. Much faster than the botnets
>> can be reprogrammed to attack the millions of IPs that are running sshd.
>>
>> Rob
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
>