[lug] Disregard: Re: keeping up with attacks

Chip Atkinson chip at pupman.com
Mon May 20 19:34:28 MDT 2019


Doh!  "Cancel" didn't quite turn out like I'd hoped...

On Mon, 20 May 2019, Chip Atkinson wrote:

> Changing to a non-standard port made all the difference for me. It was on the
> order of several hits/second sometimes. After the port change, it basically 
> stopped.
>
> Disable root logins if not already mentioned.
>
> On Sat, 4 May 2019, duboulder wrote:
>
>> I use a no root, pubkey only, non-standard port ssh as a second
>> connection method in case the vpn config gets borked during an update.
>> This is a VM at a provider with no console access atm. Is there a better way
>> of providing backup access?
>> 
>> 
>> ------- Original Message -------
>> On Saturday, May 4, 2019 10:15 AM, Stephen Kraus <ub3ratl4sf00 at gmail.com>
>> wrote:
>>
>>       Why is your SSH public facing anyways? OpenVPN is free, set
>>       it up and deny any SSH from external IPs. Best practice is to
>>       always use VPN or a Jump Box to access SSH.
>> 
>> On Sat, May 4, 2019, 11:52 AM Rob Nagler <nagler at bivio.biz> wrote:
>>       My $.02 is that fail2ban and blocking specific IPs is
>>       more expensive than letting sshd handle them. Spend
>>       your energy on reducing the general risk profile of
>>       your network and services.
>> 
>> There are thousands of ssh attempts a day against our servers
>> to login as root. And, we have only a couple of public ssh
>> servers. The non-public only let through a handful of trusted
>> IPs via iptables.
>> 
>> The public servers don't notice the attacks, because it's so
>> fast for sshd to reject them. fail2ban increases the server
>> (and my mental) load without a decrease in risk. There are
>> millions of bots out there. If sshd has a zero-day, we are in
>> trouble, but so would AWS, GCP, Citibank, Amex, etc. They'll
>> be the first to be breached, not our servers. My experience
>> is that those patches come along pretty quickly. Much faster
>> than the botnets can be reprogrammed to attack the millions
>> of IPs that are running sshd.
>> 
>> Rob
>> 
>> _______________________________________________
>> Web Page: http://lug.boulder.co.us
>> Mailing List:
>> http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667
>> channel=#hackingsociety

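The settings recommended in the thread above (no root login, pubkey only, non-standard port) can be checked against an sshd_config file. The following is an added example, not code from any poster: the function name `audit_sshd_config` and the `SAMPLE` config are constructed for illustration, the defaults assumed are upstream OpenSSH's, and `Include` files and ports given via `ListenAddress` are not followed.

```python
# Keywords checked, with the upstream OpenSSH default used when one is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Values wanted for "no root, pubkey only".
WANTED = {**{k: "no" for k in DEFAULTS}, "pubkeyauthentication": "yes"}

def audit_sshd_config(text):
    """Return a list of findings for one sshd_config text."""
    seen, ports, findings, in_match = {}, [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()      # drop comments
        if len(words) < 2:
            continue
        key, value = words[0].lower(), words[1].lower()
        if key == "challengeresponseauthentication":  # deprecated alias
            key = "kbdinteractiveauthentication"
        if key == "match":
            in_match = True       # everything after this line is conditional
        elif key == "port" and not in_match:
            ports.append(int(value))  # Port may repeat; sshd listens on all
        elif key in WANTED and in_match:
            if value != WANTED[key]:
                findings.append(
                    f"line {lineno}: Match block relaxes {key} to {value}")
        elif key in WANTED:
            seen.setdefault(key, value)  # sshd keeps the first value it reads
    for key, want in WANTED.items():
        got = seen.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"{key} is effectively {got}, want {want}")
    if 22 in (ports or [22]):
        findings.append("sshd still listens on port 22")
    return findings

# Constructed sample: the second PermitRootLogin is ignored by sshd, and the
# Match block re-enables passwords for one address range.
SAMPLE = """\
# constructed sample, not from the thread
Port 2222
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit_sshd_config(SAMPLE)) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser is for reviewing a file offline.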
