On 09/02/15 21:42, Simon Avery wrote:
> On 9 February 2015 at 20:46, bad apple <mr.meowski@xxxxxxxx
> <mailto:mr.meowski@xxxxxxxx>> wrote:
>
> > On 09/02/15 20:00, Simon Avery wrote:
> > I've mentioned this a few times already and I still think it's one of
> > the most basic and effective things you can and should do if you have a
> > linux server exposed to the internet, yet one of the most overlooked.
> >
> > Oh no, not this again...
>
> 'Fraid so!
>
> If you say that again highlighting a security issue that is well known
> for being successfully exploited and bringing it into discussion exactly
> as we are here (right or wrong) is a waste of time then, my old friend,
> you and I will be having a falling out.. Security /should/ be discussed
> openly, frequently and actively - and disagreed with and argued about.
> Through that process comes understanding, if only of another's point of
> view.
>
> > I'm afraid I'm going to have to (respectfully) disagree with you on
> > this: let me explain.
>
> I love a disagreement.

Ha! Don't worry, we're not going to have to have a massive argument or anything - you make lots of very good points and of course I agree that we should talk about security. Lots.

I still disagree with your initial premise for reasons stated but yes, my way is a little more work I guess, and fair enough, you already know it isn't going to work scaling out so let's forget large professional deployments completely. They should have their act together in the first place of course. Concentrating on perhaps LUG members and more adventurous home users who only have a few machines but are actually willing and capable of directly attaching a linux box with SSH access to the big bad internet, I'd still quietly argue that if they're skilled enough to change a port in sshd_config and then reconfigure the firewall, they're probably skilled enough to step through my configuration steps.
If we leave out advanced tweaking of sshd_config, whilst they're editing it anyway why not leave the port as 22 (they won't have to muck around with iptables afterwards, added bonus!) but disable root and keyboard/interactive logins instead. There are a million super easy tutorials on the internet for how to do this in a couple of commands, and then how to generate and use an SSH key in a couple more. It really is *super* simple.

I probably do have a lot more hosts out there than most to be fair, and I get the dubious advantage of many, many gigabytes of syslogs to mine for trends. For years I've been seeing the distributed port scans typical of these low intensity massively parallel operations: it's not just dumb knocking on TCP/22, they're slowly but surely checking out the entire addressable attack surface (anything that's open/filtered on the firewall basically). I'm not the only one who's seeing this either, although I must admit I haven't seen that sort of scanning on home IP address blocks as of yet, not that I've been looking particularly hard except on my own connection of course. I've got better things to do when I'm not working, like mostly not working :]

You'll probably be interested in this Simon: this guy is pretty much the expert on this phenomenon (he calls part of it the "Hail Mary Cloud") and has lots of fascinating blog posts on the nature and evolution of these scan and bruteforce SSH things here:

http://bsdly.blogspot.co.uk/search/label/Hail%20Mary%20Cloud

And there's an original post here, with nice clean and easy to follow instructions included on how to make exactly the changes I'm suggesting and generating your own SSH key.

http://bsdly.blogspot.co.uk/2013/10/the-hail-mary-cloud-and-lessons-learned.html

So, I'm still leaving my home internet with a SSH server listening to the internet on port 22. I do get brute force attempts but I couldn't care less... good luck script kiddies!
ghost@failbot:/var/log$ grep Ban fail2ban.log* | wc -l
517

That's since the start of February - I can live with that.

It may interest you to know that for technical reasons, I have many more than one SSH port open on my home firewall so I can reach directly into different machines, keep tunnels up, etc. So I actually do already have multiple different pseudo-random high number TCP ports open for SSH as it happens. It's not like I'm completely against the concept, just can't possibly recommend it for shifting the single default instance off 22. They're called standard ports for a reason...

Cheers

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
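The sshd_config changes bad apple recommends above (root login off, password and keyboard-interactive logins off, keys only, port left at 22), as an added example that is not part of the thread or anyone's post in it: a small Python checker that reads a config and reports the effective value of each of those three settings. It applies sshd's own rule that when a keyword appears more than once the first occurrence wins, and it lists directives under a Match line separately because they only apply to the matching users or hosts. The WEAK and HARDENED configurations are constructed samples, and the DEFAULTS table is my understanding of OpenSSH 7.0+ defaults, not something the thread states.

```python
"""Audit an sshd_config for the three changes recommended in the thread:
PermitRootLogin no, PasswordAuthentication no and
ChallengeResponseAuthentication no (keyboard-interactive logins).

Added example, not code from the DCLUG list or its posters. sshd_config rules
applied here: keywords are case-insensitive, and for a keyword given more than
once the FIRST occurrence wins (later ones are silently ignored). Directives
after a Match line are reported separately. DEFAULTS is an assumption
(OpenSSH 7.0+); check sshd_config(5) for the version you run.
"""
import re

# Effective value when the keyword is absent (assumption: OpenSSH 7.0+).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# ChallengeResponseAuthentication is the older spelling of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Key value" or "Key=value"; everything after the separator is the value.
DIRECTIVE = re.compile(r"^(\S+?)\s*[=\s]\s*(.*)$")


def parse_sshd_config(text):
    """Return (global_opts, match_opts).

    global_opts maps lower-cased keyword -> first value seen (sshd semantics);
    match_opts is a list of (match_criteria, keyword, value) for directives
    that appear after a Match line.
    """
    global_opts = {}
    match_opts = []
    current_match = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            current_match = value          # everything below is conditional
            continue
        if current_match is not None:
            match_opts.append((current_match, key, value))
        elif key not in global_opts:       # first occurrence wins
            global_opts[key] = value
    return global_opts, match_opts


def audit(text):
    """Return ({setting: (effective_value, is_hardened)}, match_overrides).

    A setting counts as hardened only when its effective value is "no": the
    thread recommends turning root login off entirely, so the default
    prohibit-password (root with a key) is reported as not hardened.
    """
    global_opts, match_opts = parse_sshd_config(text)
    report = {}
    for key, default in DEFAULTS.items():
        value = global_opts.get(key, default).lower()
        report[key] = (value, value == "no")
    return report, match_opts


# Constructed samples, not a real host's configuration.
WEAK = """\
# Typical out-of-the-box sshd_config: root and password logins allowed
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED = """\
# Same port, keys only: no firewall change needed, no passwords to guess
Port 22
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
# KbdInteractiveAuthentication in newer OpenSSH
ChallengeResponseAuthentication no
# A later duplicate is ignored by sshd, so this does NOT re-enable passwords
PasswordAuthentication yes
# Exception scoped to one account only, via a Match block
Match User backup
    PasswordAuthentication yes
"""


def main():
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        report, overrides = audit(cfg)
        print(f"{name}:")
        for key, (value, ok) in report.items():
            print(f"  {key:32} {value:18} {'OK' if ok else 'FIX'}")
        for crit, key, value in overrides:
            print(f"  (Match {crit}) {key} {value}")


if __name__ == "__main__":
    main()
```

On a real host, `sshd -T` prints the effective configuration after sshd has applied these rules itself, which is the authoritative check; the script above is useful for reviewing a config before it is deployed, and for catching the duplicate-keyword mistake that `sshd -T` resolves silently.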
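Mining the syslogs for trends, as bad apple describes above, and the `grep Ban fail2ban.log* | wc -l` count, as an added example that is not from the thread or its posters: a Python script that parses sshd auth-log lines and fail2ban log lines, counts failed logins per source address and per targeted username, and separates repeat-offender sources (which a per-IP ban catches) from the many quiet sources that make the distributed, low-intensity pattern the thread and the linked "Hail Mary Cloud" posts describe. The log lines are constructed samples (documentation address ranges, made-up hostname, PIDs and fingerprint); the noisy_threshold and the noisy/quiet split are illustrative assumptions, not fail2ban settings.

```python
"""Mine sshd auth-log and fail2ban log lines for brute-force trends.

Added example for the thread above, not code from the DCLUG list or its
posters. The log lines are constructed samples in the syslog format sshd uses
and in fail2ban's log format; hostnames, PIDs, fingerprints and addresses
are made up. noisy_threshold is an illustrative assumption.
"""
import re
from collections import Counter

AUTH_LOG = """\
Feb  9 20:01:12 failbot sshd[4123]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb  9 20:01:15 failbot sshd[4125]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Feb  9 20:01:18 failbot sshd[4127]: Accepted publickey for ghost from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Feb  9 20:01:20 failbot sshd[4129]: Failed password for root from 203.0.113.7 port 51240 ssh2
Feb  9 20:02:01 failbot sshd[4131]: Failed password for invalid user oracle from 198.51.100.77 port 40100 ssh2
Feb  9 20:02:30 failbot sshd[4133]: Failed password for invalid user test from 198.51.100.91 port 40300 ssh2
Feb  9 20:03:02 failbot sshd[4135]: Failed password for root from 203.0.113.7 port 51250 ssh2
Feb  9 20:03:10 failbot sshd[4137]: Failed password for invalid user admin from 198.51.100.102 port 40400 ssh2
"""

FAIL2BAN_LOG = """\
2015-02-09 20:03:05,004 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2015-02-09 20:13:05,117 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
BAN = re.compile(r"\] Ban (\S+)$")   # case-sensitive, so Unban lines do not match


def parse_auth_log(text):
    """Return a list of (outcome, method, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            events.append(("failed", m.group(1), m.group(2), m.group(3)))
            continue
        m = ACCEPTED.search(line)
        if m:
            events.append(("accepted", m.group(1), m.group(2), m.group(3)))
    return events


def failed_by_source(events):
    """Failed login attempts per source address."""
    return Counter(ip for outcome, _m, _u, ip in events if outcome == "failed")


def failed_by_user(events):
    """Failed login attempts per targeted username."""
    return Counter(user for outcome, _m, user, _ip in events if outcome == "failed")


def classify_sources(per_ip, noisy_threshold=3):
    """Split sources into noisy (repeat offenders a per-IP ban catches) and quiet.

    Assumption: one source reaching the threshold is the classic single-host
    brute force; many sources each staying below it, working through the same
    usernames, is the distributed low-intensity pattern the thread describes,
    which per-IP banning alone will not stop.
    """
    noisy = {ip: n for ip, n in per_ip.items() if n >= noisy_threshold}
    quiet = {ip: n for ip, n in per_ip.items() if n < noisy_threshold}
    return noisy, quiet


def count_bans(text):
    """Per-IP count of fail2ban Ban actions (the thread's grep Ban | wc -l, per address)."""
    bans = Counter()
    for line in text.splitlines():
        m = BAN.search(line)
        if m:
            bans[m.group(1)] += 1
    return bans


def main():
    events = parse_auth_log(AUTH_LOG)
    per_ip = failed_by_source(events)
    noisy, quiet = classify_sources(per_ip)
    print("failed logins per source:", dict(per_ip))
    print("noisy sources (banned per-IP):", noisy)
    print("quiet sources (distributed, below threshold):", quiet)
    print("targeted usernames:", dict(failed_by_user(events)))
    print("fail2ban bans:", dict(count_bans(FAIL2BAN_LOG)))
    accepted = [e for e in events if e[0] == "accepted"]
    print("successful logins (should all be publickey):", accepted)


if __name__ == "__main__":
    main()
```

The last line of the report is the one worth watching once passwords are disabled: with the hardening from the thread in place, every Accepted line should name publickey as the method, and any Accepted password line is a configuration regression rather than noise.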