On 16/02/18 14:42, Mark Williams wrote:

SSH + VPNs are sooooooo useful - the barrier to entry for SSH access to a given network particularly is so low that anyone can do it.

However... Like any tool - and this is a *really* powerful, useful tool - the potential damage you can do is immense so you need to understand what you're doing before you open TCP:22 on the firewall to the entire internet. SSHD, like any other tool, but perhaps considerably more than most, will cut you very very badly if you hold it wrong.

VPN servers are considerably more effort to implement and maintain properly, but well worth it if you can.

If anyone is interested in implementing this I implore you to test the living crap out of it on an internal system or VM extensively first, though, to get to grips with the technology and make sure you know what you're doing. The second you "go live" and expose your stuff to the actual internet, even if it's 'only' a couple of filtered ports on your firewall, you're in a different world. One with Shodan, botnets and SSH brute forcing and DDOSing.

Let's see what my workstation says about today so far (I rotate my fail2ban logs daily because of the sheer amount of traffic):

ghost@failbot:~$ wc -l /var/log/fail2ban.log
179 /var/log/fail2ban.log

So 179 banned IPs for attempting SSH logins (this box is "live" on the internet as a listening SSHD) since 00:00, and I'm honestly surprised it's that low - I routinely see tens of thousands of attempts per day on some systems, including my own, when the botnets are busy.

The general rules for SSHD are the same simple ones as ever really:

1: no root access (EVER)
2: no password/interactive logins
3: issue pass-protected client SSH certificates for ALL clients
4: LOG EVERYTHING!
5: read your logs
6: use iptables, fail2ban or whatever to aggressively ban bad actors

And finally, security through obscurity is neither - port knocking and changing default ports might look good on paper but they're utterly pointless.

Just secure your stuff properly in the first place!

Cheers

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
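As an added example (not part of the post above or of any DCLUG project), the script below turns the post's rules into a check that can be run before a box goes live, and reads the fail2ban log the way the post does with wc -l, but counting Ban events rather than every log line. The sshd_config keywords (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication, PubkeyAuthentication, LogLevel) are real sshd options; the two config files and the fail2ban log lines are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the list's rules and summarise
# fail2ban bans. All input files below are constructed samples.

# Check the first uncommented occurrence of each keyword (sshd uses the first
# value it sees for a keyword). A missing keyword counts as a failure, since
# the compiled-in default is not something you want to rely on.
# Prints one line per check and returns the number of failed checks.
# Assumes "Keyword value" syntax and ignores Match blocks.
audit_sshd_config() {
    cfg="$1"
    fails=0
    for pair in "PermitRootLogin=no" "PasswordAuthentication=no" \
                "ChallengeResponseAuthentication=no" \
                "PubkeyAuthentication=yes" "LogLevel=VERBOSE"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key ${got:-<unset>} (want $want)"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Count fail2ban Ban events and distinct banned IPs. A fail2ban log also
# carries Found/Unban/INFO lines, so wc -l overstates the number of bans.
count_bans() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "Ban") { bans++; ips[$(i + 1)] = 1 } }
         END { n = 0; for (ip in ips) n++
               printf "%d bans, %d distinct IPs\n", bans + 0, n }' "$1"
}

# Constructed sample inputs.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/weak.conf" <<'EOF'
# constructed sample: a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

cat > "$tmp/hard.conf" <<'EOF'
# constructed sample: sshd_config following the list's rules
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE
EOF

cat > "$tmp/fail2ban.log" <<'EOF'
2018-02-16 00:00:11,101 fail2ban.filter  [811]: INFO   [sshd] Found 203.0.113.5
2018-02-16 00:00:13,204 fail2ban.actions [811]: NOTICE [sshd] Ban 203.0.113.5
2018-02-16 00:02:40,512 fail2ban.actions [811]: NOTICE [sshd] Ban 198.51.100.77
2018-02-16 00:10:13,210 fail2ban.actions [811]: NOTICE [sshd] Unban 203.0.113.5
2018-02-16 00:15:02,004 fail2ban.actions [811]: NOTICE [sshd] Ban 192.0.2.9
2018-02-16 00:20:33,777 fail2ban.actions [811]: NOTICE [sshd] Ban 203.0.113.5
EOF

echo "== weak.conf =="
audit_sshd_config "$tmp/weak.conf" || echo "$? rule(s) violated"
echo "== hard.conf =="
audit_sshd_config "$tmp/hard.conf" || echo "$? rule(s) violated"
echo "== fail2ban.log =="
echo "wc -l says: $(wc -l < "$tmp/fail2ban.log") lines"
count_bans "$tmp/fail2ban.log"
```

Run it against a real /etc/ssh/sshd_config and /var/log/fail2ban.log by replacing the sample paths; the audit's exit status is the number of violated rules, so it drops straight into a pre-deployment check.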