> VPN servers are considerably more effort to implement and maintain
> properly, but well worth it if you can.

I'm curious, would you suggest a VPN or tunnelling desktop traffic over SSH as a more secure method to gain 'local' GUI access remotely? It's obviously possible to do a lot via SSH, but in the instance of wanting a desktop experience remotely, do you think one creates a greater attack surface than the other?

> And finally, security through obscurity is neither - port knocking and
> changing default ports might look good on paper but they're utterly
> pointless. Just secure your stuff properly in the first place!

Do you think there's ever a case to use port knocking? I view it as a further layer through which bad actors must pass before gaining access to the desired services. Not obscurity per se, but a way of helping to mitigate bugs which invariably exist in most services by increasing the complexity involved in gaining unauthorised access to them in the first instance.

I changed the default SSH port for years before realising it was a stupid idea, not least because of this: https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

That piece started a significant change in the way I thought about and researched securing systems.

On 16 February 2018 19:33:57 GMT+00:00, mr meowski <mr.meowski@xxxxxxxx> wrote:
> On 16/02/18 14:42, Mark Williams wrote:
>
> SSH + VPNs are sooooooo useful - the barrier to entry for SSH access to
> a given network particularly is so low that anyone can do it.
>
> However...
>
> Like any tool - and this is a *really* powerful, useful tool - the
> potential damage you can do is immense so you need to understand what
> you're doing before you open TCP:22 on the firewall to the entire
> internet. SSHD like any other tool, but perhaps considerably more than
> most, will cut you very very badly if you hold it wrong.
>
> If anyone is interested in implementing this I implore you to test the
> living crap out of it on an internal system or VM extensively first
> though to get to grips with the technology and make sure you know what
> you're doing. The second you "go live" and expose your stuff to the
> actual internet, even if it's 'only' a couple of filtered ports on your
> firewall, you're in a different world. One with shodan, botnets and SSH
> brute forcing and DDOSing.
>
> Let's see what my workstation says about today so far (I rotate my
> fail2ban logs daily because of the sheer amount of traffic):
>
> ghost@failbot:~$ wc -l /var/log/fail2ban.log
> 179 /var/log/fail2ban.log
>
> So 179 banned IPs for attempting SSH logins (this box is "live" on the
> internet as a listening SSHD) since 00:00 and I'm honestly surprised
> it's that low - I routinely see tens of thousands attempts per day on
> some systems including my own when the botnets are busy.
>
> The general rules for SSHD are the same simple ones as ever really:
>
> 1: no root access (EVER)
> 2: no password/interactive logins
> 3: issue pass-protected client SSH certificates for ALL clients
> 4: LOG EVERYTHING!
> 5: read your logs
> 6: use iptables, fail2ban or whatever to aggressively ban bad actors
>
> And finally, security through obscurity is neither - port knocking and
> changing default ports might look good on paper but they're utterly
> pointless. Just secure your stuff properly in the first place!
>
> Cheers
>
> --
> The Mailing List for the Devon & Cornwall LUG
> https://mailman.dclug.org.uk/listinfo/list
> FAQ: http://www.dcglug.org.uk/listfaq

--
Sent from my mobile device. Please excuse my brevity.
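The sshd rules in the quoted list (rules 1, 2 and 4: no root login, no password or interactive logins, keys only, log everything) expressed as an audit of an sshd_config file. This is an added example, not code from anyone in the thread; the two config texts are constructed, the expected values are an assumed policy, and the defaults are OpenSSH's documented ones. It honours sshd's rule that the first occurrence of a keyword wins, which is exactly how a "hardening" line appended below an older one silently fails.

```python
import re

# Constructed sample: looks partly hardened but is not (not from any real host).
SAMPLE_SSHD_CONFIG = """\
# Port is left at the default 22 on purpose
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
LogLevel INFO
# Appended later: ignored, because sshd keeps the FIRST value per keyword
PermitRootLogin no
"""

# Constructed sample that satisfies the policy below.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE
"""

# Assumed policy for this audit (keyword -> accepted values, lower-cased).
REQUIRED = {
    "permitrootlogin": ("no",),                 # rule 1: no root access
    "passwordauthentication": ("no",),          # rule 2: no password logins
    "kbdinteractiveauthentication": ("no",),    # rule 2: no interactive logins
    "pubkeyauthentication": ("yes",),           # rule 3: keys/certs only
    "loglevel": ("verbose",),                   # rule 4: log everything
}

# OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "loglevel": "info",
}

def parse_sshd_config(text):
    """Effective global values: first occurrence of each keyword wins,
    keywords are case-insensitive, 'key value' or 'key=value' both parse,
    and parsing stops at the first Match block (its settings are conditional)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":   # legacy alias in OpenSSH
            key = "kbdinteractiveauthentication"
        effective.setdefault(key, value)                # first value wins
    return effective

def audit(text):
    """Return a list of (keyword, actual, expected) for every violated rule."""
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED.items():
        actual = effective.get(key, DEFAULTS[key]).lower()
        if actual not in allowed:
            findings.append((key, actual, allowed[0]))
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a box you administer and compare with `sshd -T`, which prints the values sshd actually resolved.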