
Re: [LUG] File Sharing


>VPN servers are considerably more effort to implement and maintain
>properly, but well worth it if you can.

I'm curious, would you suggest a VPN or tunnelling desktop traffic over SSH as a 
more secure method to gain 'local' GUI access remotely? It's obviously possible to 
do a lot via SSH but in the instance of wanting a desktop experience remotely, do 
you think one creates a greater attack surface than the other?

>And finally, security through obscurity is neither - port knocking and
>changing default ports might look good on paper but they're utterly
>pointless. Just secure your stuff properly in the first place!

Do you think there's ever a case to use port knocking? I view it as a further layer 
through which bad actors must pass, before gaining access to the desired services. 
Not obscurity per se but a way of helping to mitigate bugs which invariably exist in 
most services by increasing the complexity involved in gaining unauthorised access 
to them in the first instance.

I changed the default SSH port for years before realising it was a stupid idea, not 
least because of this: 
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

That piece started a significant change in the way I thought about and researched 
securing systems.


On 16 February 2018 19:33:57 GMT+00:00, mr meowski <mr.meowski@xxxxxxxx> wrote:
>On 16/02/18 14:42, Mark Williams wrote:
>
>SSH + VPNs are sooooooo useful - the barrier to entry for SSH access to
>a given network particularly is so low that anyone can do it.
>
>However...
>
>Like any tool - and this is a *really* powerful, useful tool - the
>potential damage you can do is immense so you need to understand what
>you're doing before you open TCP:22 on the firewall to the entire
>internet. SSHD like any other tool, but perhaps considerably more than
>most, will cut you very very badly if you hold it wrong.
>
>
>If anyone is interested in implementing this I implore you to test the
>living crap out of it on an internal system or VM extensively first
>though to get to grips with the technology and make sure you know what
>you're doing. The second you "go live" and expose your stuff to the
>actual internet, even if it's 'only' a couple of filtered ports on your
>firewall, you're in a different world. One with shodan, botnets and SSH
>brute forcing and DDOSing.
>
>Let's see what my workstation says about today so far (I rotate my
>fail2ban logs daily because of the sheer amount of traffic):
>
>ghost@failbot:~$ wc -l /var/log/fail2ban.log
>179 /var/log/fail2ban.log
>
>So 179 banned IPs for attempting SSH logins (this box is "live" on the
>internet as a listening SSHD) since 00:00 and I'm honestly surprised
>it's that low - I routinely see tens of thousands of attempts per day on
>some systems including my own when the botnets are busy.
>
>The general rules for SSHD are the same simple ones as ever really:
>
>1: no root access (EVER)
>2: no password/interactive logins
>3: issue pass-protected client SSH certificates for ALL clients
>4: LOG EVERYTHING!
>5: read your logs
>6: use iptables, fail2ban or whatever to aggressively ban bad actors
>
>And finally, security through obscurity is neither - port knocking and
>changing default ports might look good on paper but they're utterly
>pointless. Just secure your stuff properly in the first place!
>
>Cheers
>
>-- 
>The Mailing List for the Devon & Cornwall LUG
>https://mailman.dclug.org.uk/listinfo/list
>FAQ: http://www.dcglug.org.uk/listfaq

-- 
Sent from my mobile device. Please excuse my brevity.
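The quoted SSHD rules (no root login, no password/interactive logins, key or certificate auth, log everything) can be checked against a server's effective configuration. The script below is an added example, not code from either poster; it assumes the input is the `keyword value` lines printed by `sshd -T`, and both sample configurations are constructed. Rule 3's passphrase protection lives on the client, so the server side can only be checked for key/certificate authentication being enabled.

```python
# Audit an effective sshd configuration (as printed by `sshd -T`) against
# the thread's rules 1, 2 and 4. Rule 3 (passphrase-protected keys/certs) is
# a client-side property, so the server is only checked for key auth on.
from typing import Dict, List

# keyword (lowercase, as `sshd -T` prints it) -> (accepted values, rule)
RULES = {
    "permitrootlogin": ({"no"}, "rule 1: no root login"),
    "passwordauthentication": ({"no"}, "rule 2: no password logins"),
    "kbdinteractiveauthentication": ({"no"}, "rule 2: no interactive logins"),
    "pubkeyauthentication": ({"yes"}, "rule 3: key/certificate auth enabled"),
    "loglevel": ({"verbose"}, "rule 4: LogLevel VERBOSE records key fingerprints"),
}

def parse_sshd_t(output: str) -> Dict[str, str]:
    """Parse `sshd -T` output (one `keyword value` per line) into a dict."""
    conf: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip().lower()
    return conf

def audit(output: str) -> List[str]:
    """One finding per violated rule; an empty list means the config passes."""
    conf = parse_sshd_t(output)
    return [
        f"{rule}: {key} is '{conf.get(key, '<unset>')}'"
        for key, (ok_values, rule) in RULES.items()
        if conf.get(key, "<unset>") not in ok_values
    ]

# Constructed sample: a stock-looking config that breaks most of the rules
WEAK = """\
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
loglevel INFO
"""

# Constructed sample: the same host after applying the list's rules
HARDENED = """\
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
loglevel VERBOSE
"""
```

Run it against real output with `audit(subprocess.check_output(["sshd", "-T"], text=True))` on the host being checked; an unset keyword is reported as `<unset>` rather than silently assumed safe.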
