Why do they say you shouldn't expose a sshd port to the internet? Instead, you should run your own vpn (your machine exposes a vpn port only), login to the vpn, and then access sshd through the local network.
Why so complicated? Do vpns have better coding and security practices than openssh? Are vpn protocols inherently safer than the ssh protocol?
 UFOs Are A Psyop Shirt $21.68 |
 |
UFOs Are A Psyop Shirt $21.68 |
its like exposing your butthole in a toiltet to the gloryhole and expect not to be fricked.
But you are still exposing your butthole in a toilet to the gloryhole, you just used 2 doors instead of 1 in order to get to the stall.
The point is that I control the first door. If I let you through, you may frick my ass. I'd rather have outsiders probing my door's lock than probing my ass.
>they
Literally who?
Just disable password auth and you're good to go.
Security experts. Even IQfy is parroting it.
I'm already running sshd with public key auth only.
Bots will spam your logs and brute force your ssh pwd with default logins
That doesn't happen with ssh over vpn
>Changes ssh port to 51515
>firewalls 22
heh nothing personell kid
I switched to ipv6 only for ssh and the logs are now clean. Also, the log spam doesn't really matter since using key based auth only they will never get in.
if you have password authentication enabled you deserve it
Also setting up an entire VPN server just so you can keep using password auth is so fricking dumb.
VPNs can do public key auth too.
I meant password auth on your SSH server that can't be accessed without tunneling through your VPN.
Because people who generally want to SSH to a public IP generally have a low level of understanding of the security risks involved.
Why bother opening up an attack vector you don't need to?
Why bother risking someone guessing a password from a weak service account or admin that can be had?
Why increase the log sizes of failed login attempts from <IP>:22?
Why bother increasing your IP tables and blocks to help harden that exposed port?
Why bother sending that traffic of what you are doing off of a VPN tunnel?
>Why so complicated? Do vpns have better coding and security practices than openssh?
it's not, VPN's can do a fair bit more inclusion though through various client side checks if X software is required. Enforce strict 2fa metrics, and so on. VPN is just easier for most people in the work force to stand by and implement.
You can go and expose it just know the risks. Most IQfy just doesn't care because they aren't thinking like a business and willing to take unneeded risks for the sake of ease.
>Why bother opening up an attack vector you don't need to?
VPN also is an attack vector.
>Why bother risking someone guessing a password from a weak service account or admin that can be had?
I only allow a single user.
>Why increase the log sizes of failed login attempts from <IP>:22?
I run it on a non-standard port. I get a failed login attempt like once a week.
>Why bother increasing your IP tables and blocks to help harden that exposed port?
My ISP router, which I can't control, acts as firewall. Other than that I have no unneeded ports open on machines where it matters.
>Why bother sending that traffic of what you are doing off of a VPN tunnel?
Indeed.
>Enforce strict 2fa metrics, and so on.
I suppose that's a real argument. sshd doesn't bother with such things.
>VPN also is an attack vector.
Most VPN equipment is pre-hardend out of the box for most companies and customers. Geoblocking for non %country% of sale is often blocked. Compared that to the jr sysadmin wannabe who just opens 22 to the world, they tend to be a bit safer. Not to mention you'd then need to compromise VPN, then map to the servers, then find the login for the server.
>I only allow a single user.
That's great most companies don't do that
>I run it on a non-standard port. I get a failed login attempt like once a week.
Congrats, this is basically the same as "werks for me"if you run a business finding your IP block isn't terribly hard and then scanning for services makes it a non issue. Not sure how much traffic your company gets.
>My ISP router, which I can't control, acts as firewall. Other than that I have no unneeded ports open on machines where it matters.
If you're just doing this from home most ISP's take care of a lot of things normal firewalls on corporate networks would do without you knowing. Much of the bot traffic is killed because they can just watch and kill it real time. You want to know true hell? Open a AWS instance then SSHD to the public with 0 geoblocking or rate limiting.
>I suppose that's a real argument. sshd doesn't bother with such things.
There are a bunch of others but you're looking at this from a home lab perspective not from a security of a company perspective.
>but you're looking at this from a home lab perspective not from a security of a company perspective.
Yes. I'm not running a company. This is just for home stuff. For a company I'd agree because it's a much more complicated setting. the small company I work for funnels everything through a VPN and I agree that it's a good idea.
What would you recommend to a user who wants to have an access to his files on desktop or server from his laptop?
Depends on the size of a company, why I would store user files on a desktop is silly it should be on the server. Lots of companies use citrix which has citrix files, allowing you to 2FA and then access a share for downloads/uploads from your file server to wherever.
VPN segmented network with mapped shares for the user can do wonders, though most will just use OneDrive or Google drive given how cheap it is and often included with email services.
Depends on the size of the company, budget, risks willing to accept and so on. During covid I had a company that was a small firm ~50 people, they just wanted a flat VPN accepted the risks of lack of network segregation and 2FA but opted for complex passphrase and rolled. Not ideal but whatever, worked for them
I'm not asking about a company use, I'm asking for personal use.
I merely want to have access to my desktop PC from my laptop from wherever I am as long as I have the internet connection.
>I'm not asking about a company use, I'm asking for personal use.
Then why use the term user? That generally implies business use case...
Team viewer is free does 2FA as well if you don't want to expose ports. When I digital nomad I just upload person docs to my google drive that I might need like my 2FA backup codes for access if my phone gets fricked. I do RDP+certificate login and only have the port open when I know I'll need them out and about.
There are still service level exploits possible that would negate what a key/cert only would allow remote access.
>Then why use the term user? That generally implies business use case...
Forgive my ESL, anon, might make a terminological mistake there and there, please be patient.
>TeamViewer
Might be a bit overkill for me, since I only really care about access to filesystem and don't really need GUI, but I'll take it into account.
>google-docs
Want to avoid proprietary services if I can. Trying to work under the principle of "not my server, not my data". Again, please be patient.
Thank you for the responses btw
>Want to avoid proprietary services if I can. Trying to work under the principle of "not my server, not my data".
That's fine but if you're working remotely not just having your projects sync to the free onedrive/google drive as well off your server is kinda silly. I basically have my D:sync folder replicate to google drive, if it went poof I'd still have my server / lab back home to get any documents or work on.
Your call.
>I merely want to have access to my desktop PC from my laptop from wherever I am as long as I have the internet connection
Definitely sounds like something you'd just want to use Wireguard for.
Not him but I use ssh tunnels for everything so I can run any insecure piece of shit server (like x11vnc) remotely without exposing any of its ports to the public.
Is it hard to set up? The usecase is
I don't think I'm gonna use VNC, I just care about having an access to my network folders on main machine, possibly a home server in the future.
Which protocol? With ssh you get sftp for free.
I'm mostly interested in ssh since sftp on local network works really nice. I just want to expand its reach to outside world. I know it's risky, so I'm taking my time and asking anons questions.
I see two answers in this thread:
>expose sshd to the internet and configure it absolutely correctly
>use wireguard without ssdh exposed to the internet
the effort to configure sshd absolutely correctly is at least as much, if not more involved than setting up a wireguard profile, there's literally no downside to doing the latter
Do both, use key authentication, but still keep it behind wireguard, now your shit is unfrickable. Also, put your guests/dumb home gadgets on a seperate vlan.
I sure wish my shitty ISP provided router supported vlans.
https://hackaday.com/2023/06/14/linux-fu-easy-and-easier-virtual-networking/#more-600234
Maybe this can give you ideas?
Most ISP provided routers at least give you a "guest" network, activate that. It's better than nothing, at least for isolating things that still need internet but not full network access.
>Why so complicated?
>wg-quick up wg0 is complicated
you're a moron
just change the port and enforce pub key login only and you're good to go
hell, as long as you change the port you're already skipping 95% of the chinese bots
>not using keys only
moron
Most certainly it is just a matter of the situation and most people fail to understand „why“.
If you have multiple servers and multiple services, like a company, VPN is logical. It is a additional gate in front of multiple servers which are hard to govern.
If you have just a single server and your single SSH port, VPN is almost nonsensical.
2FA clients over smartphone are non valid and the attack surface ist almost similar.
All inbetween is to decide for you
SSH over Internet is only iffy for large orgs, for personal use:
>use key authentication
>disable passwords
>use key authentication
>use a non-standard port (optional but handy)
>use key authentication
>keep your machine updooted for security fixes
>use key authentication
Do this and you will be fine.
it's bullshit, just make sure you're on a rolling distro so you get those security fixes and backdoors as soon as they're available
You can "do" whatever, it's all about threat models.
The reasoning for being careful with SSH is that Russian, Indian, Chinese, and Black folkkid bots constantly probe open ports for ones they might be able to break into. For this reason, it'd be objective good practice to create a non-root account, set up keyfiles, then disable public password and root auth. This raises the barrier to bruteforcing one's way into getting a free mail spamserver or botnet node considerably.
This is fine for SSH. There are other services that either should never be publicly available because they ARE typically vulnerable (uPNP, SMB) or need to secured extraordinarily well by hand to be publicly available (any database, VNC, RDP.) This is why your second order of business after securing SSH is setting up your firewall (beware of Docker breaking it)
If you have multiple machines, you set up Wireguard so they can talk to each other's private services, completely invisible to world unless you frick up control of keys.
But there are people for whom even secure SSH is too much, they are a big company or a big target, and have people in mind who very much want to frick with their machines in particular. This is where people tend to put SSH behind the VPN, so all people who want to access the server need additional credentials. This is better than knocks or simple port changes for group settings, but only you will know if you need it, and you very well might not. Also, if you are in a situation where there are other users that need to access and do things on your machine, that is where your bigger security concerns lay, and even this isn't enough because you probably gave them unlimited access.
>tl;dr cybersecurity is a complicated topic and you can easily waste infinite resources on problems you may not have, read installgentoo(setting up a server/remote access) for the most basic b***h guide on what to do, keep in mind what is public with shodan or censys, and sleep soundly
>Docker breaking it
How can it break it?
If you do 6942:6942 in arguments or compose file (so, listening on ALL interfaces,) it will ignore ufw and iptables. Even if you've told ufw to drop it, Docker will bind the port to your public IP, at least on Linux. This is really fricked if you're running a database or Redis or something in there.
I forget why exactly it's like this, and I'm pretty sure there's some way to configure it to stop it from behaving this way, but the best/easiest mitigation is arguably to just set an explicit IP to bind to.
Maybe localhost: 6942:127.0.0.1:6942
Or your Wireguard/Tailscale VPN: 6942:10.0.0.1:6942
Not even because of security, but because no one but you ever has reason to touch it
Mind you, Tailscale can do this for you if you don't care to do the setup yourself, requires account though, I currently do a hybrid with the intent of eventually migrating away
Try exposing the ssh port and read the logs to see what happens. The onslaught of bruteforcers is relentless.
helo sar, good morning and nice post! can you please disabling fail2ban?
it's fine exposed directly with key auth only, also consider range banning every country except yours at firewall level, unless you also host some website or something
Badness enumeration is worthless, and easily circumventable. If you actually lock down your stuff properly, you don't need to block anyone's IPs.
yeah, don't base the security on ip blocklist, but it's nice not to see chinks and russians in my logs
A whitelist that allows only IPs from your country should be fine and effective though.
Most people are going to be connecting to your shit over a VPN as well, you know.
don't ever expose your own IP on the raw without some forwarding and controll (typically a VPN) happening.
IPs have trackable locations and your equipment attached to it can have dozens of ports in that 64k range running services that might or might not have vulnerabilities. Not to mention chinesium TV boxes, outdated android phones and IOT devices that the router hooks up to might have their own open ports.
I use key auth. I do not allow password auth. Everything is fine. Nothing more is needed on my part.
https://openvpn.net/community-resources/hardening-openvpn-security/
When hearthbleed appeared, both ssh and open vpn were affected, but hardened open vpn with tls-auth was safe.
Using a Wireguard VPN means you only have to open one UDP port, which will only ever respond after you've authenticated.
If you only allow UDP connections to your VPN port (via firewall), nobody can even tell the server is online. (Except for anything you want public, of course.)
With SSH open publicly, an attacker at least gets an unsuccessful login response (plus some information like the version). When behind a VPN, they get nothing (and cannot exploit vulnerabilities or backdoors either).
The VPN should be separated to its own machine