ssh security

Why do they say you shouldn't expose a sshd port to the internet? Instead, you should run your own vpn (your machine exposes a vpn port only), login to the vpn, and then access sshd through the local network.

Why so complicated? Do vpns have better coding and security practices than openssh? Are vpn protocols inherently safer than the ssh protocol?


  1. 2 months ago
    Anonymous

    its like exposing your butthole in a toilet to the gloryhole and expect not to be fricked.

    • 2 months ago
      Anonymous

      But you are still exposing your butthole in a toilet to the gloryhole, you just used 2 doors instead of 1 in order to get to the stall.

      • 2 months ago
        Anonymous

        The point is that I control the first door. If I let you through, you may frick my ass. I'd rather have outsiders probing my door's lock than probing my ass.

  2. 2 months ago
    Anonymous

    >they
    Literally who?
    Just disable password auth and you're good to go.

    • 2 months ago
      Anonymous

      Security experts. Even IQfy is parroting it.

    • 2 months ago
      Anonymous

      Bots will spam your logs and brute force your ssh pwd with default logins
      That doesn't happen with ssh over vpn

      I'm already running sshd with public key auth only.

  3. 2 months ago
    Anonymous

    Bots will spam your logs and brute force your ssh pwd with default logins
    That doesn't happen with ssh over vpn

    • 2 months ago
      Anonymous

      >Changes ssh port to 51515
      >firewalls 22
      heh nothing personell kid

    • 2 months ago
      Anonymous

      I switched to ipv6 only for ssh and the logs are now clean. Also, the log spam doesn't really matter since using key based auth only they will never get in.

    • 2 months ago
      Anonymous

      if you have password authentication enabled you deserve it

    • 2 months ago
      Anonymous

      if you have password authentication enabled you deserve it

      Also setting up an entire VPN server just so you can keep using password auth is so fricking dumb.

      • 2 months ago
        Anonymous

        VPNs can do public key auth too.

        • 2 months ago
          Anonymous

          I meant password auth on your SSH server that can't be accessed without tunneling through your VPN.

  4. 2 months ago
    Anonymous

    Because people who generally want to SSH to a public IP generally have a low level of understanding of the security risks involved.

    Why bother opening up an attack vector you don't need to?
    Why bother risking someone guessing a password from a weak service account or admin that can be had?
    Why increase the log sizes of failed login attempts from <IP>:22?
    Why bother increasing your IP tables and blocks to help harden that exposed port?
    Why bother sending that traffic of what you are doing off of a VPN tunnel?

    >Why so complicated? Do vpns have better coding and security practices than openssh?
    it's not, VPNs can do a fair bit more inclusion though through various client side checks if X software is required. Enforce strict 2fa metrics, and so on. VPN is just easier for most people in the work force to stand by and implement.

    You can go and expose it just know the risks. Most IQfy just doesn't care because they aren't thinking like a business and willing to take unneeded risks for the sake of ease.

    • 2 months ago
      Anonymous

      >Why bother opening up an attack vector you don't need to?
      VPN also is an attack vector.
      >Why bother risking someone guessing a password from a weak service account or admin that can be had?
      I only allow a single user.
      >Why increase the log sizes of failed login attempts from <IP>:22?
      I run it on a non-standard port. I get a failed login attempt like once a week.
      >Why bother increasing your IP tables and blocks to help harden that exposed port?
      My ISP router, which I can't control, acts as firewall. Other than that I have no unneeded ports open on machines where it matters.
      >Why bother sending that traffic of what you are doing off of a VPN tunnel?
      Indeed.
      >Enforce strict 2fa metrics, and so on.
      I suppose that's a real argument. sshd doesn't bother with such things.

      • 2 months ago
        Anonymous

        >VPN also is an attack vector.
        Most VPN equipment is pre-hardened out of the box for most companies and customers. Geoblocking for non %country% of sale is often blocked. Compare that to the jr sysadmin wannabe who just opens 22 to the world; they tend to be a bit safer. Not to mention you'd then need to compromise VPN, then map to the servers, then find the login for the server.
        >I only allow a single user.
        That's great most companies don't do that
        >I run it on a non-standard port. I get a failed login attempt like once a week.
        Congrats, this is basically the same as "werks for me". If you run a business, finding your IP block isn't terribly hard, and then scanning for services makes it a non-issue. Not sure how much traffic your company gets.
        >My ISP router, which I can't control, acts as firewall. Other than that I have no unneeded ports open on machines where it matters.
        If you're just doing this from home most ISP's take care of a lot of things normal firewalls on corporate networks would do without you knowing. Much of the bot traffic is killed because they can just watch and kill it real time. You want to know true hell? Open an AWS instance then SSHD to the public with 0 geoblocking or rate limiting.
        >I suppose that's a real argument. sshd doesn't bother with such things.
        There are a bunch of others but you're looking at this from a home lab perspective not from a security of a company perspective.

        • 2 months ago
          Anonymous

          >but you're looking at this from a home lab perspective not from a security of a company perspective.
          Yes. I'm not running a company. This is just for home stuff. For a company I'd agree because it's a much more complicated setting. the small company I work for funnels everything through a VPN and I agree that it's a good idea.

        • 2 months ago
          Anonymous

          What would you recommend to a user who wants to have an access to his files on desktop or server from his laptop?

          • 2 months ago
            Anonymous

            Depends on the size of a company, why I would store user files on a desktop is silly it should be on the server. Lots of companies use citrix which has citrix files, allowing you to 2FA and then access a share for downloads/uploads from your file server to wherever.

            VPN segmented network with mapped shares for the user can do wonders, though most will just use OneDrive or Google drive given how cheap it is and often included with email services.

            Depends on the size of the company, budget, risks willing to accept and so on. During covid I had a company that was a small firm, ~50 people; they just wanted a flat VPN, accepted the risks of lack of network segregation and 2FA, but opted for complex passphrase and rolled. Not ideal but whatever, worked for them.

          • 2 months ago
            Anonymous

            I'm not asking about a company use, I'm asking for personal use.
            I merely want to have access to my desktop PC from my laptop from wherever I am as long as I have the internet connection.

          • 2 months ago
            Anonymous

            >I'm not asking about a company use, I'm asking for personal use.
            Then why use the term user? That generally implies business use case...

            Team viewer is free, does 2FA as well if you don't want to expose ports. When I digital nomad I just upload personal docs to my google drive that I might need, like my 2FA backup codes for access if my phone gets fricked. I do RDP+certificate login and only have the port open when I know I'll need them out and about.

            >not using keys only
            moron

            There are still service level exploits possible that would negate what a key/cert only would allow remote access.

          • 2 months ago
            Anonymous

            >Then why use the term user? That generally implies business use case...
            Forgive my ESL, anon, I might make a terminological mistake here and there, please be patient.

            >TeamViewer
            Might be a bit overkill for me, since I only really care about access to filesystem and don't really need GUI, but I'll take it into account.
            >google-docs
            Want to avoid proprietary services if I can. Trying to work under the principle of "not my server, not my data". Again, please be patient.

            Thank you for the responses btw

          • 2 months ago
            Anonymous

            >Want to avoid proprietary services if I can. Trying to work under the principle of "not my server, not my data".
            That's fine but if you're working remotely not just having your projects sync to the free onedrive/google drive as well off your server is kinda silly. I basically have my D:sync folder replicate to google drive, if it went poof I'd still have my server / lab back home to get any documents or work on.

            Your call.

          • 2 months ago
            Anonymous

            >I merely want to have access to my desktop PC from my laptop from wherever I am as long as I have the internet connection
            Definitely sounds like something you'd just want to use Wireguard for.

          • 2 months ago
            Anonymous

            Not him but I use ssh tunnels for everything so I can run any insecure piece of shit server (like x11vnc) remotely without exposing any of its ports to the public.

          • 2 months ago
            Anonymous

            Is it hard to set up? The usecase is

            I'm not asking about a company use, I'm asking for personal use.
            I merely want to have access to my desktop PC from my laptop from wherever I am as long as I have the internet connection.

            I don't think I'm gonna use VNC, I just care about having an access to my network folders on main machine, possibly a home server in the future.

          • 2 months ago
            Anonymous

            Which protocol? With ssh you get sftp for free.

          • 2 months ago
            Anonymous

            I'm mostly interested in ssh since sftp on local network works really nice. I just want to expand its reach to outside world. I know it's risky, so I'm taking my time and asking anons questions.

          • 2 months ago
            Anonymous

            I see two answers in this thread:
            >expose sshd to the internet and configure it absolutely correctly
            >use wireguard without sshd exposed to the internet

          • 2 months ago
            Anonymous

            the effort to configure sshd absolutely correctly is at least as much, if not more involved than setting up a wireguard profile, there's literally no downside to doing the latter

          • 2 months ago
            Anonymous

            Do both, use key authentication, but still keep it behind wireguard, now your shit is unfrickable. Also, put your guests/dumb home gadgets on a separate vlan.

          • 2 months ago
            Anonymous

            I sure wish my shitty ISP provided router supported vlans.

          • 2 months ago
            Anonymous

            https://hackaday.com/2023/06/14/linux-fu-easy-and-easier-virtual-networking/#more-600234

            Maybe this can give you ideas?

          • 2 months ago
            Anonymous

            Most ISP provided routers at least give you a "guest" network, activate that. It's better than nothing, at least for isolating things that still need internet but not full network access.

  5. 2 months ago
    Anonymous

    >Why so complicated?
    >wg-quick up wg0 is complicated
    you're a moron

  6. 2 months ago
    Anonymous

    just change the port and enforce pub key login only and you're good to go

    hell, as long as you change the port you're already skipping 95% of the chinese bots

  7. 2 months ago
    Anonymous

    >not using keys only
    moron

  8. 2 months ago
    Anonymous

    Most certainly it is just a matter of the situation and most people fail to understand „why“.

    If you have multiple servers and multiple services, like a company, VPN is logical. It is an additional gate in front of multiple servers which are hard to govern.

    If you have just a single server and your single SSH port, VPN is almost nonsensical.
    2FA clients over smartphone are non valid and the attack surface is almost similar.
    All in between is for you to decide.

  9. 2 months ago
    Anonymous

    SSH over Internet is only iffy for large orgs, for personal use:
    >use key authentication
    >disable passwords
    >use key authentication
    >use a non-standard port (optional but handy)
    >use key authentication
    >keep your machine updooted for security fixes
    >use key authentication
    Do this and you will be fine.

  10. 2 months ago
    Anonymous

    it's bullshit, just make sure you're on a rolling distro so you get those security fixes and backdoors as soon as they're available

  11. 2 months ago
    Anonymous

    You can "do" whatever, it's all about threat models.
    The reasoning for being careful with SSH is that Russian, Indian, Chinese, and Black folkkid bots constantly probe open ports for ones they might be able to break into. For this reason, it'd be objectively good practice to create a non-root account, set up keyfiles, then disable public password and root auth. This raises the barrier to bruteforcing one's way into getting a free mail spamserver or botnet node considerably.
    This is fine for SSH. There are other services that either should never be publicly available because they ARE typically vulnerable (uPNP, SMB) or need to be secured extraordinarily well by hand to be publicly available (any database, VNC, RDP.) This is why your second order of business after securing SSH is setting up your firewall (beware of Docker breaking it)
    If you have multiple machines, you set up Wireguard so they can talk to each other's private services, completely invisible to the world unless you frick up control of keys.
    But there are people for whom even secure SSH is too much, they are a big company or a big target, and have people in mind who very much want to frick with their machines in particular. This is where people tend to put SSH behind the VPN, so all people who want to access the server need additional credentials. This is better than knocks or simple port changes for group settings, but only you will know if you need it, and you very well might not. Also, if you are in a situation where there are other users that need to access and do things on your machine, that is where your bigger security concerns lie, and even this isn't enough because you probably gave them unlimited access.
    >tl;dr cybersecurity is a complicated topic and you can easily waste infinite resources on problems you may not have, read installgentoo(setting up a server/remote access) for the most basic b***h guide on what to do, keep in mind what is public with shodan or censys, and sleep soundly
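A small audit script, added here as an example and not taken from any poster, that checks an sshd_config for what posts 9 and 11 recommend (key-only login, passwords and root login off) and, for the "keep it behind WireGuard" setup, that sshd listens only on the VPN address; the two sample configs and the 10.0.0.1 address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only login,
# no passwords, no root login, and (optionally) sshd bound to the VPN address.
# Assumes plain "Keyword value" lines; Match blocks are ignored (conditional).

sshd_get() {
    # $1 = config file, $2 = keyword. sshd keeps the FIRST occurrence of a
    # keyword (case-insensitive), so a later "PasswordAuthentication yes" does
    # not override an earlier "no". Stops at the first Match block.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

sshd_audit() {
    # $1 = config file, $2 = expected ListenAddress ("" skips that check).
    # Prints one finding per line and returns 1 if anything is wrong.
    f="$1"; want="$2"; rc=0
    # Default is yes, so a missing keyword is as bad as an explicit yes.
    [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no' (password brute force possible)"; rc=1; }
    [ "$(sshd_get "$f" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication is disabled"; rc=1; }
    # With UsePAM, keyboard-interactive can still prompt for a password even when
    # PasswordAuthentication is no; older releases spell the keyword
    # ChallengeResponseAuthentication, so accept either.
    [ "$(sshd_get "$f" KbdInteractiveAuthentication)" = "no" ] ||
    [ "$(sshd_get "$f" ChallengeResponseAuthentication)" = "no" ] ||
        { echo "keyboard-interactive auth still enabled (PAM password prompts)"; rc=1; }
    case "$(sshd_get "$f" PermitRootLogin)" in
        ""|no|prohibit-password|without-password|forced-commands-only) ;;  # "" = default
        *) echo "PermitRootLogin permits root login"; rc=1 ;;
    esac
    [ -z "$want" ] || [ "$(sshd_get "$f" ListenAddress)" = "$want" ] ||
        { echo "sshd is not bound to the VPN address $want"; rc=1; }
    return $rc
}

# Constructed sample configs (not real files from the thread).
WEAK_CFG=$(mktemp); cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
HARD_CFG=$(mktemp); cat > "$HARD_CFG" <<'EOF'
ListenAddress 10.0.0.1
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
sshd_audit "$WEAK_CFG" "" || echo "weak config: findings listed above"
sshd_audit "$HARD_CFG" 10.0.0.1 && echo "hardened config: clean"
```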

    • 2 months ago
      Anonymous

      >Docker breaking it
      How can it break it?

      • 2 months ago
        Anonymous

        If you do 6942:6942 in arguments or compose file (so, listening on ALL interfaces,) it will ignore ufw and iptables. Even if you've told ufw to drop it, Docker will bind the port to your public IP, at least on Linux. This is really fricked if you're running a database or Redis or something in there.
        I forget why exactly it's like this, and I'm pretty sure there's some way to configure it to stop it from behaving this way, but the best/easiest mitigation is arguably to just set an explicit IP to bind to.
        Maybe localhost: 6942:127.0.0.1:6942
        Or your Wireguard/Tailscale VPN: 6942:10.0.0.1:6942
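An added example (not the poster's code) that scans a compose file for short-syntax port mappings with no host IP and prints the bound form; Docker's actual order is HOST_IP:HOST_PORT:CONTAINER_PORT, so the localhost version of 6942:6942 is 127.0.0.1:6942:6942. The compose file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find "ports:" entries in a compose file
# that carry no host IP. dockerd publishes those on 0.0.0.0 through its own
# iptables chains, which is how a container ends up reachable despite ufw.
# Only the short "- host:container" list form is parsed; long-form entries
# (target:/published:) are not handled.

compose_exposed_ports() {
    # $1 = compose file. Prints one unbound mapping per line.
    awk -v q="'" '
        /^[ \t]*ports:/ { inports = 1; next }
        inports && /^[ \t]*-[ \t]/ {
            m = $2; gsub("[\"" q "]", "", m)     # strip quotes
            if (m ~ /^\[/) next                   # [::1]:80:80 has an IPv6 host
            if (gsub(/:/, ":", m) >= 2) next      # ip:host:container, bound
            print m                               # host:container or bare port
            next
        }
        inports && !/^[ \t]*-/ { inports = 0 }    # left the ports: list
    ' "$1"
}

harden_mapping() {
    # $1 = mapping without host IP, $2 = address to bind to (127.0.0.1 or the
    # VPN address). A bare container port gets the same host port here; Docker
    # would otherwise pick a random host port on all interfaces.
    case "$1" in
        *:*) printf '%s:%s\n' "$2" "$1" ;;
        *)   printf '%s:%s:%s\n' "$2" "$1" "$1" ;;
    esac
}

# Constructed sample compose file (not from the thread).
COMPOSE=$(mktemp); cat > "$COMPOSE" <<'EOF'
services:
  cache:
    image: redis
    ports:
      - "6942:6942"
      - "6379"
  db:
    image: postgres
    ports:
      - "127.0.0.1:5432:5432"
      - '10.0.0.1:6943:6942/udp'
      - "[::1]:8080:80"
    environment:
      - POSTGRES_PASSWORD=example
EOF

compose_exposed_ports "$COMPOSE" | while read -r m; do
    echo "$m is published on every interface; use $(harden_mapping "$m" 127.0.0.1)"
done
```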

  12. 2 months ago
    Anonymous

    Not even because of security, but because no one but you ever has reason to touch it
    Mind you, Tailscale can do this for you if you don't care to do the setup yourself, requires account though, I currently do a hybrid with the intent of eventually migrating away

  13. 2 months ago
    Anonymous

    Try exposing the ssh port and read the logs to see what happens. The onslaught of bruteforcers is relentless.

    • 2 months ago
      Anonymous

      helo sar, good morning and nice post! can you please disabling fail2ban?

  14. 2 months ago
    Anonymous

    it's fine exposed directly with key auth only, also consider range banning every country except yours at firewall level, unless you also host some website or something

    • 2 months ago
      Anonymous

      Badness enumeration is worthless, and easily circumventable. If you actually lock down your stuff properly, you don't need to block anyone's IPs.

      • 2 months ago
        Anonymous

        yeah, don't base the security on ip blocklist, but it's nice not to see chinks and russians in my logs

      • 2 months ago
        Anonymous

        A whitelist that allows only IPs from your country should be fine and effective though.

        • 2 months ago
          Anonymous

          Most people are going to be connecting to your shit over a VPN as well, you know.

  15. 2 months ago
    Anonymous

    don't ever expose your own IP on the raw without some forwarding and control (typically a VPN) happening.
    IPs have trackable locations and your equipment attached to it can have dozens of ports in that 64k range running services that might or might not have vulnerabilities. Not to mention chinesium TV boxes, outdated android phones and IOT devices that the router hooks up to might have their own open ports.

  16. 2 months ago
    Anonymous

    I use key auth. I do not allow password auth. Everything is fine. Nothing more is needed on my part.

  17. 2 months ago
    Anonymous

    https://openvpn.net/community-resources/hardening-openvpn-security/
    When Heartbleed appeared, both ssh and OpenVPN were affected, but hardened OpenVPN with tls-auth was safe.

  18. 2 months ago
    Anonymous

    Using a Wireguard VPN means you only have to open one UDP port, which will only ever respond after you've authenticated.
    If you only allow UDP connections to your VPN port (via firewall), nobody can even tell the server is online. (Except for anything you want public, of course.)
    With SSH open publicly, an attacker at least gets an unsuccessful login response (plus some information like the version). When behind a VPN, they get nothing (and cannot exploit vulnerabilities or backdoors either).

  19. 2 months ago
    Anonymous

    The VPN should be separated to its own machine
