Re: [tlug] remote access to server
- Date: Sat, 3 Jun 2017 09:32:05 +0200
- From: Kalin KOZHUHAROV <me.kalin@example.com>
- Subject: Re: [tlug] remote access to server
- References: <1a3aa51d-c95d-a22e-3d3d-4e931f4bfd38@me.scn-net.ne.jp> <44b3dcf48ba9ae82094aebbdf1cd2229@jp.sometwo.net>
Hello,

All great advice from Furkan! Adding some classification and extra tips below:
(Hint: the points given represent my view; they show how recommended certain advice is, taking into consideration security gain, implementation effort and usability.)

On Sat, Jun 3, 2017 at 7:59 AM, Furkan Mustafa <furkan@example.com> wrote:
> * Disable password login from /etc/ssh/sshd_config and use only public
> key authentication.
>
[add improve authentication method]: +10p
Hey, it is 2017, why do you (still) use passwords? You like typing them or what :-D ?

> * Install fail2ban
>
[add active monitoring/rate-limit connections]: +2p

> * They won't be guessing your username/password. These kids try this
> forever. No need to worry IMHO.
>
:-^/

> * Also, changing your ssh port from 22 to something else reduces this
> almost down to zero.
>
[add (a tiny bit of) obfuscation]: +1p
I'd say "strongly reduces it".

> * Also, some people install tor to their servers, and publish their ssh
> access as a tor hidden service, and connect to their servers over tor.
> Only if you need to go extreme I guess.
>
[add (more) obfuscation]: +1p
Never used that; it might add quite some latency and make ssh painful, IMHO.

A few more:

* [add extra layer of AAA]: +5p
Add wireguard ( https://www.wireguard.io/ ), but ONLY if you are OK with bleeding edge software. Then configure your sshd to be reachable only via the tunnel (use iptables/nftables, "ListenAddress" in sshd_config, etc). For the skiddies your port 22 will be closed; first they need to guess your private key for wireguard and then your private key for sshd.
(Once wireguard is stable, it will be +50p, but for now the development/release cycle is too high-paced for non-devs doing admin work on a production environment.)

* [add more obfuscation]: +3p
Add port-knocking (e.g. http://www.zeroflux.org/projects/knock ) with a longer knock sequence; this will really make it hard, unless you post your knock sequence on-line :-)

Cheers,
Kalin.
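As an added example (not code from Kalin, Furkan or the TLUG thread), here is a POSIX shell script that renders the two pieces of configuration the reply describes, an sshd_config drop-in that turns off password and keyboard-interactive authentication and binds sshd only to the WireGuard tunnel address, plus an nftables table that accepts port 22 only on the tunnel interface, and an audit function that checks an existing sshd_config for the same settings. The interface name wg0, the tunnel address 10.10.0.1 and the drop-in path are assumptions for the example, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original mail. Implements the advice
# "public-key only, sshd reachable only via the WireGuard tunnel" as a
# config fragment, an nftables ruleset, and an audit of an sshd_config.
# Assumed (not from the page): interface wg0, server tunnel address 10.10.0.1,
# drop-in path /etc/ssh/sshd_config.d/50-hardening.conf.

WG_IF="${WG_IF:-wg0}"
WG_ADDR="${WG_ADDR:-10.10.0.1}"

# First effective value of a keyword: sshd honours the first occurrence,
# keywords are case-insensitive, and commented-out lines do not count.
# (Match blocks can still override this; read the result with that in mind.)
_first_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_config drop-in. ListenAddress restricts sshd to the tunnel address;
# with a ListenAddress that does not exist yet at boot sshd fails to start,
# so wg0 must come up before sshd (or keep a console fallback).
render_sshd_conf() {
    cat <<EOF
# /etc/ssh/sshd_config.d/50-hardening.conf (assumed path; needs an Include)
ListenAddress ${WG_ADDR}:22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitRootLogin no
MaxAuthTries 3
EOF
}

# nftables: accept ssh only if it arrives over the tunnel, drop it elsewhere.
render_nft_rules() {
    cat <<EOF
table inet ssh_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "${WG_IF}" tcp dport 22 accept
        tcp dport 22 drop
    }
}
EOF
}

# Audit an sshd_config file. Prints findings; returns 0 only when all pass.
audit_sshd_conf() {
    f="$1"; rc=0
    # An absent keyword means sshd's default applies, which is "yes" here.
    if [ "$(_first_value "$f" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication must be 'no' (sshd default is yes)"; rc=1
    fi
    # Newer OpenSSH spells this KbdInteractiveAuthentication; accept either.
    cr=$(_first_value "$f" KbdInteractiveAuthentication)
    if [ -z "$cr" ]; then cr=$(_first_value "$f" ChallengeResponseAuthentication); fi
    if [ "$cr" != "no" ]; then
        echo "FAIL: keyboard-interactive/challenge-response auth must be 'no'"; rc=1
    fi
    case "$(_first_value "$f" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin should be 'no' or 'prohibit-password'"; rc=1 ;;
    esac
    la=$(_first_value "$f" ListenAddress)
    case "$la" in
        "") echo "FAIL: no ListenAddress, sshd binds every address, not just the tunnel"; rc=1 ;;
        0.0.0.0*|"[::]"*|::) echo "FAIL: ListenAddress $la is a wildcard"; rc=1 ;;
        "$WG_ADDR"|"$WG_ADDR":*) ;;
        *) echo "WARN: ListenAddress $la is not the tunnel address $WG_ADDR" ;;
    esac
    return "$rc"
}

# Usage:  sh ssh_tunnel_only.sh render
#         sh ssh_tunnel_only.sh audit /etc/ssh/sshd_config
case "${1:-}" in
    render) render_sshd_conf; echo; render_nft_rules ;;
    audit)  audit_sshd_conf "$2" ;;
esac
```

Run `sshd -T` after installing the drop-in to see the merged effective values, since the audit only reads one file and does not follow Include or Match. The nftables rule is the belt to ListenAddress's braces: if someone later removes the ListenAddress line, port 22 is still unreachable from outside the tunnel.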
- References:
- [tlug] remote access to server
- From: Kevin Sullivan
- Re: [tlug] remote access to server
- From: Furkan Mustafa