Re: [tlug] remote access to server


All great advice from Furkan!

Adding some classification and extra tips below:
(Hint: the points given represent my view; they show how recommended
certain advice is, taking into consideration security gain,
implementation effort and usability)

On Sat, Jun 3, 2017 at 7:59 AM, Furkan Mustafa <> wrote:
> * Disable password login from /etc/ssh/sshd_config and use only public
> key authentication.
[add improve authentication method]: +10p
Hey it is 2017, why do you (still) use passwords? You like typing them
or what :-D ?

> * Install fail2ban
[add active monitoring/rate-limit connections]: +2p

> * They won't be guessing your username/password. These kids try this
> forever. No need to worry IMHO.

> * Also, changing your ssh port from 22 to something else reduces this
> almost down to zero.
[add (a tiny bit of) obfuscation]: +1p
I'd say "strongly reduces it".

> * Also, some people install tor to their servers, and publish their ssh
> access as a tor hidden service, and connect to their servers over tor.
> Only if you need to go extreme I guess.
[add (more) obfuscation]: +1p
Never used that, might add quite some latency and make ssh painful, IMHO.

Few more:

* [add extra layer of AAA]: +5p Add wireguard ( ), but ONLY if you are OK with bleeding edge
Then configure your sshd to be reachable only via the tunnel (use
iptables/nftables, "ListenAddress" in sshd_config, etc).
For the skiddies your port 22 will be closed, first they need to guess
your private key for wireguard and then your private key for sshd.
(once wireguard is stable, it will be +50p, but for now the
development/release cycle is too high-paced for non-devs doing admin
work on production environment)

* [add more obfuscation]: +3p add port-knocking (e.g. ) with a longer knock sequence,
this will really make it hard, unless you don't post your knock
sequence on-line :-)
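An added example, not part of the thread above and not Furkan's or the reply author's own config: a POSIX shell script that audits an sshd_config against the advice in this reply (no password or challenge-response logins, root only by key, sshd bound to a single address) and prints a matching hardened sshd_config plus an nftables ruleset that exposes port 22 only on the tunnel. The WireGuard interface name wg0, the tunnel address 10.8.0.1, the WireGuard UDP port 51820 and the sample configs are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: wg0 / 10.8.0.1 / udp 51820.

# Effective value of an sshd_config keyword: sshd(8) uses the first
# uncommented match, so we print that one and stop. Prints "" if unset.
sshd_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Count deviations from the advice in the thread. Absent keywords are
# treated as their OpenSSH defaults (password/challenge-response "yes",
# pubkey "yes", PermitRootLogin "prohibit-password"). Findings go to
# stderr, the count to stdout.
audit_sshd_config() {
  cfg="$1"; n=0
  v=$(sshd_value "$cfg" PasswordAuthentication)
  [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication is not 'no'" >&2; n=$((n+1)); }
  v=$(sshd_value "$cfg" ChallengeResponseAuthentication)
  [ "${v:-yes}" = "no" ] || { echo "ChallengeResponseAuthentication is not 'no'" >&2; n=$((n+1)); }
  v=$(sshd_value "$cfg" PubkeyAuthentication)
  [ "${v:-yes}" = "yes" ] || { echo "PubkeyAuthentication is disabled" >&2; n=$((n+1)); }
  v=$(sshd_value "$cfg" PermitRootLogin)
  case "${v:-prohibit-password}" in
    no|prohibit-password) ;;
    *) echo "PermitRootLogin allows password root login" >&2; n=$((n+1)) ;;
  esac
  # Only the first ListenAddress is inspected; sshd allows several.
  v=$(sshd_value "$cfg" ListenAddress)
  [ -n "$v" ] && [ "$v" != "0.0.0.0" ] && [ "$v" != "::" ] \
    || { echo "ListenAddress is not restricted to the tunnel" >&2; n=$((n+1)); }
  echo "$n"
}

# sshd_config fragment implementing the thread's advice (assumed tunnel IP).
hardened_sshd_config() {
  cat <<'EOF'
Port 22
ListenAddress 10.8.0.1
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
EOF
}

# nftables ruleset: drop everything except the WireGuard UDP port on the
# public side and ssh arriving through wg0 (assumed names/ports).
nft_ruleset() {
  cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    udp dport 51820 accept
    iifname "wg0" tcp dport 22 accept
  }
}
EOF
}

# Constructed sample: a stock-looking sshd_config with password logins on.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CFG="$WORK/sshd_config.weak"
HARD_CFG="$WORK/sshd_config.hardened"
cat >"$WEAK_CFG" <<'EOF'
# constructed sample, not a real host's config
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
hardened_sshd_config >"$HARD_CFG"

echo "weak config findings: $(audit_sshd_config "$WEAK_CFG")"
echo "hardened config findings: $(audit_sshd_config "$HARD_CFG")"
nft_ruleset
```

Run it against a real /etc/ssh/sshd_config by calling audit_sshd_config on that path; a non-zero count means one of the points above still applies. Apply the nft ruleset before switching ListenAddress, and keep an existing session open while testing so a mistake in the tunnel does not lock you out.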


