SSH Protection

HN-Matt

New Member
Verified Provider
1) Create extremely complex passwords and store them openly in plaintext as bait.

2) useradd matt; passwd matt; gpasswd -a matt wheel [or whatever variant depending on your OS].

3) open /etc/ssh/sshd_config &


AllowUsers [email protected]<YOU.RIPADD.RE.SS>
PermitRootLogin no
PasswordAuthentication yes
4) ???

5) Profit!
 
 

texteditor

Premium Buffalo-based Hosting
Changing the SSH port actually does give more benefit than just 'security through obscurity'.  Not wasting resources on SSH Brutes is one example.  So yes, using a non-standard port should be part of everyone's basic SSH security.
Thank fuck someone said it. In every discussion about SSH there's always one idiot saying changing SSH port is worthless, but it really keeps the logs clean.
 

dcdan

New Member
Verified Provider
Reminded me of how I got beaten on LET over introducing automated ssh port change to our brands - same shit, everyone was teaching us how we should stick with port 22 and we are dumb etc.

Since then I went quiet on this topic (and many other topics for that matter) as all you get in return is beating plus some DDoS for good measure.
 

HalfEatenPie

The Irrational One
Retired Staff
Reminded me of how I got beaten on LET over introducing automated ssh port change to our brands - same shit, everyone was teaching us how we should stick with port 22 and we are dumb etc.

Since then I went quiet on this topic (and many other topics for that matter) as all you get in return is beating plus some DDoS for good measure.
Honestly I wouldn't be too worried about it.  If they want to operate it their way then good for them.  Automated port change is irritating and in my opinion is something that should be left for the client but the fact that you took the initiative and the steps to protect your clients is probably worth much more than some randos on the internet bitching at you about it.

tldr: You do you Glen Coco
 

texteditor

Premium Buffalo-based Hosting

HN-Matt

New Member
Verified Provider
Same. I've never really used 'DenyUsers' either, but it seems like an interesting extra precaution to take (i.e. I got guilt tripped into the No Joke Zone again and had to come up with something to offset the malfunctioning karmabot).
 

Husky

Verified Dog
Verified Provider
...and remember to add the new port to your firewall


iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 2345 -j ACCEPT

out before the inevitable debate on whether security through obscurity works begins.
Kinda useless without a drop rule too, unless your iptables has the INPUT chain drop by default.

In any case hosts.deny works just as well, although if you want it to silently drop I'd use iptables. I think hosts.deny returns some sort of ICMP rejection, giving a hint something is listening on that port.
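
The point about the missing drop rule, as an added example that is not part of the thread: a shell function that reads `iptables-save` output and reports whether the ACCEPT rule for the SSH port actually restricts anything. The function name `check_port_rule` and the three sample rulesets are constructed for illustration; port 2345 is the one from the quoted rule.

```shell
#!/bin/sh
# Added example: classify what the filter INPUT chain in `iptables-save`
# output does with new TCP connections to one port. Simplification: only
# "--dport PORT -j ACCEPT" rules, match-less DROP/REJECT rules and the chain
# policy are considered. Returns 0 = filtered, 1 = open, 2 = blocked.
check_port_rule() {
    awk -v port="$1" '
        /^\*/ { in_filter = ($1 == "*filter"); next }   # table header
        !in_filter { next }
        $1 == ":INPUT" { policy = $2; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            target = ""; dport = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
            }
            # A rule with no match options ("-A INPUT -j DROP") catches everything.
            deny_all = ($3 == "-j" && (target == "DROP" || target == "REJECT"))
            if (deny_all) default_deny = 1
            # Rules are checked in order, so the first decisive one wins.
            if (fate == "" && dport == port && target == "ACCEPT") fate = "accept"
            else if (fate == "" && deny_all) fate = "deny"
        }
        END {
            if (policy == "DROP") default_deny = 1
            if (fate == "") fate = (policy == "DROP") ? "deny" : "accept"
            if (fate == "deny") { print "blocked: port " port " is dropped"; exit 2 }
            if (default_deny)   { print "filtered: default deny, port " port " accepted"; exit 0 }
            print "open: nothing is dropped, so the ACCEPT rule changes nothing"; exit 1
        }'
}
# Constructed samples: the quoted rule on a policy-ACCEPT chain, the same rule
# under a DROP policy, and the rule placed after a catch-all DROP.
RULES_ACCEPT_ONLY='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2345 -j ACCEPT
COMMIT'
RULES_DEFAULT_DROP='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2345 -j ACCEPT
COMMIT'
RULES_WRONG_ORDER='*filter
:INPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2345 -j ACCEPT
COMMIT'
printf '%s\n' "$RULES_ACCEPT_ONLY" | check_port_rule 2345 || true
```

On a live host the input would come from `iptables-save | check_port_rule 2345`; a "blocked" verdict before restarting sshd on the new port means the change would lock you out.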
 

GalaxyHostPlus

New Member
Verified Provider
I would use key based auth if my panels would support it.

These few modifications for my own use for this ssh protection, so far no issues for it.
 

emdad

New Member
I would use key based auth if my panels would support it.

These few modifications for my own use for this ssh protection, so far no issues for it.
Is panel support really necessary? It's a single line command to transfer the rsa public file and then configure no pass based access...

cat ~/.ssh/id_rsa.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
 