SSH Protection

[HN-Matt]

1) Create extremely complex passwords and store them openly in plaintext as bait.

2) useradd matt; passwd matt; gpasswd -a matt wheel [or whatever variant depending on your OS].

3) open /etc/ssh/sshd_config &


AllowUsers matt@<YOU.RIPADD.RE.SS>
PermitRootLogin no
PasswordAuthentication yes
4) ???

5) Profit!
 

 

[HN-Matt]

1) Enclose self and laptop in Faraday cage.

 

2) Locate the "PuTTY Download Page" in Google.

 

3) Download PuTTY, Pageant and PuTTYgen (do not exit the Faraday cage while these files are downloading...)

 

4) https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users

 

[Aldryic C'boas]

Why are you so bent on being the new community troll?

 

[HN-Matt]

@Aldryic C'boas sorry sir, just tryin to have a laugh. http://i.imgur.com/KfFZcrf.png & etc (via).

Must be all the wildfires this summer. Guess I'll click 'Thank You' on @trueman1's v helpful post and take my leave.

 

[texteditor]

Changing the SSH port actually does give more benefit than just 'security through obscurity'.  Not wasting resources on SSH Brutes is one example.  So yes, using a non-standard port should be part of everyone's basic SSH security.

Thank fuck someone said it. In every discussion about SSH there's always one idiot saying changing SSH port is worthless, but it really keeps the logs clean

 

[dcdan]

Reminded me of how I got beaten on LET over introducing automated ssh port change to our brands - same shit, everyone was teaching us how we should stick with port 22 and we are dumb etc.

Since then I went quiet on this topic (and many other topics for that matter) as all you get in return is beating plus some DDoS for good measure.

 

[HalfEatenPie]

Reminded me of how I got beaten on LET over introducing automated ssh port change to our brands - same shit, everyone was teaching us how we should stick with port 22 and we are dumb etc.

Since then I went quiet on this topic (and many other topics for that matter) as all you get in return is beating plus some DDoS for good measure.

Honestly I wouldn't be too worried about it.  If they want to operate it their way then good for them.  Automated port change is irritating and in my opinion is something that should be left for the client but the fact that you took the initiative and the steps to protect your clients is probably worth much more than some randos on the internet bitching at you about it.

tldr: You do you Glen Coco

 

[HN-Matt]

For a non-troll post, you can always try 'DenyUsers'.


DenyUsers root test admin guest nobody www www-data x blah blah etc
nixCraft explains it better than I: http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html

 

[texteditor]

For a non-troll post, you can always try 'DenyUsers'.


DenyUsers root test admin guest nobody www www-data x blah blah etc
nixCraft explains it better than I: http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html

Maybe it's because I don't have a lot of SSH-enabled users on any of my VPS/servers, but I always whitelist with AllowUsers/AllowGroups and use PermitRootLogin no to keep root out

 

[HN-Matt]

Same. I've never really used 'DenyUsers' either, but it seems like an interesting extra precaution to take (i.e. I got guilt tripped into the No Joke Zone again and had to come up with something to offset the malfunctioning karmabot).

 

[Husky]

...and remember to add the new port to your firewall


iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 2345 -j ACCEPT

out before the inevitable debate on whether security through obscurity works begins.

Kinda useless without a drop rule too, unless your iptables has the INPUT chain drop by default.

In anycase hosts.deny works just as well although if you want it to silently drop I'd use iptables, I think hosts.deny returns some sort of ICMP rejection, giving a hint something is listening on that port.

 

[GalaxyHostPlus]

I would use key based auth if my panels would support it.

This few modifications for my own use for this ssh protection so far no issues for it.

 

[kunnu]

service sshd stop

And Use VNC

 

[emdad]

I would use key based auth if my panels would support it.

This few modifications for my own use for this ssh protection so far no issues for it.

Is panel supporting really necessary? It's a single line command to transfer the rsa public file and then configure no pass based access... 

cat ~/.ssh/id_rsa.pub | ssh user@IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2