echo: rberrypi
to: THE NATURAL PHILOSOPHER
from: ALISTER
date: 2020-10-28 09:35:00
subject: Re: Anydesk on raspi

On Wed, 28 Oct 2020 08:54:44 +0000, The Natural Philosopher wrote:

> On 28/10/2020 08:22, druck wrote:
>> On 27/10/2020 17:53, The Natural Philosopher wrote:
>>> On 27/10/2020 16:35, Scott Alfter wrote:
>>>> In article ,
>>>> The Natural Philosopher   wrote:
>>>>> I have sshd running wide open on two public servers. Although they
>>>>> are attacked constantly - several per second attempts - no one has
>>>>> ever guessed my username and password, which is the only one that
>>>>> allows a login...
>>>>
>>>> If you're logging into a public-facing server with your password,
>>>> you're doing it wrong.  Read up on SSH public-key authentication, and
>>>> set it up.
>>>> It's easy, and it's more secure than passwords.
>>
>> Seconded.
>>
>>> I use that mostly, yes. But I leave the odd backdoor open for when I
>>> am away from all devices that I own...
>>>
>>>
>>>> Also, if you don't already have it, set up fail2ban.  It'll ban IPs
>>>> that hammer your SSH server.
>>
>> A lighter weight alternative if you only have a limited set of ports
>> exposed to the world is sshguard.
>>
>>> To be honest, I am not sure that the fail2ban uses any less cycles
>>> than sshd when rejecting rubbish
>>>
>>>
>>> Let's put it this way. The amount of CPU and RAM used in rejecting
>>> ratware is less than is used in rejecting attempts to sntp relay and
>>> so on.
>>
>> Rejecting the connection at IP firewall level takes far less resources
>> than allowing an ssh session to be negotiated then failing after the
>> other end tries to login as root with a number of different common
>> passwords.
>>
>>> I make a point of not fixing problems I don't have.
>>
>> See how big your auth log can get to if you don't.
>
> Again, there is no shortage of disk space and it gets rotated.
>
>
>> ---druck
>>

Fail2ban effectively shuts the port, which, if the hacker is monitoring
what is happening, lets him know that he cannot make any further attempts,
which will stop him bothering your system & move on.
This should reduce the amount of wasted traffic your network has to deal
with.

It also reduces the time available for the hacker to identify any ssh
exploits that may have been discovered.

Security in depth.



--
Be sociable. Speak to the person next to you in the unemployment line
tomorrow.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)

SOURCE: echomail via QWK@docsplace.org
