On 28/10/2020 09:35, alister wrote:
> On Wed, 28 Oct 2020 08:54:44 +0000, The Natural Philosopher wrote:
>
>> On 28/10/2020 08:22, druck wrote:
>>> On 27/10/2020 17:53, The Natural Philosopher wrote:
>>>> On 27/10/2020 16:35, Scott Alfter wrote:
>>>>> In article ,
>>>>> The Natural Philosopher wrote:
>>>>>> I have sshd running wide open on two public servers. Although they
>>>>>> are attacked constantly - several per second attempts - no one has
>>>>>> ever guessed my username and password, which is the only one that
>>>>>> allows a login...
>>>>>
>>>>> If you're logging into a public-facing server with your password,
>>>>> you're doing it wrong. Read up on SSH public-key authentication, and
>>>>> set it up.
>>>>> It's easy, and it's more secure than passwords.
>>>
>>> Seconded.
>>>
>>>> I use that mostly, yes. But I leave the odd backdoor open for when I
>>>> am away from all devices that I own...
>>>>
>>>>
>>>>> Also, if you don't already have it, set up fail2ban. It'll ban IPs
>>>>> that hammer your SSH server.
>>>
>>> A lighter weight alternative if you only have a limited set of ports
>>> exposed to the world is sshguard.
>>>
>>>> To be honest, I am not sure that the fail2ban uses any less cycles
>>>> than sshd when rejecting rubbish
>>>>
>>>>
>>>> Let's put it this way. The amount of CPU and RAM used in rejecting
>>>> ratware is less than is used in rejecting attempts to sntp relay and
>>>> so on.
>>>
>>> Rejecting the connection at IP firewall level takes far less resources
>>> than allowing an ssh session to be negotiated then failing after the
>>> other end tries to login as root with a number of different common
>>> passwords.
>>>
>>>> I make a point of not fixing problems I don't have.
>>>
>>> See how big your auth log can get to if you don't.
>>
>> Again, there is no shortage of disk space and it gets rotated.
>>
>>
>>> ---druck
>>>
>
> Fail2ban effectively shuts the port, which, if the hacker is monitoring
> what is happening lets him know that he cannot make any further attempts
> which will stop him bothering your system & move on.
> This should reduce the amount of wasted traffic your network has to deal
> with.
>
> It also reduces the time available for the hacker to identify any ssh
> exploits that may have been discovered.
>
> Security in depth.
>
>
>
As I said, in ten years up, no breakins. I don't fix nonexistent problems.
--
“The urge to save humanity is almost always only a false face for the
urge to rule it.”
– H. L. Mencken
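As an added illustration of the findtime/maxretry banning that fail2ban and sshguard do (example code written for this page, not taken from any poster in the thread nor from either project): it parses a constructed sample of sshd auth-log lines, keeps a per-IP sliding window of failed password attempts, flags any source that crosses the threshold inside the window, and renders the packet-level drop rules that make the rejection cheaper than a full SSH key exchange. The log lines, the year 2020 (syslog timestamps carry none), the `inet filter input` chain name and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd authentication log lines in syslog format; not
# from a real system.  The addresses are from the documentation ranges.
SAMPLE_AUTH_LOG = """\
Oct 28 09:30:01 pi sshd[2101]: Failed password for root from 203.0.113.5 port 40210 ssh2
Oct 28 09:30:03 pi sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Oct 28 09:30:04 pi sshd[2105]: Failed password for invalid user pi from 203.0.113.5 port 40212 ssh2
Oct 28 09:30:06 pi sshd[2107]: Failed password for root from 203.0.113.5 port 40213 ssh2
Oct 28 09:30:07 pi sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 40214 ssh2
Oct 28 09:31:10 pi sshd[2111]: Failed password for tnp from 198.51.100.7 port 51000 ssh2
Oct 28 09:31:40 pi sshd[2113]: Accepted publickey for tnp from 198.51.100.7 port 51001 ssh2: ED25519 SHA256:constructedfingerprint
Oct 28 09:45:00 pi sshd[2120]: Failed password for root from 192.0.2.9 port 3000 ssh2
Oct 28 10:30:00 pi sshd[2130]: Failed password for root from 192.0.2.9 port 3001 ssh2
Oct 28 11:15:00 pi sshd[2140]: Failed password for root from 192.0.2.9 port 3002 ssh2
Oct 28 12:00:00 pi sshd[2150]: Failed password for root from 192.0.2.9 port 3003 ssh2
Oct 28 12:45:00 pi sshd[2160]: Failed password for root from 192.0.2.9 port 3004 ssh2
"""

# Matches the "Failed password" line that OpenSSH logs for a bad password,
# with or without the "invalid user" marker for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2020):
    """Yield (timestamp, ip, user) for every failed-password line.

    syslog timestamps have no year, so the caller supplies one (assumed)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_ban_candidates(log_text, maxretry=5, findtime=600):
    """Return {ip: time_threshold_reached} for each source with at least
    `maxretry` failures inside some `findtime`-second window.

    This mirrors fail2ban's maxretry/findtime pair with a per-IP sliding
    window: slow, widely spaced attempts never accumulate, fast bursts do."""
    windows = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned:
            continue  # already decided; a real jail would also track bantime
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()  # drop attempts that fell out of the window
        if len(w) >= maxretry:
            banned[ip] = ts
    return banned


def nft_drop_rules(banned, chain="inet filter input"):
    """Render nftables rules so the reject happens at packet level, before
    any SSH key exchange is negotiated.  The chain name is an assumption."""
    return [f"nft add rule {chain} ip saddr {ip} tcp dport 22 drop"
            for ip in sorted(banned)]


if __name__ == "__main__":
    bans = find_ban_candidates(SAMPLE_AUTH_LOG)
    for ip, when in bans.items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
    for rule in nft_drop_rules(bans):
        print(rule)
```

With the defaults only 203.0.113.5 is flagged: its five failures land within six seconds. 192.0.2.9 also fails five times, but 45 minutes apart, so the 600-second window never holds more than one attempt; widening `findtime` to four hours catches it, which is the trade-off the thread is arguing about.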