Policies regarding access to your ssh port?

Hi

What are your concerns/policies regarding access to your ssh port?
Do you use only ssh keys? Do you use a jump server? Do you use a private vpn like wireguard/tailscale/zerotier/etc?

Thanks

Comments

  • Jump Server (whitelisted) + non-standard SSH port + keys only

  • nfn
    edited March 19

    Thank you :)

    I normally use ssh keys and allow ssh connections on non-standard ports from everywhere.

    I've been testing tailscale and zerotier over the past few days, and they seem interesting, but when I reboot a server, the IP address becomes unreachable at random.

    I didn't have time to dig deep into this issue and it could be faulty setup from my side!

  • Well it depends on the environment and situation but that's how I do it.

    Different people have different ways of doing things.

  • nfn
    edited March 19

    @TheDP said:
    Well it depends on the environment and situation but that's how I do it.

    Different people have different ways of doing things.

    That's perfect! I have a Jump Server for convenience too.

  • I usually just use OpenVPN, but have ssh open as well (checking the connecting IP against a few DNS RBLs).

  • Random port + ssh key login + disable root login

  • @nfn said:
    Hi

    What are your concerns/policies regarding access to your ssh port?
    Do you use only ssh keys? Do you use a jump server? Do you use a private vpn like wireguard/tailscale/zerotier/etc?

    Thanks

    All of the above. I have a Nebula between all my servers as well as my desktop and laptop so we can communicate with each other using keys. I have two hosts with password login + TOTP which act as jumphosts for when I'm not at my laptop/desktop (or, uh, if I don't notice a key expiring in the nebula).

  • I normally just use an SSH key. I do have a secondary method, password with TOTP, if I am on a device that doesn't have the SSH key.

  • I normally lock the SSH ports to a couple of IPs and then SSH Keys everything. I do have a jump box too.

    Can't be bothered with changing the port, so just block it instead :joy:

  • With ssh port changed, I leave port 22 alive, to let CSF block the scanning bastards!

  • keys only, standard port, no vpn, no jump box, no ip locking, fail2ban blocks persistent scanners. Maybe I should upgrade some of this but it hasn't been an issue afaict so far. For work boxes we are much more serious, but there are real admins running them too. Jump box istm works best if all your stuff is at a single provider like AWS, so you're less likely to have an outage at the jump host block all your stuff. Yes there are ways around that but it gets complicated.

  • Non-standard port, keys only, no root, raymii's cipherlist.eu, whitelist to two jumphosts on different providers. No whitelist when sshing via wireguard.

  • Keeping a server completely offline is one way to secure a server.

  • nfn
    edited March 19

    @deank said:
    Keeping a server completely offline is one way to secure a server.

    ticket #29387928... waiting for the provider reply to unplug the VPS energy cable :)

  • Changed port + only ssh key auth method + AllowUsers for me.

  • SpryServers_Tab (Hosting Provider, OG)

    I feel like this is a really personal question here. I mean who I let in my port is my business..

  • Indeed, a bit too personal to share.

  • password, no jumpbox, no nothing, only maybe F2B; worked wonderfully!

  • root (OG)
    edited March 20

    I use different SSH port + port knocking + blacklisting everything that scans 22 + SSH keys on "root".

  • Never heard about a jump server BUT wouldn't that be putting all eggs in one basket? What happens if you forget to pay for your jump server or the IP gets changed?

  • Mentally strong people leave SSH on port 22 where it belongs.
    There's no firewall restriction.
    Public key authentication required.

  • Wrote a script which (cron) reads 'special' dns names and opens ports to them. Key access only and non standard port.
    If I move around or an ip changes I update the dns and servers unblock.
    Works really well.

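The DNS-driven unblock script described in the post above, as an added example (hypothetical code written for this thread, not the poster's own script): it resolves a few admin-controlled DDNS names, validates the answers, and emits nftables commands that refresh an allowlist set which an SSH accept rule is assumed to reference. The names, the table and the set names are assumptions; the resolver is injectable so the logic can be checked without touching DNS or the firewall.

```python
"""Added example (not the poster's script): resolve admin-controlled DNS names
and emit nftables commands that replace an SSH allowlist set with the
addresses they currently point at."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample names; assumption: the admin updates these DDNS records
# whenever their IP changes, as described in the post.
ALLOWLIST_NAMES = ["home.example.net", "laptop.example.net"]
TABLE = "inet filter"    # hypothetical nftables table holding the SSH rule
SET_NAME = "ssh_allow"   # hypothetical sets: ssh_allow_v4 / ssh_allow_v6


def system_resolver(name: str) -> List[str]:
    """Resolve a name to all of its A/AAAA addresses via the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_allowlist(names: Iterable[str],
                      resolver: Callable[[str], List[str]] = system_resolver
                      ) -> Dict[str, List[str]]:
    """Return {name: [validated addresses]}. Anything that does not parse as an
    IP address, or is unspecified/loopback/multicast, is dropped so that a
    malformed or odd answer never reaches the nft command line."""
    result: Dict[str, List[str]] = {}
    for name in names:
        good: List[str] = []
        for addr in resolver(name):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue
            if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
                continue
            good.append(str(ip))
        result[name] = good
    return result


def build_nft_commands(resolved: Dict[str, List[str]]) -> List[str]:
    """Produce idempotent nft commands: flush both sets, then add the current
    addresses. If nothing resolved at all, return no commands and leave the
    existing sets untouched, so a DNS outage does not lock the admin out."""
    v4 = sorted(a for addrs in resolved.values() for a in addrs if ":" not in a)
    v6 = sorted(a for addrs in resolved.values() for a in addrs if ":" in a)
    if not v4 and not v6:
        return []
    cmds = [f"nft flush set {TABLE} {SET_NAME}_v4",
            f"nft flush set {TABLE} {SET_NAME}_v6"]
    if v4:
        cmds.append(f"nft add element {TABLE} {SET_NAME}_v4 {{ {', '.join(v4)} }}")
    if v6:
        cmds.append(f"nft add element {TABLE} {SET_NAME}_v6 {{ {', '.join(v6)} }}")
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands a cron job would execute one by one.
    for cmd in build_nft_commands(resolve_allowlist(ALLOWLIST_NAMES)):
        print(cmd)
```

The accept rule that consumes the sets (something like `tcp dport <ssh port> ip saddr @ssh_allow_v4 accept` in the assumed table) is not shown. Two design points: when every name fails to resolve the script keeps the previous set instead of flushing it, trading a stale allowlist for not locking yourself out; and the DNS answer is unauthenticated, so whoever controls the zone controls the allowlist, which is why it sits in front of key-only authentication rather than replacing it.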
  • Anyone use tailscale.com?

  • Port 22, Root login, Password only, Allow all IPs

    #YOLO

  • MannDude (Hosting Provider)

    @FAT32 said:
    Port 22, Root login, Password only, Allow all IPs

    #YOLO

    Password: Hunter02

  • Port 22, IPv6 only with public key auth

  • @FAT32 said:
    Port 22, Root login, Password only, Allow all IPs

    #YOLO

    not recommended?

  • non-standard yet privileged port to slim down the logs, then (as a general rule):
    LogLevel VERBOSE
    PermitRootLogin no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    TCPKeepAlive no
    Compression no
    a single IP may or may not be allowed in the firewall (personal VPN rather than jump hosts) but usually it's more convenient to allow every IP (occasional scp or rsync between different boxes)
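
The settings listed in the post above, as an added audit script (hypothetical code written for this thread, not from any poster or from OpenSSH): it parses an sshd_config the way sshd does, where the first value obtained for a keyword wins and later duplicates are ignored, and reports which of the quoted hardening options are missing or set to something else. The sample configs are constructed; the expected values are the post's, the defaults are those documented in sshd_config(5).

```python
"""Added example, not from the thread: audit an sshd_config against the
hardening settings quoted in the post. Follows sshd's precedence rule (first
value seen for a keyword wins) and skips Match blocks, which can override the
global values for matching connections."""
import re
import sys
from typing import Dict, List, Tuple

# keyword -> (value from the post, OpenSSH default when absent, per sshd_config(5))
EXPECTED = {
    "PermitRootLogin": ("no", "prohibit-password"),
    "PasswordAuthentication": ("no", "yes"),
    "KbdInteractiveAuthentication": ("no", "yes"),
    "LogLevel": ("VERBOSE", "INFO"),
    "TCPKeepAlive": ("no", "yes"),
    "Compression": ("no", "yes"),
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive
KEYWORD_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(\S.*)$")


def parse_global_section(text: str) -> Tuple[Dict[str, str], int]:
    """Return ({lowercase keyword: first value seen}, number of Match blocks)."""
    values: Dict[str, str] = {}
    match_blocks = 0
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).rstrip()
        if key == "match":
            in_match = True
            match_blocks += 1
            continue
        if in_match:
            continue
        values.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return values, match_blocks


def audit(text: str) -> List[str]:
    """Return findings; an empty list means every expected setting is present
    with the expected value, the port is privileged and no Match block exists."""
    values, match_blocks = parse_global_section(text)
    findings: List[str] = []
    for name, (want, default) in EXPECTED.items():
        got = values.get(name.lower())
        if got is None:
            findings.append(f"{name}: not set, OpenSSH default '{default}' applies")
        elif got.lower() != want.lower():
            findings.append(f"{name}: set to '{got}', expected '{want}'")
    port = values.get("port")
    if port is not None and port.isdigit() and int(port) >= 1024:
        findings.append(f"Port: {port} is unprivileged; any local user could bind it while sshd is down")
    if match_blocks:
        findings.append(f"{match_blocks} Match block(s) present; they can override the settings above for matching connections, review them separately")
    return findings


SAMPLE_HARDENED = """\
# constructed sample mirroring the post's settings
Port 922
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
TCPKeepAlive no
Compression no
"""

SAMPLE_WEAK = """\
# constructed sample: the later 'PasswordAuthentication no' does not win
Port 2222
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEAK
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it as `python3 audit_sshd.py /etc/ssh/sshd_config` to audit a real file. It does not follow Include directives, so on a host that uses them the authoritative check is `sshd -T`, which prints the effective configuration after all files and precedence rules have been applied; feeding that output into `audit()` gives the same report on the values sshd actually uses.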

  • @lapua said:

    @FAT32 said:
    Port 22, Root login, Password only, Allow all IPs

    #YOLO

    not recommended?

    who cares! Most people do it this way and don't have backups, then cry bc their data be gone, but once again WHO CARES LOLZ?
