I do something similar to @ouvoun's script, except via Ansible. Just have to manually configure SSH keys and install Python3 and then Ansible handles the rest. The Debian installer already asks to create a new user, so I guess that part of your script wouldn't be necessary if you install from ISO.
Maybe I should post my Ansible playbooks somewhere.
@teamacc said: I like to think NOT getting hit with brute-force attempts lightens the load on the server, by not having to deal with that pesky aspect.
Heh heh heh ... that I won't argue with, but that's not really a security gain unless you're arguing it makes auditing the logs easier. I prefer iptables rate-limiting for that.
My 2 cents: If you secure your server correctly, you won't have to be afraid of those brute-force attempts. By changing the port you're merely obscuring that there is an SSH daemon running on your box. So it really is security by obscurity.
I don't change the default SSH port because I work behind firewalls that won't let me make an SSH connection to a non-privileged port. I also think this is generally not a good idea.
I disable SSH root login after deploying a new VM or dedi, add a user with sudo rights and only allow access with keys. I set up Fail2Ban and iptables rate-limiting. Just to be sure I limit access to port 22 from a number of subnets that are well known for brute-forcing SSH (Online.net, China Telecom). That last part is security by obscurity as well, of course...
On some boxes I don't want this hassle and I just limit access to SSH to my home IP address, my work IP address, the CGNAT subnets from my mobile provider and my other boxes.
No server I have managed has ever been compromised, nor am I experiencing high load from those SSH brute-forcers.
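A way to confirm that the three settings in the post above (root login off, keys only, no password prompts) actually took effect, as an added example that is not part of any post in this thread. The script reads an sshd_config the way sshd does (the first value found for a keyword wins, keywords are case-insensitive) and flags root login, password authentication and keyboard-interactive authentication, which on a Debian box with UsePAM is the other route to a password prompt. The two config files are constructed samples, not real files from any system.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the post above describes. sshd keeps the FIRST value it reads for a keyword,
# so a weak line that appears earlier silently beats a hardened one later.

# effective_value FILE KEYWORD
# Prints (lowercased) the value sshd would use for KEYWORD, or nothing if unset.
# Comments and blank lines are skipped, "Keyword=value" is accepted, and
# scanning stops at the first Match block because values inside it apply only
# to matching connections. Include directives are NOT expanded here.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                # strip comments (re-splits fields)
        /^[ \t]*[A-Za-z0-9]+[ \t]*=/ { sub(/=/, " ") }     # Keyword=value -> Keyword value
        NF == 0 { next }
        tolower($1) == "match" { exit }                    # conditional block: stop here
        tolower($1) == key { print tolower($2); exit }     # first value wins
    ' "$1"
}

# audit_sshd_config FILE -> returns 0 if hardened, 1 otherwise; one line per check
audit_sshd_config() {
    cfg=$1
    status=0
    root=$(effective_value "$cfg" PermitRootLogin)
    pass=$(effective_value "$cfg" PasswordAuthentication)
    kbd=$(effective_value "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(effective_value "$cfg" ChallengeResponseAuthentication)  # pre-8.7 name
    pubkey=$(effective_value "$cfg" PubkeyAuthentication)
    # OpenSSH defaults when a keyword is absent; note that passwords are ON by default
    : "${root:=prohibit-password}" "${pass:=yes}" "${kbd:=yes}" "${pubkey:=yes}"

    report() { # report KEYWORD ACTUAL WANTED
        if [ "$2" = "$3" ]; then
            printf 'ok    %-30s %s\n' "$1" "$2"
        else
            printf 'FAIL  %-30s %s (want %s)\n' "$1" "$2" "$3"
            status=1
        fi
    }
    report PermitRootLogin              "$root"   no
    report PasswordAuthentication       "$pass"   no
    report KbdInteractiveAuthentication "$kbd"    no   # with UsePAM yes this is the other password prompt
    report PubkeyAuthentication         "$pubkey" yes
    return "$status"
}

# Constructed samples (not real files from any system).
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# lines an installer or image left at the top of the file
PermitRootLogin yes
PasswordAuthentication yes
# a "fix" appended later that never takes effect, because the first value wins:
PasswordAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication=yes
AuthenticationMethods publickey
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
```

The file-level check is a first pass only. Debian's stock sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and a drop-in there (cloud images commonly add one that sets PasswordAuthentication yes) wins over anything in the main file; Match blocks can re-enable passwords for one user or network. The authoritative answer is the running daemon's view: `sshd -T | grep -i -E 'permitrootlogin|passwordauthentication|kbdinteractive'`, and `sshd -T -C user=backup,addr=203.0.113.5` to evaluate a specific Match case.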
@FAT32 said: I am low-key afraid of limiting access to SSH to certain IPs only, because I keep thinking: what if suddenly all my whitelisted IPs are no longer usable? Given that no VNC, KVM or IPMI is available, that will cause more trouble and it compromises availability.
That's why IMO it's crucial to have a sudo user with a complex username/password combination that can be used in those cases.
I usually perform a set of actions required to score 80+ on lynis. While the score, per se, is mostly pointless, some of the suggestions aren't pointless to me. These involve:
automating the install of security updates on a pre-defined day of the week (usually Sunday), followed by a restart of the involved processes. I always prefer to perform updates manually, so the cron job isn't required. Yet, if I'm hit by a bus, my idling boxes will take care of themselves
remove compilers if present and not needed
disable unneeded drivers (firewire, usb-storage, et al.)
harden sysctl key pairs (the list is long)
install at least a tool to record and collect system activities
entirely disable the root account (I usually just keep a sudoer/%wheel user for administrative tasks)
deploy hardened ip{,6}tables and ipset services
I dare to harden OpenSSH too. Changing the port is convenient even if it doesn't harden anything: a flooded log is a potentially unhelpful log (even more so w/o fail2ban). I have no mandatory requirements about picking port 22 and leaving it wide open. I pick another privileged port and on top of it I restrict it to a handful of static IPs (Wireguard VPNs + office); I have no reason to leave it open to the wide internet. If all my VPNs and my workplace get nuked from orbit (or, more likely, if there's some exceedingly unexpected OpenSSH configuration error) there's an emergency rate-limited and filtered dropbear instance listening on an IPv6-only privileged port. Range scans are invariably caught with the ip{,6}tables "recent" module; the most obnoxious and notorious offenders are dealt with via ipsets, using (highly conservative) blocklists too.
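The "recent"-module catch mentioned above, written out as an added example that is not taken from the post: a function that builds an SSH guard chain in which allowlisted sources (the VPN and office ranges) bypass the counter, and every other source is dropped once it opens more than a set number of new connections within the window, with the drop rule refreshing the timer so a host that keeps knocking stays blocked. The set name ssh_allow, the chain name SSH_GUARD, the recent list name sshprobe and the CIDRs are assumptions. Without APPLY=1 it only prints the commands, so it can be reviewed on a box where you are not root.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an iptables/ipset guard for the
# SSH port: sources in the allow set pass, everyone else is limited with the
# "recent" module. Without APPLY=1 the commands are printed, not executed.
# Names (ssh_allow, SSH_GUARD, sshprobe) and CIDRs are assumptions.

run() {                                  # execute, or echo the exact command
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# ssh_guard_rules PORT HITS SECONDS CIDR...
# Only NEW connections are counted, so an established rsync session is never
# touched; the limit is HITS new connections per source within SECONDS.
# HITS must stay below the xt_recent ip_pkt_list_tot module parameter (default 20).
ssh_guard_rules() {
    port=$1 hits=$2 secs=$3
    shift 3
    run ipset create ssh_allow hash:net -exist
    for cidr in "$@"; do run ipset add ssh_allow "$cidr" -exist; done

    run iptables -N SSH_GUARD 2>/dev/null || :     # no-op if the chain already exists
    run iptables -F SSH_GUARD
    # allowlisted sources first: VPN/office ranges never touch the counter
    run iptables -A SSH_GUARD -m set --match-set ssh_allow src -j ACCEPT
    # --update refreshes "last seen" on every match, so a scanner that keeps
    # knocking keeps itself blocked until it stays quiet for SECONDS
    run iptables -A SSH_GUARD -m recent --name sshprobe --update --seconds "$secs" --hitcount "$hits" -j DROP
    run iptables -A SSH_GUARD -m recent --name sshprobe --set -j ACCEPT

    # hook the chain in front of the normal INPUT policy; re-running with
    # APPLY=1 adds a second hook, check with "iptables -C INPUT ..." first
    run iptables -I INPUT 1 -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_GUARD
}

# 4 new connections per source per minute; documentation ranges stand in for VPN and office
ssh_guard_rules 22 4 60 203.0.113.0/24 198.51.100.8/32
```

For IPv6 repeat the same chain with ip6tables and a second set created with `family inet6`. If you disable connection tracking with a raw-table NOTRACK rule, as another post in this thread suggests, `--ctstate NEW` never matches; use `--syn` on the hook rule instead.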
@FAT32 said:
I am low-key afraid of limiting access to SSH to certain IPs only, because I keep thinking: what if suddenly all my whitelisted IPs are no longer usable? Given that no VNC, KVM or IPMI is available, that will cause more trouble and it compromises availability.
Well, you limit it, to multiple gateways, not just one.
@yoursunny said:
I have no firewall, no SSH port change, no fail2ban. I just disabled password login. Why am I not hacked?
Or, am I already hacked but I don't know?
You're fine mate, as long as you're only idling the ssh daemon on a public port, and no other.
Most of my boxen are double duty and rsync over default ssh port is too important to give up. I use 3 trylimit fail2ban and a multiday bantime in order to keep my logs legible.
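The counting behind the "3 trylimit" jail in the post above, and the flooded-log problem raised a few posts earlier, as an added example that is not part of any post in this thread. The script implements the maxretry/findtime logic over constructed auth.log lines (RFC 3339 timestamps as rsyslog and journald emit them, documentation-range addresses, no real hosts) and shows which sources reach the threshold. The third source deliberately probes twenty minutes apart to show how findtime decides the outcome.

```shell
#!/bin/sh
# Added example (not from the thread): the counting logic behind a
# "maxretry 3" SSH jail, run over constructed log lines so the effect of the
# findtime window is visible. The zone offset is ignored (all samples are UTC).

# ssh_ban_candidates LOGFILE MAXRETRY FINDTIME_SECONDS
# Prints "ip count" for each source that reached MAXRETRY failures inside a
# sliding FINDTIME window. IPv4 and IPv6 sources are both handled.
ssh_ban_candidates() {
    awk -v maxretry="$2" -v findtime="$3" '
    function leap(y) { return y % 4 == 0 && (y % 100 != 0 || y % 400 == 0) }
    # seconds since 1970-01-01 for a "YYYY-MM-DDTHH:MM:SS..." prefix
    function to_secs(ts,   y, m, d, H, M, S, days, i, cum) {
        y = substr(ts, 1, 4) + 0;  m = substr(ts, 6, 2) + 0;  d = substr(ts, 9, 2) + 0
        H = substr(ts, 12, 2) + 0; M = substr(ts, 15, 2) + 0; S = substr(ts, 18, 2) + 0
        days = 0
        for (i = 1970; i < y; i++) days += leap(i) ? 366 : 365
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
        days += cum[m] + d - 1 + ((m > 2 && leap(y)) ? 1 : 0)
        return days * 86400 + H * 3600 + M * 60 + S
    }

    # Two line shapes count as a failure: an explicit auth failure, and a client
    # that dropped at preauth without ever authenticating (what a key-only box
    # sees from password scanners). "Invalid user" lines describe the same
    # attempt as the "Failed password" line that follows, so they are skipped.
    /sshd\[[0-9]+\]: (Failed (password|publickey) for|Connection closed by authenticating user) / {
        ip = ""
        for (i = 2; i <= NF; i++) if ($i == "port") { ip = $(i - 1); break }   # token before "port"
        if (ip == "") next
        now = to_secs($1)
        n[ip]++; seen[ip, n[ip]] = now
        hits = 0
        for (j = 1; j <= n[ip]; j++) if (now - seen[ip, j] <= findtime) hits++
        if (hits >= maxretry && !(ip in banned)) banned[ip] = hits
    }
    END { for (ip in banned) print ip, banned[ip] }
    ' "$1" | sort
}

# Constructed sample log (documentation ranges, no real hosts).
AUTH_LOG=$(mktemp)
cat >"$AUTH_LOG" <<'EOF'
2024-03-01T03:14:15.000000+00:00 vps sshd[2101]: Invalid user admin from 203.0.113.7 port 41022
2024-03-01T03:14:15.000000+00:00 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
2024-03-01T03:14:18.000000+00:00 vps sshd[2104]: Failed password for root from 203.0.113.7 port 41030 ssh2
2024-03-01T03:14:21.000000+00:00 vps sshd[2107]: Failed password for root from 203.0.113.7 port 41035 ssh2
2024-03-01T03:20:02.000000+00:00 vps sshd[2150]: Failed password for alice from 198.51.100.20 port 50112 ssh2
2024-03-01T03:20:09.000000+00:00 vps sshd[2152]: Accepted publickey for alice from 198.51.100.20 port 50113 ssh2: ED25519 SHA256:constructed
2024-03-01T03:25:00.000000+00:00 vps sshd[2201]: Connection closed by authenticating user root 2001:db8::bad port 39990 [preauth]
2024-03-01T03:45:00.000000+00:00 vps sshd[2230]: Connection closed by authenticating user root 2001:db8::bad port 39991 [preauth]
2024-03-01T04:05:00.000000+00:00 vps sshd[2260]: Connection closed by authenticating user root 2001:db8::bad port 39992 [preauth]
EOF

echo "maxretry 3 within 10 min (fail2ban's default findtime):"
ssh_ban_candidates "$AUTH_LOG" 3 600
echo "maxretry 3 within 2 h, which also catches the slow IPv6 scanner:"
ssh_ban_candidates "$AUTH_LOG" 3 7200
```

With the default ten-minute window only 203.0.113.7 is banned; the host probing every twenty minutes never has three failures inside one window and stays under the radar, which is why a long bantime on its own does not keep a patient scanner out of the log.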
I also have nginx on 80 and 443.
I moved Asterisk to 15060. Someone keeps trying different SIP passwords, wanting to make long distance calls. My passwords are randomly generated so they can't succeed, and I only have $1 long distance credit. I changed port because Asterisk log file fills the disk every 3 days and then the server crashes.
I have virtual machines (VirtualBox in university servers, not VPS) on alternate ports. I use $HOME/.ssh/config to set the ports. rsync and everything else work fine.
ACHTUNG!
ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.
@terrorgen said: Install zerotier, add new vps to my zerotier network, close all firewall ports except from zerotier.
I am curious, is this different from an OpenVPN jump box setup?
Zerotier is a mesh VPN, so it's more like a private P2P network. Traffic doesn't have to go through a central server. It's also a hosted service, so you don't have to keep your own box working.
Tinc and Wireguard are similar.
I keep meaning to get a wireguard network setup, and see if I can get rid of the IPSec/OpenVPN monstrosity at work.
I sit down and eat.
The eating gives power.
Power makes you strong!
Strong is force!
Force is acceleration times mass!
Mass is energy divided by the speed of light, squared.
If the acceleration is at the speed of light, then force equals energy!
The more one eats, the more omnipotent and conglomerated one becomes.
I do not need a stateful connection tracking firewall (performance reasons).
If you use iptables, just add a custom iptables rule in the RAW table and mark everything as non-tracking.
Install zerotier, add new vps to my zerotier network, close all firewall ports except from zerotier.
They might be similar. But zerotier is way easier to configure than openvpn though.
Then, I power it off.
I normally do this as well:
That script is just missing a few steps to cover all I need:
I may add some additional jails on fail2ban depending on what services are running on the server.
Probably tie a yellow wrist ribbon somewhere?
I see what you did there ...
Is this real German or fake German?
laughing out loud
Sure, that's not standard German!
It’s fake.
I have this banner (which is the opposite)?
Thanks. I knew it was off but wasn't sure.
From the wiki about blinkenlights..
Probably still got one of those (a 3rd party one) stuffed in a drawer someplace. :-o
All I do is
apt update && apt upgrade -y
apt install fail2ban
That's it?
Disable the network, and request data center rack access every time I need to SSH in to the VPS.
Do you speak German?
Just a little moustache.
Good day. My German is prem.
Right, so uptime speaks German. The rest are well versed in Hollywood's idea of an evil German villain.