What are your concerns/policies regarding access to your ssh port?
Do you use only SSH keys? Do you use a jump server? Do you use a private VPN like WireGuard/Tailscale/ZeroTier/etc?
I normally use ssh keys and allow ssh connections on non-standard ports from everywhere.
I've been testing tailscale and zerotier over the past few days, and they seem interesting, but when I reboot a server, the IP address becomes unreachable at random.
I didn't have time to dig deep into this issue and it could be faulty setup from my side!
Thanks
All of the above. I have a Nebula between all my servers as well as my desktop and laptop so we can communicate with each other using keys. I have two hosts with password login + TOTP which act as jump hosts for when I'm not at my laptop/desktop (or, uh, if I don't notice a key expiring in the Nebula).
keys only, standard port, no vpn, no jump box, no ip locking, fail2ban blocks persistent scanners. Maybe I should upgrade some of this but it hasn't been an issue afaict so far. For work boxes we are much more serious, but there are real admins running them too. Jump box istm works best if all your stuff is at a single provider like AWS, so you're less likely to have an outage at the jump host block all your stuff. Yes there are ways around that but it gets complicated.
Non-standard port, keys only, no root, raymii's cipherlist.eu, whitelist to two jumphosts on different providers. No whitelist when sshing via wireguard.
Never heard about a jump server BUT wouldn't that be putting all eggs in one basket? What happens if you forget to pay for your jump server or the IP gets changed?
Wrote a script which (via cron) reads 'special' DNS names and opens ports to them. Key access only and non-standard port.
If I move around or an IP changes, I update the DNS and the servers unblock.
Works really well.
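Here is the kind of script that post describes, as an added example rather than the poster's own code. It assumes nftables on the server, `getent ahosts` for resolution, and a hypothetical SSH port (2222), table name and pair of names (home.example.net, laptop.example.net). It only builds rules from answers that look like IP literals, and it refuses to install an empty allowlist, because a DNS outage at cron time would otherwise lock you out of every box at once.

```shell
#!/bin/sh
# Added example (not the poster's script): resolve a list of "special" DNS
# names and rebuild an nftables table so only those addresses reach sshd.
# Port, table name and the example names are hypothetical.
set -u

SSH_PORT="${SSH_PORT:-2222}"
ALLOW_NAMES="${ALLOW_NAMES:-home.example.net laptop.example.net}"
TABLE="ssh_allow"

# is_ip ADDR: succeed only for something that looks like an IPv4 or IPv6
# literal, so a poisoned or garbled DNS answer cannot inject nft syntax.
is_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+$'
}

# resolve_names NAME...: print the A/AAAA records of every name, one per
# line; a name that fails to resolve is skipped rather than aborting the run.
resolve_names() {
    for name in "$@"; do
        getent ahosts "$name" 2>/dev/null | awk '{print $1}'
    done | sort -u
}

# build_ruleset PORT ADDR...: print an nft script that replaces TABLE with
# sets holding ADDRs and a chain that drops every other source on PORT.
build_ruleset() {
    port="$1"; shift
    v4=""; v6=""
    for a in "$@"; do
        is_ip "$a" || continue
        case "$a" in
            *:*) v6="${v6:+$v6, }$a" ;;
            *)   v4="${v4:+$v4, }$a" ;;
        esac
    done
    v4set=""; v6set=""
    if [ -n "$v4" ]; then v4set=" elements = { $v4 };"; fi
    if [ -n "$v6" ]; then v6set=" elements = { $v6 };"; fi
    printf 'table inet %s {}\nflush table inet %s\n' "$TABLE" "$TABLE"
    printf 'table inet %s {\n' "$TABLE"
    printf '  set allow4 { type ipv4_addr;%s }\n' "$v4set"
    printf '  set allow6 { type ipv6_addr;%s }\n' "$v6set"
    printf '  chain input {\n    type filter hook input priority 0; policy accept;\n'
    printf '    tcp dport %s ip saddr @allow4 accept\n' "$port"
    printf '    tcp dport %s ip6 saddr @allow6 accept\n' "$port"
    printf '    tcp dport %s drop\n  }\n}\n' "$port"
}

# apply: refuse to load an empty allowlist. If DNS is down when cron fires,
# wiping the sets would lock you out of every server at once.
apply() {
    addrs=$(resolve_names $ALLOW_NAMES)
    if [ -z "$addrs" ]; then
        echo "no allowlisted name resolved; keeping current rules" >&2
        return 1
    fi
    build_ruleset "$SSH_PORT" $addrs | nft -f -
}

# Cron entry, e.g.:  */5 * * * * /usr/local/sbin/ssh-dns-allow.sh apply
if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it from cron with the `apply` argument; `build_ruleset` alone prints the nft script, so you can read the result before enabling it. Because the last rule drops everything else on the port, make sure the address you are currently connected from is among the resolved names, and test with a second session open.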
non-standard yet privileged port to slim down the logs, then (as a general rule):
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
TCPKeepAlive no
Compression no
A single IP may or may not be allowed in the firewall (personal VPN rather than jump hosts), but usually it's more convenient to allow every IP (occasional scp or rsync between different boxes).
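As an added example, not code from that post, here is a small check for those directives that a practitioner would run before relying on them. It reads an sshd_config the way sshd does (first value wins, keywords are case-insensitive, settings after a Match line are conditional), falls back to the OpenSSH defaults from sshd_config(5) when a directive is absent, and is fed two constructed sample files; the hardened sample's Port 1022 is an assumption standing in for the "non-standard yet privileged port".

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config for the
# directives listed above. The two sample configs are constructed for the
# demonstration; the values in DEFAULTS are OpenSSH's documented defaults.
set -u

# directive -> value we want (names lower-cased; sshd keywords are
# case-insensitive and `sshd -T` prints them lower-cased anyway).
WANT='loglevel verbose
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
tcpkeepalive no
compression no'

# What sshd uses when a directive is absent.
DEFAULTS='loglevel info
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication yes
tcpkeepalive yes
compression yes'

# lookup TABLE KEY: print the value stored for KEY in a two-column table.
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# effective_value FILE DIRECTIVE: sshd takes the FIRST value it sees, so print
# the first non-comment match and stop at the first Match block, whose
# settings are conditional and need `sshd -T -C ...` to resolve.
effective_value() {
    awk -v d="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, "[ \t=]+") }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == d { print tolower(f[2]); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per deviation from WANT and
# return the number of deviations (0 means the file matches the policy).
audit_sshd_config() {
    file="$1"; findings=0
    if grep -Eiq '^[[:space:]]*include[[:space:]=]' "$file"; then
        echo "note: $file has Include directives; audit 'sshd -T' output instead" >&2
    fi
    while read -r directive expected; do
        [ -n "$directive" ] || continue
        actual=$(effective_value "$file" "$directive")
        if [ -n "$actual" ]; then
            src="set"
        else
            actual=$(lookup "$DEFAULTS" "$directive"); src="unset, OpenSSH default"
        fi
        if [ "$actual" != "$expected" ]; then
            printf 'FAIL %s is %s (%s), want %s\n' "$directive" "$actual" "$src" "$expected"
            findings=$((findings + 1))
        fi
    done <<EOF
$WANT
EOF
    return "$findings"
}

# Constructed samples: a stock-looking config, and one with the post's directives.
SAMPLE_WEAK=$(mktemp); SAMPLE_HARDENED=$(mktemp)
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARDENED"' EXIT
cat >"$SAMPLE_WEAK" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
LogLevel INFO
Match User backup
    PasswordAuthentication no
EOF
cat >"$SAMPLE_HARDENED" <<'EOF'
Port 1022
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
TCPKeepAlive no
Compression no
EOF

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config   or   sshd -T > eff.txt; sh audit-sshd.sh eff.txt
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

On a live host, audit `sshd -T` output rather than the file: it already resolves Include files and the sshd_config.d drop-in directory, which is where a `PasswordAuthentication yes` left behind by an installer or cloud image can silently override a hardened main file. The script flags Include lines for exactly that reason.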
Comments
Jump Server (whitelisted) + non-standard SSH port + keys only
Thank you:)
Well it depends on the environment and situation but that's how I do it.
Different people have different ways of doing things.
That's perfect! I have a Jump Server for convenience too.
I usually just use OpenVPN, but have ssh open as well (checking the connecting IP against a few DNS RBLs).
Random port + ssh key login + disable root login
I normally just use an SSH key. I do have a secondary method, password with TOTP, if I am on a device that doesn't have the SSH key.
I normally lock the SSH ports to a couple of IPs and then SSH Keys everything. I do have a jump box too.
Can't be bothered with changing the port, so just block it instead
With ssh port changed, I leave port 22 alive, to let CSF block the scanning bastards!
Keeping a server completely offline is one way to secure a server.
ticket #29387928... waiting for the provider reply to unplug the VPS energy cable
Changed port + only ssh key auth method + AllowUsers for me.
I feel like this is a really personal question here. I mean who I let in my port is my business..
Indeed, a bit too personal to share.
Password, no jump box, no nothing, only maybe F2B. Worked wonderfully!
I use different SSH port + port knocking + blacklisting everything that scans 22 + SSH keys on "root".
Mentally strong people leave SSH on port 22 where it belongs.
There's no firewall restriction.
Public key authentication required.
Anyone use tailscale.com?
Port 22, Root login, Password only, Allow all IPs
#YOLO
Password:
Hunter02
Port 22, IPv6 only with public key auth
not recommended?
who cares! Most people do it this way and don't have backups, then cry bc their data be gone, but once again WHO CARES LOLZ?
https://mrpsycho.pl/cheatsheets/Bash-script-for-disabling-password-login/