Policies regarding access to your ssh port?

Hi

What are your concerns/policies regarding access to your ssh port?
Do you use only ssh keys? Do you use a jump server? Do you use a private vpn like WireGuard/Tailscale/ZeroTier/etc?

Thanks

Comments

  • Jump Server (whitelisted) + non-standard SSH port + keys only

    Thanked by (1)nfn

    For domain registrations, create an account at Dynadot (ref) and spend $9.99 within 48 hours to receive $5 DynaDollars!
    Looking for cost-effective Managed/Anycast/DDoS-Protected/Geo DNS Services? Try ClouDNS (aff).

  • nfn
    edited March 2022

    Thank you:)

    I normally use ssh keys and allow ssh connections on non-standard ports from everywhere.

    I've been testing tailscale and zerotier over the past few days, and they seem interesting, but when I reboot a server, the IP address becomes unreachable at random.

    I didn't have time to dig deep into this issue and it could be faulty setup from my side!

  • Well it depends on the environment and situation but that's how I do it.

    Different people have different ways of doing things.

  • nfn
    edited March 2022

    @TheDP said:
    Well it depends on the environment and situation but that's how I do it.

    Different people have different ways of doing things.

    That's perfect! I have a Jump Server for convenience too.

  • I usually just use OpenVPN, but have ssh open as well (checking the connecting IP against a few DNS RBLs).

  • Random port + ssh key login + disable root login

  • @nfn said:
    Hi

    What are your concerns/policies regarding access to your ssh port?
    Do you use only ssh keys? Do you use a jump server? Do you use a private vpn like WireGuard/Tailscale/ZeroTier/etc?

    Thanks

    All of the above. I have a Nebula between all my servers as well as my desktop and laptop so we can communicate with each other using keys. I have two hosts with password login + TOTP which act as jumphosts for when I'm not at my laptop/desktop ( or, uh, if I don't notice a key expiring in the nebula ).

  • I normally just use an SSH key. I do have a secondary method, password with TOTP, if I am on a device that doesn't have the SSH key.

    Thanked by (1)mfs
  • I normally lock the SSH ports to a couple of IPs and then SSH Keys everything. I do have a jump box too.

    Can't be bothered with changing the port, so just block it instead :joy:

    BillingServ - Easy, simple, and hassle-free online invoicing solution. Contact us today.
    BaseServ Certified to ISO/IEC 27001:2013

  • With ssh port changed, I leave port 22 alive, to let CSF block the scanning bastards!

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • keys only, standard port, no vpn, no jump box, no ip locking, fail2ban blocks persistent scanners. Maybe I should upgrade some of this but it hasn't been an issue afaict so far. For work boxes we are much more serious, but there are real admins running them too. Jump box istm works best if all your stuff is at a single provider like AWS, so you're less likely to have an outage at the jump host block all your stuff. Yes there are ways around that but it gets complicated.

    Thanked by (1)yoursunny
  • Non-standard port, keys only, no root, raymii's cipherlist.eu, whitelist to two jumphosts on different providers. No whitelist when sshing via wireguard.

  • Keeping a server completely offline is one way to secure a server.

    Thanked by (2)yoursunny bikegremlin

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • nfn
    edited March 2022

    @deank said:
    Keeping a server completely offline is one way to secure a server.

    ticket #29387928... waiting for the provider reply to unplug the VPS energy cable :)

  • Changed port + only ssh key auth method + AllowUsers for me.

    ServerStatus , slackvpn <-- openVPN auto install script for Slackware 15

  • I feel like this is a really personal question here. I mean who I let in my port is my business..

    Tab Fitts | Founder/CEO - Spry Servers
    SSD Shared Hosting || VPS || Dedicated Servers || Network Status || PHX1 LG || DAL1 LG || || AS398646 || 1-844-799-HOST (4678)

  • Indeed, a bit too personal to share.

    Thanked by (1)SpryServers_Tab

  • skorupion Services Provider

    password, no jumpbox no nothing only maybe F2B worked wonderfully!

    Thanked by (1)lapua

    Crunchbits Technical Support, Technical Writer, and Sales
    Contact me at: +1 (347) 518-1661 or [email protected]

  • root OG
    edited March 2022

    I use different SSH port + port knocking + blacklisting everything that scans 22 + SSH keys on "root".

    How are you... online?

  • Never heard about a jump server BUT wouldn't that be putting all eggs in one basket? What happens if you forget to pay for your jump server or the IP gets changed?

    RCLOUDSYSTEMS - EmailBackup and EmailSync are powerful email management and migration utilities for an unbeatable price!

  • Mentally strong people leave SSH on port 22 where it belongs.
    There's no firewall restriction.
    Public key authentication required.

    Thanked by (2)kheng86 skorous

    ServerFactory aff best VPS; HostBrr aff best storage.

  • Wrote a script which (cron) reads 'special' dns names and opens ports to them. Key access only and non standard port.
    If I move around or an ip changes I update the dns and servers unblock.
    Works really well.

    Thanked by (1)fedor
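
The cron-driven DNS allowlist described in the post above, sketched as an added example (not the poster's script): it resolves a list of names, diffs the result against the addresses already allowed, and renders nft commands. The names, the `inet filter` table and the `ssh_allow4`/`ssh_allow6` sets are assumptions, and the caller supplies the current set contents.

```python
import ipaddress
import socket

# Constructed sample data: hypothetical names mapped to documentation addresses.
SAMPLE_RECORDS = {
    "home.example.net": ["203.0.113.5"],
    "laptop.example.net": ["2001:db8::7"],
}

def resolve(name):
    """Resolve name via the system resolver; raises OSError on failure."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def sample_resolve(name):
    """Offline stand-in for resolve() backed by SAMPLE_RECORDS."""
    if name not in SAMPLE_RECORDS:
        raise OSError(f"cannot resolve {name}")
    return {ipaddress.ip_address(a) for a in SAMPLE_RECORDS[name]}

def plan(names, current, resolver=resolve):
    """Return (to_add, to_remove) against the addresses now in the firewall set.

    If any name fails to resolve, nothing is removed on this run, so a DNS
    outage cannot lock the admin out; stale entries go on the next clean run.
    """
    wanted, complete = set(), True
    for name in names:
        try:
            addrs = resolver(name)
        except OSError:
            complete = False
            continue
        # Ignore records that can never be a legitimate remote source.
        wanted |= {a for a in addrs
                   if not (a.is_loopback or a.is_unspecified or a.is_multicast)}
    return wanted - current, (current - wanted) if complete else set()

def nft_commands(to_add, to_remove, table="inet filter"):
    """Render the plan as nft commands; set names ssh_allow4/6 are assumed."""
    cmds = []
    for verb, addrs in (("add", to_add), ("delete", to_remove)):
        for a in sorted(addrs, key=lambda x: (x.version, int(x))):
            cmds.append(f"nft {verb} element {table} ssh_allow{a.version} {{ {a} }}")
    return cmds

if __name__ == "__main__":
    current = {ipaddress.ip_address("198.51.100.9")}  # constructed stale entry
    print("\n".join(nft_commands(*plan(list(SAMPLE_RECORDS), current, sample_resolve))))
```

With this design the firewall trusts whoever can edit those DNS records, so key-only authentication stays on behind it.
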
  • Anyone uses tailscale.com?

  • Port 22, Root login, Password only, Allow all IPs

    #YOLO

  • MannDude Hosting Provider

    @FAT32 said:
    Port 22, Root login, Password only, Allow all IPs

    #YOLO

    Password: Hunter02

    Thanked by (2)FAT32 Wonder_Woman

    [ IncogNET LLC ] - Privacy By Design
    We believe that privacy and freedom of expression are two very important things, so we offer solutions to accessing and publishing content safely.
    [ USA: Liberty Lake, WA | Kansas City, MO | Allentown, PA ] [EU: Naaldwijk, NL ] [ CL Shared | KVM VPS | VPN | Dedicated Servers | Domain Names ]

  • Port 22, IPv6 only with public key auth

  • @FAT32 said:
    Port 22, Root login, Password only, Allow all IPs

    #YOLO

    not recommended?

  • non-standard yet privileged port to slim down the logs, then (as a general rule):
    LogLevel VERBOSE
    PermitRootLogin no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    TCPKeepAlive no
    Compression no
    a single IP may or may not be allowed in the firewall (personal VPN rather than jump hosts) but usually it's more convenient to allow all IPs (occasional scp or rsync between different boxes)
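
A way to check a config file against the six settings listed in the post above, as an added example that is not part of the original post. It models two sshd_config behaviours that trip people up: the first value read for a keyword wins, and lines under a `Match` block apply only to matching connections. The sample config is constructed.

```python
import re

# Settings from the post above, lower-cased; ALIASES maps one older spelling.
WANTED = {
    "loglevel": "VERBOSE", "permitrootlogin": "no",
    "passwordauthentication": "no", "kbdinteractiveauthentication": "no",
    "tcpkeepalive": "no", "compression": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

SAMPLE = """# constructed sample, not taken from a real host
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 203.0.113.0/24
    PermitRootLogin prohibit-password
"""

def parse(text):
    """Return (global_settings, match_overrides); Include files are not followed."""
    glob, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = None if value.lower() == "all" else value
        elif match is None:
            glob.setdefault(key, value)  # sshd keeps the first value it reads
        else:
            overrides.append((match, key, value))
    return glob, overrides

def audit(text):
    glob, overrides = parse(text)
    findings = []
    for key, want in WANTED.items():
        have = glob.get(key)
        if have is None or have.lower() != want.lower():
            findings.append(f"{key}: {have or 'unset (sshd default applies)'}, want {want}")
    for match, key, value in overrides:
        if key in WANTED and value.lower() != WANTED[key].lower():
            findings.append(f"Match {match}: {key} {value}, want {WANTED[key]}")
    return findings
```

On a live host, `sshd -T` prints the effective configuration with Include files and defaults already applied, which is the better input when it is available.
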

  • skorupion Services Provider

    @lapua said:

    @FAT32 said:
    Port 22, Root login, Password only, Allow all IPs

    #YOLO

    not recommended?

    who cares! Most people do it this way and don't have backups, then cry bc their data be gone, but once again WHO CARES LOLZ?

    Thanked by (1)lapua