New on LowEndTalk? Please Register and read our Community Rules.
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
Categories
In this Discussion
- 2008-2021 © LowEndBox & LowEndTalk. Privacy Policy. Powered by Vanilla.
Back to Top | LowEndTalk | LowEndBox | Dark Theme Config | Advertise
Comments
Thanks, saw it on bleepingcomputer too
Use Tailscale. It does the comment below in a foolproof way.
... and if possible, try to avoid SSH ports open to the public at all. For example, through setting up one (or better two) private, self-hosted VPN servers and add firewall rules to each server to only allow incoming SSH traffic from the VPN IPs.
Can also do port knocking as an added layer of security.
+1 with @hohl
For those too lazy to read - SSH does not have a vulnerability. Rather, someone just wrote a more efficient skiddy script. If you're using 12345 as your root password and you allow root passwords, you'll get hacked. This is really not news.
Who's the girl name?
Yes, and sorry, No. Yes, this attack does not use a vulnerability particular to SSH, but No, because it's much worse than "using 12345 as your root password and you allow root passwords".
Now to the really important part of this thread.
From description of malware it seems it is created by highly professional software developers because it use custom in-house developed protocol for communication.
https://en.wikipedia.org/wiki/Pernille_Harder_(footballer)
You may be legitimately concerned that I know this information.
hahahaa thanks
It's so simple to configure a secured SSH installation: disable password and root login. That's it. While you are at it, configure a fail2ban sshd jail. Further more, configure psad to report/auto ban port scanning. You'd be amazed at how many attempted port scanning/hacking your server got in a day.
Alas for your aspirations, according to Wikipedia she has closed her goal to men.
Is thier any way to add 2fa for ssh login?
On Saturday August 22, LowEndBox will feature a tutorial on using Google Authenticator as 2FA for your Linux ssh connections.
I feel old for that scenario port knocking is invented ... I feel old... Am I the only IT / Admin under 40 that use that .....
Supported in CSF - explained in readme.txt Paragraph 19
https://download.configserver.com/csf/readme.txt
Another solution is to listen only on IPv6. Generate a rendom IPv6 address on your VPS and use it for SSH only.
I understand by Whyyyyyyyyyyyyyyyyyyyy
(rhetorical)
Also change the port. Port scans on IPv6 are rare. But I see scanners once in a while scanning port 22 and 80 on IPv6.
Practically speaking, this increases security because there are less hacking attempts over ipv6 than ipv4, and the ipv6 address space is much bigger so it is more difficult to land on an SSH port. But still, it's security by obscurity.
This is what I implement on my servers - probably others too, on theirs.
You could even throw in
sshd: ALLin hosts.deny and chuck your preferred IPs in hosts.allow on top of it allYes, changed the port on IPv6 and also disabled password based authentication with key only login.
All off the above, plus magic candles and of course only passwords with min. 120 characters, min.12 of which must be capitals, min. 10 of which must be digits - but not add up to 66! - and min. 10 of which must be special chars.
Alternatively the local hair dressers web server can be secured by RSA-8192, DH, and a triple Rittberger while Bruce Schneier's Twofish code is recitated.
Also daily changing LE client certs should be required.
And forget about IPv6, that half witted "solution". For the local hair dressers web server to be secure we need IPv8 with 512 bit addresses plus 40 bits for ports, better even 56 bits. That'll show them attackers their limits!
I wouldn't dismiss everything above. Allowing keys only instead of just passwords is more secure...no?
Are keys always more secure? I do not think so. There are cases when keys are better and cases when passwords are better. A lot of people here working in hosting industry might consider keys to be better simply because it works well for their use case.
From technical point of view i do not see how average (still possible to remember but not 12345) password with rate limiting is worse than a key. Even considering bruteforce is attempted by botnet.
Thanks guys for psad's idea. I am using non-root + port knocking + fail2ban +different ssh port + 2FA. PSAD could help a little bit too!
Uh, you had to look that up on Wikipedia? The jersey/sport was a dead giveaway.
Keys are objectively more secure than an average password (>112 bits Vs even a strong password will be nowhere near that).
But you are looking at it from just "how strong is it against bruteforce" point of view. Passwords are weaker here, but also ratelimiting mitigates this weakness.
There are other considerations though, which in specific cases can easily make keys less secure. Especially keys with empty passwords or with 12345 passwords a lot of people use because of "but keys are so secure i do not need a password" complacency.