New on LowEndTalk? Please Register and read our Community Rules.
Comments
It is the same. Just a matter of time.
No. Leaving SSH on port 22 means NO scan is needed. You'll decrease the amount of random attackers with this change alone. Anyone who has the target as a specific target and not just "doors unlocked, I think I'll walk in" will scan ALL ports to look for many/any vulnerability rather than a skid script scanning the Internet.
It's a reduction in attack surface, not a complete block of attack surface.
There are a number of whitepapers describing this myth. And several RFCs to try and address that.
Same with moving HTTPS to a port other than 443, yet nobody does that.
I mean I kinda agree with you, but there's very fast port scanning tools especially if you only scan privileged ports (<1024), so the actual impact these days isn't as large as it used to be.
I run all my servers with SSH on port 22, but with keys only (PasswordAuthentication no) and fail2ban is configured to block people for one week after 5 unsuccessful attempts ¯\_(ツ)_/¯
What? No, you're wrong. Publicly accessible services should be on the publicly assigned port for obvious reasons. Private use does not. Every NMS I use is not on 443 by default. Stuff on internal networks is often on non-443 ports. The amount of 443 stuff on 8443 and 8888, 8080, etc. is substantial.
To be clear, moving the SSH port is not an "either/or" with using fail2ban. Using both is better than either alone (I use both changing the port and fail2ban with a permanent ban, none of these pussy one-week timeouts).
I'm worried about locking myself out hahaha. Sure I could VNC in, but typing a long password over VNC is not ideal. Maybe there's a VNC client that supports pasting by emulating keypresses though? Also some IPs are shared very widely (e.g. some companies have all their outbound VPN traffic route via just a few IPs) so I didn't want to overly use permabans.
I haven't seen much stuff on non-standard HTTP ports for a while, but admittedly I don't use a lot of internal-only stuff so I believe you.
I do run some stuff on non-standard ports though, usually things I don't want to proxy through nginx. All the DNSTools workers are on port 54561 for example (https://github.com/Daniel15/dnstools/blob/bcf9a9c6533706f2f1dcd8cc0f73bbe0495048dd/src/DnsTools.Web/Services/WorkerProvider.cs#L105) as not all of them run Nginx (particularly the 128 MB VPSes)
It's happened to me on setting up freshly imaged servers. That's why the script I use to install stuff also whitelists my home IP and others. And would you ever wait 1 week to reconnect? No, then it's a trade-off between reducing the ban time and entering a 16-character password over VNC. But my home IP and some other long-time server IPs aren't going to change, so it's a good solution for me.
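The setup described in the keys-only post above (PasswordAuthentication no, fail2ban banning for one week after 5 failures) combined with the whitelist-your-own-IPs approach from the previous post, as an added example script that is not from any poster in this thread. The output directories, the drop-in file names and the 10-minute findtime are assumptions; 203.0.113.7 is a constructed placeholder for your own IP.

```shell
#!/bin/sh
# Added example (not from the thread): generate an sshd drop-in and a fail2ban
# jail that match the settings discussed. Output directories are parameters so
# the functions can be exercised against a scratch directory before being run
# as root with /etc/ssh/sshd_config.d and /etc/fail2ban/jail.d.
set -eu

# $1 = output dir, $2 = SSH port (22 keeps the default; any other value moves it)
write_sshd_dropin() {
    mkdir -p "$1"
    cat > "$1/50-hardening.conf" <<EOF
# Written by hardening script (assumed file name)
Port $2
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
}

# $1 = output dir, $2 = port sshd listens on, $3 = ban length in fail2ban
# syntax ("1w" = one week as in the post above, "-1" = permanent),
# $4 = space-separated IPs/CIDRs that are never banned (your home/office IPs)
write_fail2ban_jail() {
    mkdir -p "$1"
    cat > "$1/sshd.local" <<EOF
[sshd]
enabled  = true
port     = $2
maxretry = 5
findtime = 10m
bantime  = $3
ignoreip = 127.0.0.1/8 ::1 $4
EOF
}

# Returns 0 when the drop-in really disables password logins, 1 otherwise.
# Check this (and run `sshd -t`) from a second, still-open session before
# restarting sshd so a typo cannot lock you out.
passwords_disabled() {
    grep -qxi 'PasswordAuthentication no' "$1/50-hardening.conf"
}
```

On older OpenSSH releases the keyboard-interactive option is spelled ChallengeResponseAuthentication; adjust the drop-in accordingly.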
I think there are ways to get the VNC address out of the HTML and then just use a VNC client with password saving. Might be certain panels.
I was wondering if you meant the opposite, where services are set up on non-standard ports since they are being proxied by nginx (typically running SNI on 443). Anywho, just shows everyone has different use cases.