New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
suorsudo. SSH to relevant user accounts directly using a distinct session. UNIX security is a jokeWhat? Can you clarify what you mean?
What exactly do you think 2FA protects against in this scenario? Are you worried that somebody's gonna crack your RSA or ECC key?
HEY EVERYONE! DON'T BE A FOOL! DO NOT ANSWER THE QUESTIONS!
You are helping @vitobotta with his homework. This is his latest assignment: "Social Engineering - Research the Target" from the Offensive Security course that he enrolled in.
(Alright, just kidding. Repeating: Only joking.)
.
Am I the only paranoid security-oriented person here who has noticed a sudden spike in social engineering threads that gather answers to personal secrets on LowEndTalk: "Favorite snacks?", "What's your ride?", "What are you listening to?", and my favorite, "What's your weight?"
... and ones fingerprinting your equipment and services: "What home router do you use?", "What's your connection speed and how much do you pay for it?"
Yeah, only kidding about that, too.
😂
When we got out of Datacenter.
We disconnect internet. Guess what?
Most and best security pratice. You have peace in night and in the evening probably you won't be hacked or have any issue.
Disconnecting the internet can be stupid but is one of most powerful things you can do. No worries about who will access your server or brute force.
I hope this helps you.
Just have a secure sshd config and only use SSH keys. Anything more is security by obscurity.
If someone is cracking your SSH keys with a quantum computer then you have much bigger things to worry about...
If you are on Debian/Ubuntu - Enable
unattended-upgradesTrue, github still does not fully support ipv6, and they are constantly mocked for it. Not really a club I would aspire to join.
Actually, people in general doesn't give a f*ck if they use ip4, ipv6 or ethernet over carrierpidgeon, as long as they get their tiktok or facetube or whatever. They do not choose at all, they type in the URL and hit enter. But if they use Windows and have a decently modern router, chances are they use ipv6 atleast locally. Beyond that their provider choose for them, and unfortunately some providers are still stuck in their old ways.
The reason usage is "only" 40% is in no small part due to some major US providers being hopelessly behind. In EU on the other hand providers are starting to go ipv6 only and are using 6to4 to reach the legacy sites.
If I remember correctly you are from the UK, right? What fiber provider in the UK still doesn't have ipv6?
But this is off topic, I think there are plenty of threads already if we want to discuss ipv6.
I usually just pray it never happens because i'm too lazy to do all that
Just use Tailscale SSH and don't bother setting up anything else.
If you don't restrict port 22 over a private VPN then you always have the risk of being exploited through OpenSSH vulnerabilities. This also prevent any bots from hammering your SSH or brute forcing their way in. You don't take chances with security.
Don't follow these dumb suggestions to change port 22, port knocking, keeping ssh over ipv6 only or adding new modules to SSH server (unknown vulnerabilities).
But are you also blocking IPs except cloudflare or using authenticated origin pulls to ensure that bots cannot DDoS or bypass Cloudflare WAF?
I don't use Docker. But I assume that you should be able to harden Docker via apparmor instead of the container services. May be run docker without root access.
@Merakith I will look into Tailscale SSH.
Today I set up Crowdsec on my two servers, and it's nice. I configured two bouncers, one for the local firwall and the other for Cloudflare's firewall.
How far do you want to take this?
Put the servers in a Tempest facility (SCIF). All devices in the nearby secure offices that connect to the servers must be Tempest-rated terminals or computers. The connections must be fiber optic cables. Power to the facility and terminals/computers is regulated and filtered, of course.
Patrol the secured area with live, armed guards.
Disconnect the internet. Actually, never connect the internet. :-)
Sound like it might be fun to work in such a place? It isn't. (P.S. ... and do not accidentally bring any documents home, either!)
Did you know the irony right? Everything is not fully secure. If someone skilled join in it.
Just watch Fortinet Guard / Firewall CVEs.. Critical CVEs and they pay to be advertised everywhere...
Yes, I knew the irony. Facilities like I described actually exist, but they are not connected to the internet. They are highly secure. They are not fun to work in - they are in buildings with no windows and many restrictions.
Vodafone. Probably the provider with the most fibre coverage right now.
When I get a new VPS or Dedicated server I always do the fallowing for security reason.
1 - add a user.
2- change the port 22 and Install Fail2ban.
3 - disable root login in etc ssh sshd config.
4 - Add AllowUsers user@myIP., I only allow SSH login from my home IP in etc/ssh/sshd_config.
5 - setup SSH login alert email.
This type of thread has been discussed so many times. Why we keep going around?
A good password, close ports, whitelist in FW only specific IP's. Don't have static IP at your home network? Use a jump box. Can't get f* if your ports are closed by firewall.
If using the recommended providers: Digital Ocean, Linode, Vultr, they all have cloud firewalls. Configure those, same logic applies, close ports, whitelist your jumpbox IP. When deploying associate cloud firewall with VM, done. Want more? enable your OS firewall too as secondary layer in case cloud firewall fails.
Anyway if using key to access your Server instead of passwords, make sure to password protect your private key. In case it get's leaked they have to know the password to use it...
blah blah
I'm too lazy to pray. I like more to configure servers.
In addition to what you described, you can also do the following:
1) block all ports on the firewall except those used by the server
2) set up port knocking on the SSH port
3) set up email notifications about logging in to root (or another user
who has great privileges)
This is all superfluous. Changing the SSH port is security by obscurity. Just use PubkeyAuthentication and turn the PasswordAuthentication off. But even if you don't, it's not an issue if you set a random password with >100 bits of entropy for all users that can log in via SSH, all kinds of brute force attacks are pointless then.
The real threats are:
So you change the risk of being exploited through OpenSSH vulnerabilities to the the risk of being exploited through OpenVPN vulnerabilities (if it's something like ACE). In this case I would rather trust OpenSSH tbh.
I was referring to WireGuard. It's just 4000 lines of code compared to OpenSSH's 140K lines of code. Wireguard is easier to audit imo and have a decent track record.
I just stopped exposing SSH to the Internet, and am now using a Cloudflare tunnel to SSH into the servers, still with OTP codes required. This was super easy to configure.
140K... holy cow
That sounds interesting.
I haven't checked Tailscale SSH as others suggested because I use Cloudflare for several things already and this tunnel stuff couldn't be easier really
Plot twist: you're right.
are you dealing with super confidential data? what you already listed are all overkill, it is secure sir. :-) but those data are not safe when the drive itself is compromised.
Well just personal data but of course it's confidential. Yeah the drives unfortunately are not encrypted. I haven't done that because it's a bit of a hassle when setting up virtual servers