
Comments
my goto setup is just plain old ssh on 22, keys (only on production servers), and fail2ban to ban the sus IP after three failed attempts for a month or two if not for a year. And it works all the time.
Agreed. I leave SSHd on 22 for outbound firewall restrictions blocking non-common ports on some networks.
Leave fail2ban and similar disabled because,
If there is something going on with my hardware key, I've been locked out before I get it fixed.
1st failure because of random issue
2nd failure after starting the agent, because most commonly the agent not running is the cause of the failure
3rd failure after restarting the agent
Blocked by firewall rule; has happened too many times.
Didn't get to remove and re-insert
or
remove, kill agent, insert key, start agent, and try connecting again.
Turning off passwords instantly stops the bots. They try once and move on.
So the key for perfect protection is to disable password login?
SSHd wise, yes.
As for securing your VPS, it depends what other software you have installed and running.
Bad versions of log4j, doesn't matter if SSHd is secure.
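The exchange above boils down to a handful of sshd_config settings. The following is an added example, not code posted in the thread: a small POSIX sh audit that reads an sshd_config-style file (path passed as the first argument; the two sample files it creates are constructed) and reports whether password login is actually off, keys are on, and root password login is closed. The option names and their defaults are OpenSSH's; the file parser is a simplification that ignores Match blocks, so on a live host confirm with `sshd -T`, which prints the effective configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config-style file for the
# settings the posts above discuss (password login off, keys on, no root password).
# The file path is passed as the first argument; the sample files below are constructed.

# Print the value of option $2 from file $1. sshd honours the first occurrence of an
# option, so we stop at the first match; conditional "Match" blocks are not handled,
# so on a live host confirm with `sshd -T`, which prints the effective configuration.
sshd_opt() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                            # skip comment lines
        tolower($1) == "match" { exit }               # stop at the first Match block
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit the file: prints one WEAK/OK line per check and returns the number of
# weak settings (0 means every check passed).
audit_sshd_config() {
    f="$1"; weak=0
    # PasswordAuthentication defaults to yes when absent.
    pa=$(sshd_opt "$f" PasswordAuthentication)
    if [ "${pa:-yes}" = "no" ]; then echo "OK:   PasswordAuthentication no"
    else echo "WEAK: PasswordAuthentication is '${pa:-yes}' (set it to no)"; weak=$((weak+1)); fi
    # KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication) also
    # defaults to yes; with PAM it can still accept a password even when
    # PasswordAuthentication is off, so it must be disabled as well.
    ki=$(sshd_opt "$f" KbdInteractiveAuthentication)
    if [ -z "$ki" ]; then ki=$(sshd_opt "$f" ChallengeResponseAuthentication); fi
    if [ "${ki:-yes}" = "no" ]; then echo "OK:   KbdInteractiveAuthentication no"
    else echo "WEAK: KbdInteractiveAuthentication is '${ki:-yes}' (set it to no)"; weak=$((weak+1)); fi
    # PubkeyAuthentication defaults to yes; it must not have been turned off.
    pk=$(sshd_opt "$f" PubkeyAuthentication)
    if [ "${pk:-yes}" = "yes" ]; then echo "OK:   PubkeyAuthentication yes"
    else echo "WEAK: PubkeyAuthentication is '$pk' (set it to yes)"; weak=$((weak+1)); fi
    # PermitRootLogin defaults to prohibit-password; "yes" allows root password logins.
    pr=$(sshd_opt "$f" PermitRootLogin)
    case "${pr:-prohibit-password}" in
        no|prohibit-password|without-password) echo "OK:   PermitRootLogin ${pr:-prohibit-password}" ;;
        *) echo "WEAK: PermitRootLogin is '$pr' (set it to no or prohibit-password)"; weak=$((weak+1)) ;;
    esac
    return "$weak"
}

# Demonstration on two constructed files (sample configs, not from any real host).
demo() {
    weakf=$(mktemp); hardf=$(mktemp)
    printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n' > "$weakf"
    printf 'Port 22\nPasswordAuthentication no\nKbdInteractiveAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin prohibit-password\n' > "$hardf"
    echo "== weak config =="; audit_sshd_config "$weakf" || true
    echo "== hardened config =="; audit_sshd_config "$hardf" || true
    rm -f "$weakf" "$hardf"
}
demo
```

The commented-out `#PasswordAuthentication no` line in the weak sample is deliberate: a commented option is the default, not the value written after the `#`, which is a common reason a host that "has passwords off" still accepts them.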
That just stops the easy bots; the really dangerous bots are always trying different tactics. The most common 'easy' target is port 22 ssh and an easy password, so most bots try for that.
Everyone says use a VPN, but then you're not exposing or depending on the security of SSH; you're now depending on whatever VPN you're using and you're still exposing it to the internet. You're just pushing security onto another application that could be worse.
If you don't want to expose something to the internet, you can firewall the port to only allow your IPs to it. The disadvantage is you can't SSH from anywhere anymore and you're now putting security on the firewall, but well-known and tested ones are probably more secure than SSH and any VPN.
Agreed, this stops easy/dumb bots. Turning off passwords doesn't stop bots, as I had one bot trying on a VPS I had that I changed the ssh port on. Fail2ban used to be after 10 tries and only an hour. I saw it banned something one day and checked logs and the bot was trying every hour. I bumped down to 3 fails and changed the time to a month. Never saw it in the logs again leading up to the months I didn't renew.
Don't even think it was trying random keys, just random usernames and passwords. Only one user on the VPS was allowed to ssh and it wasn't root.
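The "three failures, then ban" rule from this post, and the lockout complaint earlier in the thread (the admin's own address getting banned while a hardware key misbehaves), are two sides of the same detection logic. The following is an added example, not something posted in the thread: a POSIX sh/awk function that applies that rule to a constructed set of sshd log lines (addresses are documentation ranges, not real hosts) and skips an allowlist of addresses that must never be banned, which is what fail2ban's `ignoreip` setting does. It counts failures only; fail2ban additionally limits the count to a `findtime` window, which is omitted here.

```shell
#!/bin/sh
# Added example, not from the thread: the banning rule the post describes (N failed
# logins from one source, then ban) applied to constructed sshd log lines, with an
# allowlist so an admin's own address is never banned (the earlier lockout problem;
# fail2ban calls this `ignoreip`). Counts are not windowed by time.

# Constructed sample auth log in syslog style; 198.51.100.7 and 192.0.2.44 are
# password guessers, 203.0.113.5 is an admin whose key agent is misbehaving.
SAMPLE_LOG='Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:04 vps sshd[1203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:00:09 vps sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 40140 ssh2
Mar  3 10:01:12 vps sshd[1210]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2: ED25519 SHA256:EXAMPLEFPR
Mar  3 10:02:30 vps sshd[1212]: Failed publickey for deploy from 203.0.113.5 port 51010 ssh2: ED25519 SHA256:EXAMPLEFPR
Mar  3 10:02:41 vps sshd[1214]: Failed publickey for deploy from 203.0.113.5 port 51012 ssh2: ED25519 SHA256:EXAMPLEFPR
Mar  3 10:02:50 vps sshd[1216]: Failed publickey for deploy from 203.0.113.5 port 51014 ssh2: ED25519 SHA256:EXAMPLEFPR
Mar  3 10:05:00 vps sshd[1220]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Mar  3 10:05:30 vps sshd[1221]: Failed password for invalid user oracle from 192.0.2.44 port 33002 ssh2'

# Read log lines on stdin; print, sorted, every source IP with at least $1 failed
# logins, skipping any address in $2 (space-separated allowlist). Successful logins
# ("Accepted ...") are not counted.
ban_candidates() {
    awk -v max="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ignore[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in ignore)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# Demonstration: maxretry 3 with and without the admin address allowlisted.
echo "== maxretry 3, no allowlist =="
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 ""
echo "== maxretry 3, 203.0.113.5 allowlisted =="
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 "203.0.113.5"
```

With no allowlist the admin at 203.0.113.5 is banned alongside the password guesser, exactly the lockout described earlier; with the address allowlisted only 198.51.100.7 is reported, and 192.0.2.44 stays under the threshold. In fail2ban the corresponding knobs in jail.local are `maxretry`, `bantime`, `findtime` and `ignoreip`.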
For maximum protection you could turn it off
As far as I know WireGuard is silent if you don't have the correct key. Plus I'd say WireGuard has a smaller attack surface than the SSH daemon. And what if your ISP decides to change your IP one day (or you already have a rotating one, or if you travel)?
To complete others' advice, use a WAF for the websites you host with the VPS; also create iptables rules that only let the WAF access your website, so that you do not expose your IP.
Hope it helps.
There are just 2 types of security when it comes to VPS.
First is access to your server. So you have to make sure to have proper ssh auth, no weak passes. Or best of all, which I recommend to everyone, just whitelist your VPN or home IP for ssh.
Second is application-based security. This depends on what you're running on the VPS and this may vary.
All other guides are probably useless if you just want to set it up simply.
The easiest thing would be to use Tailscale and only bind your outbound ports to your Tailnet. It also allows you to configure SSH access so you can close all the ports and only access the VPS that way.
I'll just repost what I posted before,
this hardened memory allocator is sort of schizo tier but I suggest it if you're just going to idle. People will already suggest the basics so may as well suggest something a little more esoteric.
First step should be whitelisting one or more IPs you'll access it from.
Why?
Just don't use fail2ban for SSHd.
If that is the reason somebody gains access to my systems, they can have them, they deserve them.