How safe is an open port 22, but only AllowUser root@IP? - Page 2

Comments

  • howardsl2 Member
    edited February 2015

    1 - Use key-based SSH authentication and disallow passwords in sshd_config. Also, set AllowUsers to only those accounts needed for login (e.g. root).

    2 - Move SSH port to a high random port generated from random.org (best if less than 1024, for security). After that, use port scan detection in iptables to defeat Nmap scans for your new SSH port. Use the iptables GeoIP module to allow/block by country.

    3 - For the more paranoid, also put a honey pot on port 22 (such as Kippo), then block anyone that hits port 22 from reaching your real SSH port for X minutes, by using the iptables recent module.

    4 - For the active ports found via netstat -anptu, first uninstall or disable unneeded services and close those ports. After that, protect all ports by establishing iptables rules to only allow connections from your whitelisted IPs. Or use port knocking to secure your ports (hidden until knocked), and drop traffic from known bad IPs using dynamic ipset blocklists.

    To learn more, refer to posts on my tech blog (see my signature).

    Thanked by 1: aglodek
  • MrX Member
    edited February 2015

    hwdsl2 said: 1 - Use key-based SSH authentication and disallow passwords in sshd_config. Also, set AllowUsers to only those accounts needed for login (e.g. root).

    Isn't it good practice to not allow root login by SSH at all?

    hwdsl2 said: 2 - Move SSH port to a high random port generated from random.org (best if less than 1024, for security). After that, use port scan detection in iptables to defeat Nmap scans for your new SSH port.

    Why is a low port number better for security than any other number?

    hwdsl2 said: 4 - Establish iptables rules to only allow connections from your whitelisted IPs. Alternatively, use port knocking to secure your ports (hidden until knocked).

    A good idea. Just keep in mind that if you lose control over the whitelisted IP(s), you can no longer access your VPS unless your provider provides a VNC or KVM/IPMI interface.

  • howardsl2 Member
    edited February 2015

    @MrX In the case that you disallow root login, just put those usernames you require in AllowUsers, instead of root. The above was only an example.

    For the reason for choosing an SSH port less than 1024, see the last paragraph in this answer. It makes sense; however, personally I don't care and just choose a high random port.

    And people debate about the effectiveness of changing the default ports for services.

  • @hwdsl2 said:
    And people debate about the effectiveness of changing the default ports for services.

    I don't see it as a debate, personally. It does absolutely nothing to increase security; the usefulness is in the context of reducing log clutter.

    Use cycling keys and firewall rules (if appropriate).

    @myhken said:
    Anyone with a really good firewall guide for CentOS 7?

    Dump the atrocity that is firewalld and install the normal iptables utilities.

    Thanked by 1: myhken
  • Uhm, not quite. In fact, root has its own sshd_config parameter (PermitRootLogin). So root is not just any user.

    And, yes, again, MrX is perfectly right. It's a VERY BAD idea to allow root SSH access.

    As for the port range (above or below 1024) the experts disagree. Each has its own set of advantages and problems. Gladly enough, however, this is a comparatively minor concern.

    @Rallias said:
    That's [Mark_R]

    Thanks so much! Finally I found out who took away my tentacle hentai collection.

    Oh and, not to be picky, but it's very sexy and only moderately dressed tentacles, please.

    Thanked by 1: myhken
  • First thing I always do is create a new user, add it to sudo and then disable root login overall. Or get fail2ban installed, works pretty awesome :p

    Thanked by 1: myhken
  • I myself feel pretty safe leaving SSH on 22 (key login only).
    The only drawback of leaving SSH on 22 is the log size.

    Thanked by 1: myhken
  • myhken Member
    edited February 2015

    Can I conclude that it's not recommended to have port 22 open, and that using a non-standard port is best (and not 2222 or something like that)?
    The next thing is to just open that port in the firewall, and maybe close port 22?
    Fail2ban can't hurt, with or without changing the port.
    Just use AllowUsers xxxx@your-ip (remember to have access to more than one IP).

    I use AllowUsers root@my-ip. I always use root. With a non-standard port, firewall rule, and IP restriction on the root user, can I say that I'm pretty safe? Of course I can be more secure using an SSH key with a password. But I do not use that, just everything else I have mentioned. I also use a pretty strong password, 20 letters (small, capital), numbers, and special symbols like +*-= etc. And I have a different password on all servers.

    Isn't there a big % chance that SSH is the way a hacker gets access to my server?
    Are my WordPress sites and/or my Virtualmin CP the weakest link on my servers?
    Or am I completely wrong in this matter?

  • bsdguy Member
    edited February 2015

    @myhken

    Can I conclude that it's not recommended to have port 22 open, and that using a non-standard port is best (and not 2222 or something like that)?

    Yes.

    The next thing is to just open that port in Firewall, and maybe close port 22?

    Yes

    Just use AllowUsers xxxx@your-ip (remember to have access to more than one IP).

    Yes and no. Yes, you can limit the IPs in SSH. No, you shouldn't; you should use the firewall for IP filtering. And: don't forget to set PermitRootLogin to no.

    I use AllowUsers root@my-ip. I always use root. With a non-standard port, firewall rule, and IP restriction on the root user, can I say that I'm pretty safe?

    No. If you're worth your salt as an admin, get used to logging in as a std. user and using sudo when root is needed.

    Isn't there a big % chance that SSH is the way a hacker gets access to my server?
    Are my WordPress sites and/or my Virtualmin CP the weakest link on my servers?
    Or am I completely wrong in this matter?

    Well, this was about SSH, arguably an important issue.

    But crackers aren't picky. Think of your server like a large house with many rooms and windows and some doors. Yes, you certainly want a solid door lock (and a solid door), but an intruder will use whatever happens to be "available".

    Let me use this opportunity to clear up a common misunderstanding, namely that SSH is the classical way evil guys get into your system. Nope. It's luring and attractive, of course, in part because everything is easy once one has succeeded in entering the system.
    And it looks impressive because everyone has a gazillion attempts against SSH every day.

    But looking at real-world scenarios (i.e. actually hacked systems), the three main culprits probably are lousy passwords, PHP (and to a degree Apache and MySQL, mainly due to stupid configs), and not-up-to-date Linux (let alone Windows).
    For your average small gardening hobby club one might not care much. But running, say, an online shop with LAMP on a not-up-to-date Linux is (IMO) pretty suicidal and akin to sending out invitations to evil guys.

    On a side note: Professionals don't run port scans for the result per se but rather to get a (surprisingly reliable) hint which servers are run by idiots (read: are attractive targets). Which, to close the circle, is another reason not to use port 22 for SSH; it's usually an indication that the admin of that box is no complete idiot and at least cares enough about security to do some simple steps. With millions and millions of systems out there (and millions being run by complete morons) crackers can afford to look for easy prey.

    Thanked by 2: myhken, aglodek
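    howardsl2's list and bsdguy's reply above disagree on PermitRootLogin but agree on key-only login and an AllowUsers whitelist. The script below is an added example, not code from any post in this thread: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment, and directives after the first `Match` line are conditional) and reports the settings discussed here. The two sample configs are constructed; port 2299 and the addresses are placeholders, and treating `prohibit-password` as acceptable is this example's policy, not the thread's consensus.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: audit an sshd_config for
# the settings discussed above (key-only login, AllowUsers whitelist,
# PermitRootLogin, non-default port). The two sample configs are constructed.

# Effective global value of a directive. sshd takes the FIRST occurrence of a
# keyword, keywords are case-insensitive, '#' starts a comment, and anything
# after the first "Match" line only applies conditionally, so reading stops there.
# (The rarer "Keyword=value" spelling is not handled.)
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                         # strip comments
        tolower($1) == "match" { exit }            # end of the global section
        NF >= 2 && tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# audit_sshd <file>: print FINDING/INFO lines and a SUMMARY line.
audit_sshd() {
    f="$1"
    n=0

    pw=$(sshd_get "$f" PasswordAuthentication)
    [ -n "$pw" ] || pw=yes                          # sshd's default when unset
    case "$pw" in
        [Nn][Oo]) ;;
        *) echo "FINDING: PasswordAuthentication=$pw (password logins allowed; use keys only)"
           n=$((n + 1)) ;;
    esac

    prl=$(sshd_get "$f" PermitRootLogin)
    [ -n "$prl" ] || prl=unset                      # default differs between OpenSSH versions
    case "$prl" in
        [Nn][Oo]|prohibit-password|without-password) ;;   # this example's accepted values
        *) echo "FINDING: PermitRootLogin=$prl (set it explicitly to no or prohibit-password)"
           n=$((n + 1)) ;;
    esac

    au=$(sshd_get "$f" AllowUsers)
    if [ -z "$au" ]; then
        echo "FINDING: AllowUsers unset (every local account may attempt to log in)"
        n=$((n + 1))
    else
        echo "INFO: AllowUsers=$au"
    fi

    port=$(sshd_get "$f" Port)
    echo "INFO: Port=${port:-22 (default)}"
    echo "SUMMARY: $n finding(s)"
}

# finding_count <file>: just the number from the SUMMARY line.
finding_count() {
    audit_sshd "$1" | sed -n 's/^SUMMARY: \([0-9]*\) .*/\1/p'
}

# Constructed samples: a stock-looking config and a hardened one.
SAMPLE_BAD=$(mktemp); SAMPLE_GOOD=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'
# constructed: what many images ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$SAMPLE_GOOD" <<'EOF'
# constructed: port and addresses are placeholders
Port 2299
PermitRootLogin prohibit-password
PasswordAuthentication no   # keys only
PubkeyAuthentication yes
AllowUsers admin@203.0.113.10 admin@198.51.100.7
Match User deploy
    PasswordAuthentication yes   # conditional; not the global setting
EOF

audit_sshd "$SAMPLE_BAD"
audit_sshd "$SAMPLE_GOOD"
```

    Run it against a real file with `audit_sshd /etc/ssh/sshd_config`; the Match-block handling matters because a conditional `PasswordAuthentication yes` further down does not loosen the global setting, and the whitelist is printed as INFO so you can check it lists more than one address, as several posters above advise.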
  • I guess changing a port to something higher than 1024 is a good practice. As far as I know nmap by default (fast scan) scans known ports and additionally ports from 1 to 1024. Most people scan with those nmap settings, so you won't get discovered that easy if your SSH port is higher than 1024.

    Thanked by 1: myhken
  • I don't believe in this whole "security through obscurity" idea. Sure, it makes it one step harder for an attacker to get to you, but it's far from the safest security measure you can put in place. I personally feel that changing SSH ports may cause more issues than it's worth. There's a reason port 22 is the default; switching it may increase the risk of functionality breaking.

    Thanked by 1: myhken
  • UrDN Member
    edited February 2015

    You will not have any trouble even by just leaving ssh running on port 22 with PermitRootLogin with password authentication as long as the password is strong enough. You can eventually limit failed attempts to prevent brute forcing.

    I have many machines running like this for years.

    Thanked by 1: myhken
  • waya Member
    edited February 2015

    @Vita said:
    I guess changing a port to something higher than 1024 is a good practice. As far as I know nmap by default (fast scan) scans known ports and additionally ports from 1 to 1024. Most people scan with those nmap settings, so you won't get discovered that easy if your SSH port is higher than 1024.

    Takes longer to discover the port, but at the same time it is more vulnerable, I hear, since with ports below 1024 you'd at least know services are started by root.

    Thanked by 1: myhken
  • I always change my server's SSH port. It's safer and reduces the high CPU load due to hack attempts.

    Thanked by 1: myhken
  • I run stuff that requires other folks to connect, like stuff for work, on port 22.

    Because no matter the amount of documentation, someone isn't going to read it and will try to connect too many times and get themselves locked out. Root login is allowed without-password only (key-based auth), and then everyone else gets unique usernames & strong passwords.

    Then I run fail2ban with a permanent ban after a few failed attempts.

    On my own stuff, I run SSH on a different port and lock everything down except for SSH + other required ports.

    Thanked by 1: myhken
  • Worth mentioning, a few iptables rules to help deter brute force -

    -A INPUT -p tcp -m tcp --dport <port> --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m recent --set --name DEFAULT --rsource -j ACCEPT
    -A INPUT -p tcp -m tcp --dport <port> --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m recent --update --seconds 120 --hitcount 6 --name DEFAULT --rsource -j DROP
    

    Just another tool for the toolbox.

    Thanked by 1: myhken
  • Master_Bo Member
    edited February 2015

    I would also add: switch root to key-only authentication in case you absolutely need it (although I don't see any scenario in which you would).

    In my case:

    • I use non-standard ports
    • I use key-only SSH authentication
    • port knocking, if I really need extra wave of paranoia over me atm

    Also, I have an ipset-based service in place, which detects attempts to access unadvertised ports (including the SSH default port) and adds their source IPs to a blacklist. That blacklist is aggregated; I collect it from several "honeypot VPSes" to keep my servers cleaner.

    OpenVZ still doesn't support the ipset module, other hypervisors do, and I recommend studying ipset's power closely. Simple and convenient tool.

  • Pardon me, but that guy is largely a classical case of "everybody knows" blabla and half-truths.

    Example: Once a process has done what only root can do, it falls back to a normal user.

    That's double nonsense. For one, that's theory; in the real world there are enough apps that just luckily stay root. Second, it's not the full truth because dropping root is not a one-way road; one can elevate back to root with a simple system call. To make it funnier, the "standards" are implemented wildly differently.

    And then, of course, the omnipresent blabla wisdom about obscurity. How about "getting rid of the 95% script kiddies leaves the system more time and resources to take care of real and more serious attacks"? Or how about "killing script kiddie attacks at the (very low) firewall level is way cheaper and way more efficient than doing it at a higher level"?

    Let me offer you a way more reasonable - and sound! - "holy rule" than the "obscurity is no security" shit:

    Kill them early and kill them cheap!

    Thanked by 1: aglodek
  • Using iptables, port knocking is pretty easy to set up on the server side. How about client side running Putty? Any pointers on how to automagically port knock and connect with Putty?
