Ineffective security

Story: How to change the default SSH port on a Linux VPS
Total Replies: 6
dotmatrix

Oct 12, 2016
3:38 PM EDT
Changing the port will not have any measurable increase in security.

However, port knocking will increase security:

https://help.ubuntu.com/community/PortKnocking
penguinist

Oct 12, 2016
6:20 PM EDT
I agree that ssh port changing may not increase one's security, but I can say that the savings in log "wear and tear" is significant. While running ssh on port 22 my logs filled with exploit attempts, and after changing to a random port the logged exploit attempts have literally gone to zero. A port change will discourage "script kiddies" but as you point out, dotmatrix, a port change will not deter a serious exploiter.

The best ssh security is still a strong password and/or a big certificate. I went to 4096 bit certs a couple years ago and expect that I should be safe for a few centuries at least.
nmset

Oct 13, 2016
3:27 PM EDT
I consider the use of iptables' xt_geoip module to limit worldwide access to the server to be of interest. There are obviously attackers from allowed countries, but still, global access can be denied. It can also filter out regions or cities in a country; I've not tried this latter option. But a serious attacker can try his luck through a VPN, I agree.
gus3

Oct 13, 2016
5:38 PM EDT
As soon as I confirmed an exploit, the process would spawn a shell script to add the source address to the iptables DROP list. Yes, the list could get long, but it didn't get saved on reboot. Plus, I could manually clear out the list anytime.

Caution: if you test such a technique from the host, you could effectively block your own network traffic (i.e. 127.0.0.1 packets get DROPped, not a good idea). Before you ask, uh, yeah, I learned that one the hard way. :(
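The reactive-ban script gus3 describes above, as an added example that is not code from the thread: it counts failed sshd logins per source address over a constructed auth.log sample, emits an iptables DROP rule for every source at or over a threshold, and refuses to ban loopback or the administrator's own address so that testing from the host, or a typo in your own remote login, cannot lock you out. It assumes OpenSSH's "Failed password ... from ADDR port N ssh2" log format, a classic iptables INPUT chain, and RFC 5737 documentation addresses (203.0.113.10 standing in for "my own IP"); by default it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not code from the thread: a small reactive-ban script in the
# spirit of gus3's "spawn a shell script that adds the source address to the
# iptables DROP list", with the self-lockout he warns about designed out.
# Assumptions: OpenSSH "Failed password ... from ADDR port N ssh2" log lines,
# a classic iptables INPUT chain, and RFC 5737 documentation addresses standing
# in for real hosts. By default the iptables commands are only printed.

THRESHOLD="${THRESHOLD:-3}"             # failures before a source is banned
IPTABLES="${IPTABLES:-echo iptables}"   # set IPTABLES=iptables to apply for real
# Addresses that must never be banned: 203.0.113.10 stands in for "the address
# I administer from"; the peer of the current SSH session, if any, is appended
# from $SSH_CLIENT so a typo in your own login cannot lock you out.
SAFE_ADDRS="${SAFE_ADDRS:-203.0.113.10} ${SSH_CLIENT%% *}"

# Constructed sample of /var/log/auth.log lines (not a real capture).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct 13 05:01:10 vps sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40312 ssh2
Oct 13 05:01:12 vps sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40312 ssh2
Oct 13 05:01:15 vps sshd[2213]: Failed password for root from 198.51.100.7 port 40320 ssh2
Oct 13 05:02:01 vps sshd[2220]: Failed password for penguinist from 203.0.113.10 port 51000 ssh2
Oct 13 05:02:03 vps sshd[2220]: Failed password for penguinist from 203.0.113.10 port 51000 ssh2
Oct 13 05:02:05 vps sshd[2220]: Failed password for penguinist from 203.0.113.10 port 51000 ssh2
Oct 13 05:03:00 vps sshd[2230]: Failed password for root from 127.0.0.1 port 33000 ssh2
Oct 13 05:03:01 vps sshd[2230]: Failed password for root from 127.0.0.1 port 33000 ssh2
Oct 13 05:03:02 vps sshd[2230]: Failed password for root from 127.0.0.1 port 33000 ssh2
Oct 13 05:04:00 vps sshd[2240]: Accepted publickey for penguinist from 203.0.113.10 port 51002 ssh2
Oct 13 05:05:00 vps sshd[2250]: Failed password for root from 192.0.2.44 port 22222 ssh2
EOF

# should_ban ADDR: succeeds if ADDR may be banned, fails if it is protected.
should_ban() {
    case "$1" in
        127.*|::1) return 1 ;;   # loopback: DROPping it breaks the host itself
    esac
    for safe in $SAFE_ADDRS; do
        [ "$1" = "$safe" ] && return 1
    done
    return 0
}

# offenders MIN < LOG: prints "ADDR COUNT" for every source with >= MIN failures.
offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)       # the address follows the word "from"
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (a in fails) if (fails[a] >= min) print a, fails[a] }
    ' | sort
}

# banned_addrs LOG: prints the addresses that will actually be banned,
# i.e. offenders minus loopback and the safe list.
banned_addrs() {
    while read -r addr count; do
        if [ -n "$addr" ] && should_ban "$addr"; then
            echo "$addr"
        fi
    done <<EOF
$(offenders "$THRESHOLD" < "$1")
EOF
}

# apply_bans LOG: inserts a DROP rule for each banned address (or prints it).
# Rules live only in the running kernel, so a reboot clears the list, as gus3 notes.
apply_bans() {
    for addr in $(banned_addrs "$1"); do
        $IPTABLES -I INPUT -s "$addr" -j DROP
    done
}

apply_bans "$SAMPLE_LOG"
```

Run it as-is and it prints the one rule it would add (for 198.51.100.7); 203.0.113.10 and 127.0.0.1 also cross the threshold but are skipped by should_ban, and 192.0.2.44 has only one failure. Run with IPTABLES=iptables as root to apply the rules for real, and put your own address in SAFE_ADDRS before you do.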
penguinist

Oct 13, 2016
6:55 PM EDT
Quoting: "you could effectively block your own network traffic (i.e. 127.0.0.1 packets get DROPped"

It might be embarrassing if you made a typo during your own remote login. It might be years before the next reboot. I suppose you could walk over to the neighbors and ask to use theirs in order to log in from a different IP address.
dotmatrix

Oct 13, 2016
7:21 PM EDT
@gus3:

https://help.ubuntu.com/community/Fail2ban
gus3

Oct 14, 2016
5:43 PM EDT
@dotmatrix, this was about 15 years ago. Fail2ban was still a couple years out from its first release.
