I noticed that some Chinese jackass has been attempting to SSH into one of my machines. Is there a way to run an SSH server without making it publicly accessible?
I've stopped the attack by disabling port forwarding and stopping the SSH service. However, I'd like a solution that still allows me to remote into the server from other machines on the local network.
Ssh with pgp key access so no one but you can access it
Jacob Gomez
put ssh on port 69
Jace Reyes
fail2ban
Brayden Flores
Use a whitelist instead of a blacklist. In other words, allow access to your node only from a list of your choosing. Most routers/firewalls allow this -- iptables. Even ssh has this functionality built in.
Brandon Sanders
OpenVPN
Nathan Gomez
if you have to ask, you don't deserve the answer
Jayden Taylor
>Is there a way to run an SSH server without making it publically accessible?
Knockd.
Christopher Wood
Those are just bots, there's thousands probing every address constantly.
>I want to block all bruteforce attempts
Force pubkey authentication
>I want to prevent most standardized attacks
Put SSH on a different port >10000 (nearly nobody is going to portscan unless a targeted attack is taking place)
>I have reliable access to an IP address which won't change
Drop all traffic to your ssh port except from your whitelist
>I don't have reliable access to an IP address, and I need password authentication
fail2ban
>I'm paranoid, I don't want anyone to know I have a public-facing SSH service
Port knocking
>I don't want SSH public-facing
Wrap your SSH traffic in a VPN or proxy (socks5, openvpn, etc.). Connect to your VPN, then forward a port internally
Juan Jackson
>I'd like a solution that still allows me to remote into the server from other machines on the local network.
Depends on what your network looks like. If this is a machine on a local network behind a NAT router, then disabling port forwarding for the ssh port on the router will do exactly what you want. Nobody from outside your network will be able to hit your server's ssh port, but people inside the network will. If there's no NAT here and the server has both a public and private IP address, you can just have the sshd only listen on the local address, or add an iptables rule that drops packets coming in on the public address destined for the ssh port.
Josiah Hill
SSH runs over TCP, so you have to make some firewall gymnastics to make this happen. You should be using SSH keys for login to prevent effective bruteforce attacks. You could use fail2ban to filter out the spam at least slightly.
But unless SSH moves to UDP (which it won't), then it won't be truly stealthy in elegant way.
Matthew Fisher
OpenVPN is a humiliation of human software engineering
Carson Fisher
ssh with cryptographic key of byte size 8192MB. Next change ssh port to something between 3600-4900. Bonus points if you can find a way to dynamically change the port number in that range so that only you and others you want to can access it.
Even better, just create a spoof-ssh with a virus attached to it so that when they access it their computer gets fucked.
Adrian Wright
a properly configured firewall helps
Elijah Campbell
>Is there a way to run an SSH server without making it publically accessible?
Don't host an ssh server unless you know what you're doing... jesus christ man, learn some networking
Christopher Ward
Keyed Ssh over hidden service. The only person who will know about it is the person who set it up
Mason Hill
WireGuard
Gavin Fisher
why do people put ssh behind shit like openvpn? openvpn is bloat and that makes it much easier to exploit than ssh
Blake Gutierrez
Yep, although I've heard numerous reports of random firewalls just filtering out UDP entirely. (And VPNs over TCP are problematic.)
Is there a way to set up SSH-like service with use of VPN?
Nathan Ramirez
>I've stopped the attack by disabling port forwarding and stopping the SSH service.
Why? If you use ssh keys they can attack you for a thousand years and not make any real progress. Turn off password authentication altogether.
Caleb Nguyen
>disabling port forwarding for the ssh port on the router will do exactly what you want
Yup, it looks like you are correct. For some retarded reason, I thought that would prevent machines inside the network from SSHing into it. Thanks user.
>if you have to ask, you dont deserve the answer
>Don't host a ssh server unless you know what you're doing,..... jesus christ man learn some networking
Yeah, I'm admittedly a bit of a moron sometimes. Fortunately, this server solely exists for educational purposes.
Charles Bennett
you can ssh over vpn
Logan King
a vpn wont make it more secure
Lincoln Moore
>I don't have reliable access to an IP address, and I need password authentication
Can't you just use a host name instead?
Wyatt Torres
Why do brainlets think SSH keys are fucking magic? A strong password is impossible to crack, especially if you're trying to do it over the network.
Joseph Nelson
Yes, I know. I just suggested to use wireguard instead of openvpn. That's it.
Hudson Cook
Try running a hidden service on port 22 then ssh through tor
Jeremiah Hughes
>implying everyone uses strong passwords
Michael Stewart
>Change port to something other than 22
>disable non-key logins
>use fail2ban
I am not trying to be mean, but asking like a fucking retard for basic ssh configuration on UBUNTU isn't something I would be proud of
Jordan Jenkins
it's just annoying log spam if your system is not misconfigured. one way to avoid them would be using ipv6 if you have it. haven't seen even one of those bots there
Ian Scott
>A strong password is impossible to crack, especially if you're trying to do it over the network.
Yeah, but nobody wants that shit on their network. I've once seen 7 bots spamming my server relentlessly causing things to slow down. I just use fail2ban and limit it to 2 attempts before getting the boot.
Isaac Gonzalez
I'm literally not implying that you stupid fucking faggot. Get some reading comprehension.
fail2ban has nothing to do with keys.
Nicholas Jones
I know. To be clear, I was implying passwords alone bring another level of annoyance.
Colton Parker
I just looked at my firewall logs and I had 200 blocked attempts in 2 minutes, not one towards the SSH server at all.
Seems like there are bigger issues out there.
Grayson Perez
They aren't "issues". There have always been bots scanning the internet and trying shit. Basic security practices keep them out, and they don't hurt anything by poking at your machines.
Brayden Cox
Seems like you should start using fail2ban
Jacob Wright
Don't need to, WAN blocks all inbound traffic.
Matthew Brooks
vpn is an option, i use different port for ssh so random attacks can't find it, if somebody really wants to enter your machine he can scan all ports of course, but that's rarely the case.
Julian White
You're getting connection attempts on a site from a site/server only accessible behind your LAN?
Grayson Bailey
just disable password logins and setup an ssh key.
Alexander Morgan
That sounds confusing. I meant to say your machine is logging connection attempts from bots or whatever that are not in your LAN, but is protected by a firewall and/or isn't accessible via WAN?
Bentley James
ITT 90% retards
You set up pubkey authentication
You disable password authentication
You install fail2ban
You set it to max 1 attempt and 365 days ban time
You log in from a machine that doesn't have a key installed once and you're locked out from ssh
>pgp
kek useless
They are usually much harder to crack than a password
Alexander Wilson
Not impossible to crack if there is no login attempt limit in place. What is so hard about using a key?
Jordan Perez
>Not impossible to crack if there is no login attempt limit in place
PAM limits the attempt rate by default, more than enough to prevent a secure password from getting bruteforced
Jaxson Walker
>A strong password is impossible to crack
A strong password is hard to remember, takes a long time to type, or both. An SSH key is nearly instantaneous, which is a big advantage when you're not a kid LARPing as a hacker but someone responsible for dozens of machines.
Application-specific vulnerabilities or inadequate pre-authentication protection (note how bruteforce protection for passwords requires a 3rd-party firewall script?). As well, VPNs can create a reverse tunnel where you can route SSH traffic behind NAT/CGNAT without needing to port forward (VPN from CGNAT server connects to me who doesn't have CGNAT, I connect to SSH through that VPN's tunnel)
Domains incur a financial cost which is not accessible to all users, and whitelisting domains makes dns hijacking / poisoning a concern
Tyler Perez
that would only help if the vpn is perfect software and has no bugs. not something that openvpn is even though many use it.
Asher Davis
OP, don't bother listening to anyone in this thread. There is only one answer, and that is to turn off password authentication and only use SSH keys. What you are seeing is the "noise" of the internet; it's pointless to try to block it as it's not harmless so long as you disable password authentication and keep ssh updated. Trying to block countries, change ports, etc. is just security by obscurity. Accept that people will probe your server and be prepared for it; it's just part of the internet.
Connor Cook
You can get free domain names.
David Wright
>what are password managers
Brayden Hughes
I think that's too simplistic of a view. Hostile networks exist which will drop ssh traffic if they can see it, and wrapping protects against that. ssh plugs into PAM which increases the potential attack surface of the system (app vulnerabilities / authentication DoS which needs to be managed by f2b), etc. etc. Not saying that ovpn is a bugfree miracle product, but there's a reason a well designed corporate network forces you to vpn in (pref with ipsec..) before you're even allowed to try to touch services
Yeah, I forgot. I haven't used a free domain in ages. Other issues still apply though
Dominic Roberts
>ssh plugs into PAM which increases the potential attack surface of the system
One sentence: OpenVPN uses OpenSSL. BTFOed.
If you have a single server and you use OpenVPN to connect to it to SSH, then just literally kill yourself. I completely understand for a corporate setup with tons of services and users, but for 1 personal vps with 1 user, just fucking use ssh and be done. You are massively complicating things installing OpenVPN. OpenVPN is a real bloated piece of shit software; you know that a hobbyist sysadmin is going to misconfigure the shit out of that. In fact, even if you want a personal vpn, why not use WireGuard? Plenty good enough for a single user
Brayden James
>fail2ban
Use sshguard instead, it can ban IPv6 addresses. Fail2ban can only recognize IPv4.
Noah Clark
This is the only useful answer in thread.
Easton Miller
How about don't use any. You only increase the chance of locking yourself out of your server. If your server is secure, then it can't be bruteforced. If it isn't secure, no fucking way would I count on the hackers not having enough IP's to bruteforce their way in.
Jonathan Ward
>You set it to max 1 attempt and 365 days ban time
Check out my site:
Oh, what's that? fail2ban only looks at connections and has no idea that wasn't a real login attempt, and now you're locked out of your server for a year? well get fucked.
Caleb Nelson
I know my server is secure without SSHGuard. But the high number of brute force attempts fills the sshd connection pool and then my legitimate connections fail. I increased the pool size to 10k but that filled up too. With SSHGuard the connection count stays low, in the hundreds.
Robert Taylor
fail2ban does look at login attempts you fuckface. How would it determine that a login was successful?
>not having a specific "management network" whitelisted to work around that
>not having friends that could unban you
Hunter Baker
It works by looking at the connections to the port and grepping the logfiles to see if it was successful. Simply connecting to the port X number of times and sending any arbitrary data (such as http requests caused by iframes) is enough to get you blacklisted.
Jordan Lewis
No it's not you retard. sshd logs failed attempts and fail2ban picks those up.
Grayson Clark
vpn
Grayson Thompson
My bad. Actually sshd still logs these connections and fail2ban treats them as failed logins and bans; it appears like this in the logs:
>Feb 03 00:25:24 server2 sshd[6144]: Bad protocol version identification 'GET / HTTP/1.1' from x.x.x.x port 60622
Dylan Roberts
Your bad again. Yes, sshd logs these. However, in default mode fail2ban only counts entries that contain a pattern like "authentication failure". You'd have to turn it up to aggressive mode to count bogus data or preauth disconnects as well.
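The default-versus-aggressive distinction in the exchange above, as an added example that is neither from the thread nor fail2ban's own code: a small awk filter that counts sshd failures per source address over constructed journal lines (documentation-range addresses, invented host name and users) and lists which addresses would cross a maxretry threshold in each mode.

```shell
#!/bin/sh
# Added example, not code from the thread and not fail2ban itself: count sshd
# failures per source address the way fail2ban's sshd filter does in its two
# modes, then list the addresses that would reach maxretry. The journal lines
# below are constructed (documentation-range addresses, invented host and users).
# Needs only POSIX sh, awk and sort.

# ban_candidates <mode> <maxretry>  reads sshd log lines on stdin.
# normal:     only real authentication failures count.
# aggressive: bad protocol banners (e.g. a browser pointed at port 22) and
#             [preauth] disconnects count too.
ban_candidates() {
    awk -v mode="$1" -v max="$2" '
        # the source address always precedes the word "port" in these messages
        function src(   i) { for (i = 2; i <= NF; i++) if ($i == "port") return $(i - 1); return "?" }
        /Failed password for|authentication failure/ { hit[src()]++ }
        mode == "aggressive" && /Bad protocol version identification|\[preauth\]/ { hit[src()]++ }
        END { for (a in hit) if (hit[a] >= max) print a }
    ' | sort
}

# Constructed sample: three browser hits from one address, three password
# failures from a second, one preauth disconnect from a third, one good login.
sample_log() {
    cat <<'EOF'
Feb 03 00:25:24 server2 sshd[6144]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7 port 60622
Feb 03 00:25:25 server2 sshd[6145]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7 port 60623
Feb 03 00:25:26 server2 sshd[6146]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7 port 60624
Feb 03 00:26:01 server2 sshd[6150]: Failed password for root from 203.0.113.5 port 41022 ssh2
Feb 03 00:26:03 server2 sshd[6150]: Failed password for root from 203.0.113.5 port 41022 ssh2
Feb 03 00:26:05 server2 sshd[6151]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Feb 03 00:26:20 server2 sshd[6153]: Disconnected from authenticating user root 203.0.113.9 port 33000 [preauth]
Feb 03 00:26:30 server2 sshd[6155]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
}

echo "normal mode, maxretry 3:";     sample_log | ban_candidates normal 3
echo "aggressive mode, maxretry 3:"; sample_log | ban_candidates aggressive 3
```

In normal mode only the password-guessing address is listed; in aggressive mode the address that merely sent HTTP to port 22 is listed as well, which is the lock-out risk the thread describes. The real switch in fail2ban is `mode = aggressive` in the `[sshd]` jail.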
Easton Young
just use fail2ban you fucking pleb
Carter Taylor
OP, this is what you need to do. 1. Install tor. Add this to your /etc/tor/torrc
and now you can ssh your shit from wherever without everyone else trying to
Oliver Long
Port knocking is the correct answer. Very cool stuff.
Charles Gonzalez
Block everything outside of your country.
Gabriel Jones
to be clear: install tor on both machines, change the torrc on the server machine, change the ssh config on the client machine
William Phillips
Password managers are where you store passwords for services that don't support public key authentication.
Dominic Davis
send yourself an email with your remote ip. have a script parse it (verify origin) and generate a fw rule that allows new connections from that ip. done. it can also be done with a speedtest link. ;)
Camden Thompson
I'm just impressed with the amount of information thrown out here.
Sometimes you guys aren't cunts.
Charles Ramirez
>pgp
What's wrong with PGP? It's sufficient for most use cases no? Seriously asking.
Brayden Richardson
this is the most Enterprise Business Solution I've ever seen.
Evan Jones
Pubkey auth. OTOH what's even the issue, if you got a reasonable password all the bots are doomed never to get in anyhow.
They'll just try their [default] password lists and leave.
Interesting idea, but probably mainly has the risk of you not getting in or you having an annoying connection for tor reasons.
James Cooper
allow only your ip, or use fail2ban and change the ssh port to like 1022 or something below 1024. they are just scanning ips for open ssh ports, typically 22, and later bruting it. not hard to mitigate, or you could just use ssh key login
Landon Fisher
What's on your box and why would random Chinaman be interested?
Grayson Sanchez
What the hell, the same chink tried to get in mine as well. Port 22 was opened for 1-2 days for remote connection and later removed when I installed openvpn. I have password logins disabled and forced pubkey auth
People do this all the time with open servers that accept pw auth. They just scan across the internet and go through common passwords. Disable password auth for your servers familias, we have better mechanisms for authentication now.
Isaac Flores
i used to do the same with rdps. had a small shop setup on a website selling them. you can't use ssh keys to login, it's strictly user:pw so it was easy to brute. most had default pws like admin:admin, root:toor etc
Jack Reyes
I'm doing a large very important server with lots of money at stake, and I'm a newb
Can I just use a strong password? I can't be bothered with SSH. There's literally no way anyone could brute force this password
Christian Turner
Sure, you can do whatever you want
Isaac Garcia
Key takes 2 minutes to set up
Joshua Peterson
> ITT: retards that don't understand how there's a never ending sea of bots looking for easy to crack servers stupid faggots. change port to something else, use a strong password or keys. you stupid faggots make it more complex than it needs to be.
Just wanted to know if there's some other way they could get in... Obviously phishing but I only use the password for a couple trustworthy sites. Anything else? I set it up successfully with root but I couldn't do it for another user, unbelievable how complicated that is. Just not worth it for me, so I went back to pass
Easton Ward
I've used tor hidden services for ssh for about 5 years now and I can't ever recall any real connection issues I couldn't bear. Ssh is pretty light.
Cooper Wood
>http://
fuck browsers for hiding the http, this madness needs to end
Bentley Sanders
put ssh on an obscure port and use sshguard to automatically ip ban chinks and cia niggers. also, only use key-based auth and a low amount of max authentication attempts.
Adrian Robinson
Disable password and use RSA key signing instead.
Gabriel Perez
That is certainly better than I thought it'd be.
Jason Garcia
what did he mean by this
Gabriel Brown
Firefox doesn't display the http:// at the start of URLs but will copy them.
if that was the case big companies like amazon wouldn't make it mandatory to get into your hosted VMs
Oliver Long
This, I hate when I think I'm using HTTP but I'm actually using hypo-emoji theft anarchy. Can't believe the browser would hide such vital information from me
A profit-seeking authority with hundreds of talented programmers at its disposal, yes.
Nathan Sullivan
>However, I'd like a solution that still allows me to remote into the server from other machines on the local network.
You only need local SSH? Make sshd listen on your local network and restrict it to known local ports.
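The sshd advice scattered through the thread (key-only auth, password login off, listen only on the LAN address as in the post above and the earlier one about NAT, few auth tries, an explicit user list) pulled together into a config checker, as an added example that is not code from the thread; the config files are constructed, and the 192.168.1.10 address and user "alice" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the settings
# recommended in the thread and compare a stock-looking config with a hardened
# one. Both files are constructed samples in a temp dir; the 192.168.1.10 address
# and the user "alice" are assumptions. Needs only POSIX sh, awk and mktemp.

# First uncommented occurrence of a directive wins, as in sshd itself.
sshd_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one line per weak setting found in the config file given as $1.
sshd_audit() {
    cfg="$1"
    case "$(sshd_get "$cfg" PasswordAuthentication)" in
        no) ;;
        *) echo "PasswordAuthentication not disabled: password brute force stays possible" ;;
    esac
    case "$(sshd_get "$cfg" PermitRootLogin)" in
        ""|no|prohibit-password|without-password) ;;   # "" = OpenSSH default
        *) echo "PermitRootLogin allows root password login" ;;
    esac
    case "$(sshd_get "$cfg" ListenAddress)" in
        ""|0.0.0.0|"[::]"|"::") echo "sshd listens on every address, not only the LAN one" ;;
    esac
    tries=$(sshd_get "$cfg" MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 3 ] || echo "MaxAuthTries unset or above 3"
    [ -n "$(sshd_get "$cfg" AllowUsers)" ] || echo "AllowUsers unset: every local account can be tried"
}

# Number of findings, handy for scripting and for the checks below.
sshd_audit_count() { sshd_audit "$1" | awk 'END { print NR }'; }

# Constructed samples: a stock-looking config and the hardened drop-in.
TMP=$(mktemp -d)
WEAK_CFG="$TMP/sshd_config.weak"
HARD_CFG="$TMP/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
# defaults that leave password auth reachable from the internet
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
# key-only, LAN-only sshd: the thread's advice in one place
ListenAddress 192.168.1.10
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
AllowUsers alice
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do echo "$f: $(sshd_audit_count "$f") findings"; done
```

For a host with both a public and a private address, pair the ListenAddress line with a firewall rule such as `iptables -A INPUT -p tcp --dport 22 ! -s 192.168.1.0/24 -j DROP` so the port is unreachable from outside the LAN even if sshd is later reconfigured.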