SSH server without port forwarding

I noticed that some Chinese jackass has been attempting to SSH into one of my machines. Is there a way to run an SSH server without making it publicly accessible?

I've stopped the attack by disabling port forwarding and stopping the SSH service. However, I'd like a solution that still allows me to remote into the server from other machines on the local network.

Attached: SshLog.png (1325x741, 350K)

Ssh with pgp key access so no one but you can access it

put ssh on port 69

fail2ban

Use a white list instead of a black list. In other words, allow access to your node from only a list of your choosing. Most routers/firewalls allow this -- iptables. Even ssh has this functionality built in.

OpenVPN

if you have to ask, you don't deserve the answer

>Is there a way to run an SSH server without making it publically accessible?
Knockd.

Those are just bots, there's thousands probing every address constantly.

>I want to block all bruteforce attempts
Force pubkey authentication
>I want to prevent most standardized attacks
Put SSH on a different port >10000 (nearly nobody is going to portscan unless a targeted attack is taking place)
>I have reliable access to an IP address which won't change
Drop all traffic to your ssh port except from your whitelist
>I don't have reliable access to an IP address, and I need password authentication
fail2ban
>I'm paranoid, I don't want anyone to know I have a public-facing SSH service
Port knocking
>I don't want SSH public-facing
Wrap your SSH traffic in a VPN or proxy (socks5, openvpn, etc.). Connect to your VPN, then forward a port internally

>I'd like a solution that still allows me to remote into the server from other machines on the local network.
Depends on what your network looks like. If this is a machine on a local network behind a NAT router, then disabling port forwarding for the ssh port on the router will do exactly what you want. Nobody from outside your network will be able to hit your server's ssh port, but people inside the network will.
If there's no NAT here and the server has both a public and private IP address, you can just have sshd listen only on the local address, or add an iptables rule that drops packets coming in on the public address destined for the ssh port.
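To make the two points above concrete (sshd's own whitelist from the earlier reply, and binding sshd to the private address from this one), here is an added example that is not code from anyone in the thread. It writes a LAN-only, key-only sshd_config and then audits any sshd_config for the same properties. The address 192.168.1.10, the 192.168.1.0/24 range, the user alice and the output paths are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: write an sshd_config that only listens
# on the LAN and only accepts keys, then audit an arbitrary sshd_config for the
# same properties. Addresses, usernames and paths below are constructed.

# Emit a LAN-only, key-only sshd_config to the file named in $1.
# 192.168.1.10 (the server's LAN address) and 192.168.1.* are placeholders.
write_lan_only_config() {
    cat > "$1" <<'EOF'
# Bind only to the private address; if the box also has a public address,
# nothing arriving on that interface even reaches sshd.
ListenAddress 192.168.1.10
Port 22
# Keys only: bots that only carry password lists have nothing to try.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
# sshd's built-in whitelist: only this user, and only from the LAN.
AllowUsers alice@192.168.1.*
EOF
}

# Return 0 when file "$1" contains an uncommented directive "$2" whose value
# matches the extended regex "$3". The keyword match is case-insensitive,
# like sshd's own parser.
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+($3)[[:space:]]*$" "$1"
}

# Audit: print each failing check, return 0 only if every check passes.
audit_sshd_config() {
    cfg=$1; rc=0
    has_directive "$cfg" PasswordAuthentication no \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    has_directive "$cfg" PubkeyAuthentication yes \
        || { echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
    has_directive "$cfg" PermitRootLogin 'no|prohibit-password' \
        || { echo "FAIL: PermitRootLogin still allows password root login"; rc=1; }
    # No ListenAddress at all, or 0.0.0.0 / ::, means every interface,
    # public ones included. Only IP literals are recognised here.
    if ! has_directive "$cfg" ListenAddress '[0-9a-fA-F.:]+' \
        || has_directive "$cfg" ListenAddress '0\.0\.0\.0|::'; then
        echo "FAIL: sshd is not bound to a specific (private) address"; rc=1
    fi
    has_directive "$cfg" AllowUsers '.*@.*' \
        || { echo "FAIL: no AllowUsers user@host restriction"; rc=1; }
    return $rc
}

# Usage (constructed path, never /etc directly):
#   write_lan_only_config /tmp/sshd_config.lan && audit_sshd_config /tmp/sshd_config.lan
# Then review the file and run `sshd -t -f /tmp/sshd_config.lan` before installing it.
```

Run the audit against the live /etc/ssh/sshd_config to see which of the thread's recommendations a box already meets; the ListenAddress check is the one that matters for the "no NAT, public and private address" case.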

SSH runs over TCP, so you have to make some firewall gymnastics to make this happen.
You should be using SSH keys for login to prevent effective bruteforce attacks.
You could use fail2ban to filter out the spam at least slightly.

But unless SSH moves to UDP (which it won't), then it won't be truly stealthy in elegant way.

OpenVPN is a humiliation of human software engineering

ssh with cryptographic key of byte size 8192MB.
Next change ssh port to something between 3600-4900. Bonus points if you can find a way to dynamically change the port number in that range so that only you and others you want to can access it.

Even better, just create a spoof-ssh with a virus attached to it so that when they access it their computer gets fucked.

a properly configured firewall helps

>Is there a way to run an SSH server without making it publically accessible?
Don't host an ssh server unless you know what you're doing... Jesus Christ man, learn some networking

Keyed Ssh over hidden service. The only person who will know about it is the person who set it up

WireGuard

why do people put ssh behind shit like openvpn? openvpn is bloat and that makes it much easier to exploit than ssh

Yep, although I've heard numerous reports of random firewalls just filtering out UDP entirely. (And VPNs over TCP are problematic.)

Is there a way to set up SSH-like service with use of VPN?

>I've stopped the attack by disabling port forwarding and stopping the SSH service.
Why? If you use ssh keys they can attack you for a thousand years and not make any real progress. Turn off password authentication altogether.

>disabling port forwarding for the ssh port on the router will do exactly what you want
Yup, it looks like you are correct. For some retarded reason, I thought that would prevent machines inside the network from SSHing into it. Thanks user.

>if you have to ask, you dont deserve the answer
>Don't host an ssh server unless you know what you're doing... Jesus Christ man, learn some networking
Yeah, I'm admittedly a bit of a moron sometimes. Fortunately, this server solely exists for educational purposes.

you can ssh over vpn

a vpn wont make it more secure

>I don't have reliable access to an IP address, and I need password authentication

Can't you just use a host name instead?

Why do brainlets think SSH keys are fucking magic? A strong password is impossible to crack, especially if you're trying to do it over the network.

Yes, I know. I just suggested to use wireguard instead of openvpn. That's it.

Try running a hidden service on port 22 then ssh through tor

>implying everyone uses strong passwords

>Change port to something other than 22
>disable non-key logins
>use fail2ban

I am not trying to be mean but asking like a fucking retard for basic ssh configuration on UBUNTU isn't something I would be proud of

It's just annoying log spam if your system is not misconfigured. One way to avoid them would be using IPv6 if you have it. Haven't seen even one of those bots there.

>A strong password is impossible to crack, especially if you're trying to do it over the network.
Yeah, but nobody wants that shit on their network. I've once seen 7 bots spamming my server relentlessly causing things to slow down. I just use fail2ban and limit it to 2 attempts before getting the boot.

I'm literally not implying that you stupid fucking faggot. Get some reading comprehension.

fail2ban has nothing to do with keys.

I know. To be clear, I was implying that passwords alone bring another level of annoyance.

I just looked at my firewall logs and I had 200 blocked attempts in 2 minutes, not one towards the SSH server at all.

Seem like there are bigger issues out there.

They aren't "issues". There have always been bots scanning the internet and trying shit. Basic security practices keep them out, and they don't hurt anything by poking at your machines.

Seems like you should start using fail2ban

Don't need to, WAN blocks all inbound traffic.

vpn is an option. I use a different port for ssh so random attacks can't find it; if somebody really wants to enter your machine he can scan all ports of course, but that's rarely the case.

You're getting connection attempts on a site from a site/server only accessible behind your LAN?

just disable password logins and setup an ssh key.

That sounds confusing. I meant to say your machine is logging connection attempts from bots or whatever that are not in your LAN, but is protected by a firewall and/or isn't accessible via WAN?

ITT 90% retards
You set up pubkey authentication
You disable password authentication
You install fail2ban
You set it to max 1 attempt and 365 days ban time
You log in from a machine that doesn't have a key installed once and you're locked out from ssh
>pgp
kek
useless
They are usually much harder to crack than a password

Not impossible to crack if there is no login attempt limit in place. What is so hard about using a key?

>Not impossible to crack if there is no login attempt limit in place
PAM limits the attempt rate by default more than enough to prevent a secure password from getting bruteforced

>A strong password is impossible to crack
A strong password is hard to remember, takes a long time to type, or both. An SSH key is nearly instantaneous, which is a big advantage when you're not a kid LARPing as a hacker but someone responsible for dozens of machines.

Attached: pcbhospitalanime.jpg (1200x1200, 1.77M)

Application-specific vulnerabilities or inadequate pre-authentication protection (note how bruteforce protection for passwords requires a 3rd-party firewall script?). As well, VPNs can create a reverse tunnel where you can route SSH traffic behind NAT/CGNAT without needing to port forward (VPN from CGNAT server connects to me who doesn't have CGNAT, I connect to SSH through that VPN's tunnel)

Domains incur a financial cost which is not accessible to all users, and whitelisting domains makes DNS hijacking / poisoning a concern

that would only help if the vpn is perfect software and has no bugs. not something that openvpn is even though many use it.

OP don't bother listening to anyone in this thread. There is only one answer, and that is to turn off password authentication and only use SSH keys. What you are seeing is the "noise" of the internet, it's pointless to try to block it as it's not harmless so long as you disable password authentication and keep ssh updated. Trying to block countries, change ports etc is just security by obscurity. Accept that people will probe your server and be prepared for it, it's just part of the internet.

You can get free domain names.

>what are pasword managers

I think that's too simplistic of a view. Hostile networks exist which will drop ssh traffic if they can see it, and wrapping protects against that. ssh plugs into PAM which increases the potential attack surface of the system (app vulnerabilities / authentication DoS which needs to be managed by f2b), etc. etc. Not saying that ovpn is a bug-free miracle product, but there's a reason a well designed corporate network forces you to vpn in (pref with ipsec..) before you're even allowed to try to touch services

Yeah, I forgot. I haven't used a free domain in ages. Other issues still apply though

>ssh plugs into PAM which increases the potential attack surface of the system
One sentence: OpenVPN uses OpenSSL.
BTFOed.

If you have a single server and you use OpenVPN to connect to it to SSH, then just literally kill yourself. I completely understand for a corporate setup with tons of services and users, but for 1 personal vps with 1 user, just fucking use ssh and be done. You are massively complicating things installing OpenVPN. OpenVPN is a real bloated piece of shit software, you know that a hobbyist sysadmin is going to misconfigure the shit out of that. In fact even if you want a personal vpn why not use WireGuard? plenty good enough for a single user

>fail2ban
Use sshguard instead, it can ban IPv6 addresses. Fail2ban can only recognize IPv4.

This is the only useful answer in thread.

How about don't use any. You only increase the chance of locking yourself out of your server. If your server is secure, then it can't be bruteforced. If it isn't secure, no fucking way would I count on the hackers not having enough IPs to bruteforce their way in.

>You set it to max 1 attempt and 365 days ban time

Check out my site:

Oh what's that? fail2ban only looks at connections and has no idea that wasn't a real login attempt and now you're locked out of your server for a year? well get fucked.

I know my server is secure without SSHGuard. But the high number of brute force attempts fills the sshd connection pool and then my legitimate connections fail. I increased the pool size to 10k but that filled up too. With SSHGuard the connection count stays low, in the hundreds.

fail2ban does look at login attempts you fuckface. How would it determine that a login was successful?
>not having a specifc "management network" whitelisted to work around that
>not having friends that could unban you

It works by looking at the connections to the port and grepping the logfiles to see if it was successful. Simply connecting to the port X number of times and sending any arbitrary data (such as http requests caused by iframes) is enough to get you blacklisted.

No it's not you retard. sshd logs failed attempts and fail2ban picks those up.

vpn

My bad. Actually sshd still logs these connections and fail2ban treats them as failed logins and bans; it appears like this in the logs:

>Feb 03 00:25:24 server2 sshd[6144]: Bad protocol version identification 'GET / HTTP/1.1' from x.x.x.x port 60622

Your bad again. Yes, sshd logs these. However, in default mode fail2ban only counts entries that contain a pattern like "authentication failure". You'd have to turn it up to aggressive mode to count bogus data or preauth disconnects as well.
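The exchange above turns on how the log line quoted earlier is classified. The following is an added example, not fail2ban's code and not from anyone in the thread: a small awk classifier that mimics the distinction the last reply describes between fail2ban's default ("normal") sshd filter, which counts only real authentication failures, and its "aggressive" mode, which also counts pre-auth noise such as "Bad protocol version identification". The regexes are a simplification of fail2ban's, and the log lines and addresses (203.0.113.x, 198.51.100.x, 192.168.1.x) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from fail2ban: classify sshd log lines
# the way fail2ban's sshd filter does in "normal" versus "aggressive" mode.
# Sample log, addresses and the regexes are constructed simplifications.

# Constructed sshd journal lines: 203.0.113.5 fails passwords, 198.51.100.7
# only sends HTTP junk (iframe-style requests) at the SSH port, and
# 192.168.1.20 is a legitimate key login.
sample_log() {
    cat <<'EOF'
Feb 03 00:25:24 server2 sshd[6144]: Failed password for root from 203.0.113.5 port 40110 ssh2
Feb 03 00:25:26 server2 sshd[6145]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Feb 03 00:25:29 server2 sshd[6146]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Feb 03 00:25:31 server2 sshd[6147]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7 port 60622
Feb 03 00:25:32 server2 sshd[6148]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7 port 60623
Feb 03 00:25:33 server2 sshd[6149]: Did not receive identification string from 198.51.100.7 port 60624
Feb 03 00:25:40 server2 sshd[6150]: Accepted publickey for alice from 192.168.1.20 port 51000 ssh2: ED25519 SHA256:constructed
EOF
}

# count_failures MODE   (log on stdin): prints "count ip" per source address.
# MODE is "normal" (fail2ban's default) or "aggressive".
count_failures() {
    awk -v mode="$1" '
        # Source address follows "from " on sshd lines or "rhost=" on PAM lines.
        function src(line) {
            if (match(line, /from [0-9.]+/)) return substr(line, RSTART + 5, RLENGTH - 5)
            if (match(line, /rhost=[0-9.]+/)) return substr(line, RSTART + 6, RLENGTH - 6)
            return ""
        }
        # Real authentication failures count in every mode.
        /Failed password|Invalid user|authentication failure/ { n[src($0)]++; next }
        # Pre-auth garbage only counts in aggressive mode.
        mode == "aggressive" && /Bad protocol version identification|Did not receive identification string/ { n[src($0)]++ }
        END { for (ip in n) if (ip != "") print n[ip], ip }
    ' | sort
}

# banned_ips MODE MAXRETRY: addresses that would be banned at that maxretry.
banned_ips() {
    sample_log | count_failures "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Usage: banned_ips normal 2; banned_ips aggressive 2
```

With maxretry 2 the password-guessing address is banned in both modes, while the address that only sent HTTP to port 22 is banned only in aggressive mode. That is the trade-off the thread is arguing about: aggressive mode cuts the connection spam, but a browser or scanner that merely pokes the port, or a client with a broken banner, can now earn the ban too.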

just use fail2ban you fucking pleb

op, this is what you need to do.
1. Install tor. Add this to your /etc/tor/torrc

HiddenServiceDir /var/lib/tor/ssh_hidden_service/
HiddenServicePort 22 127.0.0.1:22

2. Add this to your ~/.ssh/config

host server-01-hidden
hostname lookinthatfolderfromabovefortheonionaddress.onion
proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

and now you can ssh your shit from wherever without everyone else trying to

Port knocking is the correct answer. Very cool stuff.

Block everything outside of your country.

to be clear: install tor on both machines, change the torrc on the server machine, change the ssh config on the client machine

Password managers are where you store passwords for services that don't support public key authentication.

send yourself an email with your remote ip.
have a script parse it (verify origin) and generate a fw rule that allows new connections from that ip.
done.
it can also be done with a speedtest link. ;)
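The mail-yourself-your-IP trick above needs two checks before anything touches the firewall: proof that the message really came from you, and a strict check that what you extracted is nothing but an address. The following is an added example, not code from the poster: the mail format, the `X-Allow-Token` header carrying a shared secret, the `Remote-IP` body line and the rule itself are all constructed, and the script prints the iptables command rather than running it.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a self-sent "here is my IP"
# mail into a firewall allow rule, after verifying origin and validating the
# address. Message format, token and rule are constructed assumptions.

ALLOW_TOKEN="constructed-shared-secret"   # placeholder; in practice read from a root-only file

# Constructed sample of such a mail, as a delivery agent might hand it over.
sample_message() {
    cat <<'EOF'
From: me@example.invalid
Subject: remote ip
X-Allow-Token: constructed-shared-secret
Remote-IP: 203.0.113.42
EOF
}

# valid_ipv4 ADDR: accept only a dotted quad with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# rule_from_message FILE: verify the token, extract the IP, print the rule.
# Returns 1 (and prints a reason on stderr) if either check fails.
rule_from_message() {
    msg=$1
    token=$(sed -n 's/^X-Allow-Token: //p' "$msg" | head -n1 | tr -d '\r')
    [ "$token" = "$ALLOW_TOKEN" ] || { echo "reject: bad or missing token" >&2; return 1; }
    ip=$(sed -n 's/^Remote-IP: //p' "$msg" | head -n1 | tr -d '\r')
    valid_ipv4 "$ip" || { echo "reject: not a plain IPv4 address: $ip" >&2; return 1; }
    # Only the validated literal reaches the rule; never raw message text.
    printf 'iptables -I INPUT -p tcp --dport 22 -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$ip"
}

# Usage: sample_message > /tmp/ip-mail.txt && rule_from_message /tmp/ip-mail.txt
```

The token check stands in for whatever origin verification the mail setup offers; the address validation is the part that must never be skipped, since the value comes from a message body and is about to be spliced into a root command.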

I'm just impressed with the amount of information thrown out here.

Sometimes you guys aren't cunts.

>pgp
What's wrong with PGP? It's sufficient for most use cases no? Seriously asking.

this is the most Enterprise Business Solution I've ever seen.

Pubkey auth. OTOH what's even the issue, if you got a reasonable password all the bots are doomed never to get in anyhow.

They'll just try their [default] password lists and leave.

Interesting idea, but probably mainly has the risk of you not getting in or you having an annoying connection for tor reasons.

allow only your ip or use fail2ban and change the ssh port to like 1022 or something below 1024. they are just scanning ips for open ssh ports, typically 22, and later bruting it. not hard to mitigate, or you could just use ssh key login

What's on your box and why would random Chinaman be interested?

What the hell, the same chink tried to get in mine as well
Port 22 was opened for 1-2 days for remote connection and later removed it when I installed openvpn
I have password logins disabled and forced pubkey auth

Attached: Screenshot_JuiceSSH_20190203-033158.png (720x1280, 291K)

Maybe Chinese government?

People do this all the time with open servers that accept pw auth. They just scan across the internet and go through common passwords.
Disable password auths for your servers familias, we have better mechanisms for authentication now.

i used to do the same with rdps. had a small shop setup on a website selling them. you cant use ssh keys to login its strictly user:pw so it was easy to brute. most had default pws like admin:admin root:toor etc

I'm doing a large very important server with lots of money at stake, and I'm a newb

Can I just use a strong password? I can't be bothered with SSH. There's literally no way anyone could brute force this password

Sure, you can do whatever you want

Key takes 2 minutes to set up

> ITT: retards that don't understand how there's a never ending sea of bots looking for easy to crack servers
stupid faggots. change port to something else, use a strong password or keys. you stupid faggots make it more complex than it needs to be.

>I'm doing a large very important server with lots of money at stake, and I'm a newb
Look forward to reading about you on http://dayssinceacryptocurrencyexchangehaslostmorethan100million.com/

Just wanted to know if there's some other way they could get in... Obviously phishing but I only use the password for a couple trustworthy sites. Anything else?
I set it up successfully with root but I couldn't do it for another user, unbelievable how complicated that is. Just not worth it for me, so I went back to pass

I've used tor hidden services for ssh for about 5 years now and I can't ever recall any real connection issues I couldn't bear. Ssh is pretty light.

>http://
fuck browsers for hiding the http, this madness needs to end

put ssh on an obscure port and use sshguard to automatically ip ban chinks and cia niggers. also, only use key-based auth and a low amount of max authentication attempts.

Disable password and use RSA key signing instead.

That is certainly better than I thought it'd be.

what did he mean by this

Firefox doesn't display the http:// at the start of URLs but will copy them.

Attached: days.png (1008x72, 25K)

if that was the case big companies like amazon wouldn't make it mandatory to get into your hosted VMs

This, I hate when I think I'm using HTTP but I'm actually using hypo-emoji theft anarchy. Can't believe the browser would hide such vital information from me

Appeal to authority.

works on my machine

Attached: Untitled.png (293x72, 4K)

A profit-seeking authority with hundreds of talented programmers at its disposal, yes.

>However, I'd like a solution that still allows me to remote into the server from other machines on the local network.
You only need local SSH? Make sshd listen on your local network and restrict it to known local ports.

That's https://