To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

@xinaked@lemmy.world
link
fedilink
English
101Y

just use tailscale

@lilShalom@lemmy.basedcount.com
link
fedilink
English
1
edit-2
1Y

I use a vps running openvps. Then i only allow ssh access from my vpn ip address.

Faceman🇦🇺
link
fedilink
English
31Y

I used to SSH into my server and proxy out from there. Then I learned how shit of a solution that is for daily use and set up a vpn like a normal person.

@Decronym@lemmy.decronym.xyz
bot account
link
fedilink
English
5
edit-2
1Y

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

5 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #128 for this sub, first seen 10th Sep 2023, 16:25] [FAQ] [Full list] [Contact] [Source code]

In your SSH config, you should disallow root login and password authentication.

It is more secure than these tommyknockers :-) but you can do that additionally, if you feel like it.

dalz
link
fedilink
-71Y

Why disallow root login? I always need root when I connect, and stealing the password by aliasing sudo/doas is trivial. It seems to me it would just make life harder for no benefit.

they need to guess a username i assume

this_is_router
link
fedilink
English
311Y

Because then:

  • you also need to know the correct username
  • audits and logging shows which user used sudo to gain root access
@ShortN0te@lemmy.ml
link
fedilink
English
-211Y
  • you also need to know the correct username

Use a secure password or key. Security by obscurity is no security.

  • audits and logging shows which user used sudo to gain root access

That is not the point that was made. Once access to sudo or root you already have lost.

Security though obscurity, BY ITSELF, is not security. But it’s great at slowing attackers and thwarting automated scripts.

It’s bad security to ignore possible mitigations to a problem just because it isn’t as full fix.

@randombullet@feddit.de
link
fedilink
English
71Y

Defense in depth.

Anyone who’s certified NET+ or higher knows this.

@ShortN0te@lemmy.ml
link
fedilink
English
-11Y

That video here: https://youtu.be/fKuqYQdqRIs?feature=shared

Does a great job actually explaining a lot of my points. And it is produced by an actual security auditor and researcher. Just because everyone is doing it does not make it a security benefit that matters.

@PipedLinkBot@feddit.rocks
bot account
link
fedilink
English
31Y

Here is an alternative Piped link(s):

https://piped.video/fKuqYQdqRIs?feature=shared

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I’m open-source, check me out at GitHub.

@False@lemmy.world
link
fedilink
English
20
edit-2
1Y

You’re making it that much easier for someone to brute force logging in or to exploit a known vulnerability. If you have a separate root password (which you should) an attacker needs to get through two passwords to do anything privileged.

This has been considered an accepted best practice for 20+ years and there’s little reason not to do it anyways. You shouldn’t be running things as root directly regardless.

@ShortN0te@lemmy.ml
link
fedilink
English
-41Y

When you have secure passwords kr key auth. Brute force is not a problem. What vulnerability are you talking about? Complete auth bypass? Then the username would be no problem either since you can just brute force usernames.

@False@lemmy.world
link
fedilink
English
11Y

Heartbleed was a thing that happened.

Why disallow root login?

It is very easy to throw a dictionary at your port 22. It happens every few minutes. And they all try it with the username=root unless they know something better.

tinsukE
link
fedilink
English
11Y

Sounds like security through obscurity to me.

Highly susceptible to replay and man in the middle attacks.

If you’re gonna combine that with another authentication method (and you should), then I see little advantage over just going with the other auth method.

486
link
fedilink
11Y

Highly susceptible to replay and man in the middle attacks.

fwknop isn’t susceptible to either.

@aksdb@feddit.de
link
fedilink
English
31Y

Sure? It certainly detracts bots that now don’t discover the SSH port anymore. Against a targeted attack it’s less useful, but that is a very hard problem in any case. If someone is out to get you specifically, it will be a tough battle.

@ShortN0te@lemmy.ml
link
fedilink
English
01Y

Bots do not matter. They try just common know exploits. If your root password is not root you are fine.

@SheeEttin@lemmy.world
link
fedilink
English
01Y

Root login should be disabled, and ideally remote user auth should be key only, not password. And you should have a passphrase on your key.

@ShortN0te@lemmy.ml
link
fedilink
English
-11Y

Should be

Why? Dont recite a blogpost to me explain it. Following blindly security practices you do not understqnd can be very dangerous.

Disableing the root login gains nothing in regarding security. If you have a secure key or a passwordthey attacker will not get in no matter what. And once a account is compromised it ia trivial to extract the sudo passwors with simple aliases.

Passwords can be as secure as keys. Yes be default a weak key is still more secure then a weak passwors. But if you have a strong password policy in place it does not matter. Most valid argument for keys is the ease of you

Having a passphrase on the key is for example for my usecase irrelevant. I run full disk encryption on every device. A passphrase on those keys would not gain me much security only more inconvenience.

486
link
fedilink
3
edit-2
1Y

Disableing the root login gains nothing in regarding security.

This is usually not the reason people recommend disabling root login. Since root is an anonymous account not tied to an actual person, in a corporate setting, you do not really know who used that account if you allow root login. If this is relevant for a personal home network is for you to decide. I would say there is not such a strong argument for it to be made in that setting.

@ShortN0te@lemmy.ml
link
fedilink
English
01Y

I absolutely agree with your. It can makes sence the disable it for access control, loging, auditing, etc. .

But when you look online or just in the comment section here lots of ppl actually recommend it as a security meassure against attackers. “Need to brute force the username as well”

@zaphod@lemmy.ca
link
fedilink
English
11Y

If you’re worried about bots just use a non-standard port and move on. I did that on my own VPS just to cut down on log chatter and I get absolutely zero ssh attack attempts after the change.

@SheeEttin@lemmy.world
link
fedilink
English
81Y

I would only expose a VPN and use that to access the other services.

lemmyvore
link
fedilink
English
81Y

Why? There’s no downside to ssh, if anything it’s easier to set up.

@SheeEttin@lemmy.world
link
fedilink
English
11Y

If you only want to provide ssh access to one host, sure. If you want to provide other services, on multiple hosts, then you’re either making it a jump box or a proxy, while a VPN would provide direct access (or at least as defined in the firewall and routing rules).

@Morgikan@lemm.ee
link
fedilink
English
3
edit-2
1Y

A VPN would give you access to a network, but not necessarily the devices on that network. It adds another layer of security as the user not only has to have SSH credentials/keys, but they also have to have the same for the VPN. SSH and VPNs would really be used in conjunction with each other.

It’s onion security.

@Auli@lemmy.ca
link
fedilink
English
11Y

What kind of port knocking just going to ports in sequence? Or someone wrote one that looks for a key signed and is supposedly not replayable.

Other then the slowly increasing log file (if you use fail2ban for example), it will take thousands of years to actually hack you through this method as long as root auth is disabled and authentication is only via SSH keys, I wouldn’t worry about it.

It is possible to tighten the security of a machine to the point it is no longer usable. It is important to secure our devices but we cannot forget about convenience, so the trick is to tighten it but also make it so you don’t have to jump through a number of hoops till you get to your destination.

I for example, wouldn’t use your method because it would make it difficult to use some services I host from my phone.

Port knockers for the most part aren’t worrying. In an ideal situation, the only ports that should be open are 22, 80, 443 and using a reverse proxy to mask headers. (Poor configuration for example, go to Shodan and type bitwarden in the search bar and see how many people expose their instances to the world carelessly without an SSL cert) and the occasional UDP for game servers/media servers.

@vzq@lemmy.blahaj.zone
link
fedilink
English
61Y

removed by mod

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 126 users / day
  • 421 users / week
  • 1.16K users / month
  • 3.85K users / 6 months
  • 1 subscriber
  • 3.68K Posts
  • 74.2K Comments
  • Modlog