Most people depend on ssh to provide a necessary "back door" into the various systems that they are responsible for. However, often within a matter of minutes, they find that their server logs are pounded with "unauthorized access attempt" messages that are coming from literally everywhere on earth. Somehow, they discovered that your IP-address existed, and that you were running sshd on it. They promptly began firing torpedoes. And, they will never stop.
There is, however, "a better way," and that "better way" is OpenVPN, using digital certificates and tls-auth. You pre-supply each authorized accessor ... such as yourself ... with a pair of digital credentials that can never be "hacked." You place this as an outer perimeter through which everyone must pass to reach anything "juicier." Then, you make it ... invisible!
(Necessarily, the remainder of this post is an introduction ... to ideas expounded upon by a legion of Internet posts.)
OpenVPN acts as "a secure TCP/IP router, implemented in software." It acts as a gateway to your "internal" network, including your sshd server. All of these services expose themselves only to the internal network – none to the outside world. Therefore, to reach any of it, you must "pass through the gateway door." However, it now becomes ... a secret(!!) door. If you are authorized to enter it, you pass right through. If not, you cannot discover(!!) that it even exists.
Unlike sshd, OpenVPN uses the "udp" layer of networking to communicate – so, there are no ("tcp/ip" ...) sockets to detect. "Port scans" fail because: there are no ports. Your opponent is forced to "shoot datagrams into the dark," and it literally cannot discover that your OpenVPN server is even present, unless that server responds. And, this is where tls-auth comes in.
tls-auth installs an "outside the portcullis, and beyond the drawbridge" layer of defenses. Unless the supplicant can demonstrate that it possesses the (separate ...) "tls-auth digital certificate," the server won't even answer. Which means that an intruder can never discover that "the secret door" exists, let alone attempt to enter it.
In this way, the "number of unauthorized access attempts" instantly drops to zero. They don't bother your sshd server simply because they can never get that far. Because the server exposes itself only to the internal network, not the public internet.
Digital certificates, available only to those who managed to pass the drawbridge and the portcullis, are the next equally-impenetrable line of defense. "Either you possess a [unique ...] cryptographic key, which has not been individually revoked, or you do not."
Only if you successfully "establish the tunnel" in this way do you ever first get the chance to use the ssh command ... or anything else. (Likewise, perhaps, to "connect to some internal website.")
So ... here is a strategy that is simultaneously impenetrable and(!) convenient. Authorized users, possessing both keys, pass swiftly through the drawbridge and the portcullis without realizing that it is even there. Meanwhile, the legions of automated attackers pass it by – also never realizing that it is there.
... and your "security log" is deserted.
Last edited by sundialsvcs; 04-27-2021 at 06:24 PM.
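The arrangement the post describes, written out as an OpenVPN server configuration. This is an added example, not the poster's own configuration; the file paths, the 10.8.0.0/24 tunnel subnet, the 1194/udp port and the Debian-style `nogroup` group are assumptions.

```conf
# OpenVPN server.conf (added example, not the poster's own configuration).
# Assumed: the server-side PKI files live in /etc/openvpn/server/, the tunnel
# subnet is 10.8.0.0/24 and the server listens on 1194/udp.
port 1194
proto udp
dev tun

# Certificate-based authentication: every client must present a certificate
# signed by this CA. server.crt/server.key identify the server itself.
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem

# tls-auth: a pre-shared HMAC key, generated once with
#   openvpn --genkey secret ta.key      (2.5+; older: openvpn --genkey --secret ta.key)
# and copied to every client. Datagrams without a valid HMAC are dropped
# silently, so the server never answers an unauthenticated probe.
# Direction 0 on the server, 1 on the clients. tls-crypt (2.4+) is the
# alternative that also encrypts the control channel.
tls-auth /etc/openvpn/server/ta.key 0

# Per-client revocation: a certificate listed in the CRL is refused even though
# it is otherwise valid. Regenerate crl.pem whenever a client is revoked.
crl-verify /etc/openvpn/server/crl.pem

# Tunnel address pool; the server itself takes 10.8.0.1.
server 10.8.0.0 255.255.255.0
topology subnet

# Only accept modern TLS and an AEAD data-channel cipher.
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup   # assumed Debian/Ubuntu group name; RHEL-family uses "nobody"
status /var/log/openvpn/status.log
verb 3
```

To keep sshd off the public interface, as the post intends, set `ListenAddress 10.8.0.1` in sshd_config (so it binds only to the tunnel address) and drop 22/tcp on the public interface in the host firewall.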
You have been advertising this a few times already in the past decade.
We still remember.
Something about dwarves and the Lord of the Rings.
And since this isn't an actual tutorial or anything... what's the point (no don't answer that, it's a rhetorical question).
Personally, I wish people wouldn't
a) make a big show out of leaving a forum
b) come back anyhow, just to repeat their old spiel
...
Be that as it may, this is still the most common situation that I encounter. If you get "bots" hammering away at you, you can have hundreds of attempts per second, 24/7 and that siphons away a lot of resources. Not to mention megabytes of space in the security log file. Then, it ... "stops."