I am aware of password, keypair or certificate. What's best depends on your situation. Personally I'd go for keys protected with passphrases and managed with ssh-agent or keychain, as setting up a CA is too much pain for me.
This should be the same whether you use dynamic or static addresses. Or am I missing something?
Edit: Of course there is the little problem of client and server knowing each other by IP address, so my answer doesn't address your problem. It seems though that you are not the first person with this question; googling will help.
Last edited by berndbausch; 10-19-2015 at 06:41 PM.
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336
Quote:
Originally Posted by Habitual
Buy a static one if you have such an option.
$5.00 USD in the USA. YCMV
Not all ISPs provide statics. Mine does not, and it's a pain because their DHCP lease time is 10 minutes. You just need to look at the router funny and you get a new IP.
What I would do is put SSH on a non-default port, that will stop all the bots from flooding your log files, then install fail2ban. That blocks IPs that fail to log in too many times. I set it to 3. You could also try to find out what your ISP's IP ranges are and then only allow for those ranges, it will at least minimize the amount of attack sources. TBH I don't bother though, I just have it wide open to any IP but use fail2ban. By having it on a non-default port I've never even had fail2ban hit. I have it set up to alert me if it happens.
Thank you. That was my thinking too, I thought about limiting to my ISP's IP range (better than nothing) and with fail2ban running but wanted to see if there were better ways of securing it.
Do you get many login attempts?
Thanks
I agree with Red Squirrel, run it on something other than 22. I do that with my home server, and I don't think I've ever had a single unauthorized login attempt.
However, this should NOT be the only step you take in securing SSH. Many people (including myself) would call this "security by obscurity", which should never be considered a real security feature (https://en.wikipedia.org/wiki/Security_by_obscurity). I view it as simply a method of keeping my logs clean.
Look into using SSH keys and disabling root login.
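The three settings this thread keeps returning to (port, root login, key-only authentication) can be checked mechanically. The sketch below is an added example, not part of any post in the thread; the sample config is constructed, `Include` files are ignored, and treating "use SSH keys" as `PasswordAuthentication no` is an assumption.

```python
import re

# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """\
Port 22
permitrootlogin yes
PasswordAuthentication yes
# sshd keeps the first value it reads, so this later line has no effect:
PermitRootLogin no
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""

# OpenSSH built-in defaults, used when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def global_settings(text):
    """Parse the global section (everything before the first Match block)."""
    ports, first = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break                         # conditional blocks are not global policy
        if key == "port":
            ports.append(value)           # Port may repeat; sshd listens on all
        else:
            first.setdefault(key, value)  # first occurrence wins
    return ports or ["22"], {**DEFAULTS, **first}

def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    ports, cfg = global_settings(text)
    findings = []
    if "22" in ports:
        findings.append("port 22: expect constant bot noise in the logs")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root login allowed: " + cfg["permitrootlogin"])
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("passwords accepted: brute force remains possible")
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this parser only shows why a later "fix" line can silently lose to an earlier one.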
I don't get any attempts with it on a different port, at least none that try more than 3 times. I test it occasionally to make sure my alerting works (just did it now actually since I thought of it. :P )
But yeah, don't rely on a different port only as it won't stop a targeted attack, it will just stop you from getting a million alerts all the time.
One time I put an SSH server online on the default port and I had not gotten around to installing fail2ban yet, and it was hacked within 10 minutes. Brute force is not a matter of if but a matter of when. By the time I noticed why my internet was so slow I found that the machine got hacked, and the bot had already hacked 3 other online machines from mine. They basically spread like a worm. The bot was nice enough to leave a log behind. :P It was kinda neat to see it happen actually, it was a test VM so nothing was really compromised. Though it technically could have been used to hack my internal network, so definitely be careful if you decide to try anything like this and do it on a separate vlan. I did not know any better at that time.
Last edited by Red Squirrel; 10-22-2015 at 08:20 PM.
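The "block after 3 failed logins" rule discussed in this thread is a count inside a sliding time window. The sketch below is an added example, not fail2ban's own code and not part of any post; the log lines are constructed, and the parameter names `maxretry` and `findtime` follow fail2ban's settings while `ignore` plays the role of its `ignoreip` list.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines (documentation IP ranges), not from the thread.
SAMPLE_LOG = """\
Oct 22 20:00:01 vm sshd[901]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 22 20:00:03 vm sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Oct 22 20:00:04 vm sshd[905]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Oct 22 20:00:06 vm sshd[901]: Failed password for root from 203.0.113.7 port 40114 ssh2
Oct 22 20:00:09 vm sshd[905]: Accepted publickey for alice from 198.51.100.20 port 51001 ssh2
Oct 22 20:30:00 vm sshd[950]: Failed password for bob from 192.0.2.44 port 33000 ssh2
Oct 22 20:45:00 vm sshd[951]: Failed password for bob from 192.0.2.44 port 33001 ssh2
Oct 22 21:00:00 vm sshd[952]: Failed password for bob from 192.0.2.44 port 33002 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def banned_ips(log, maxretry=3, findtime=600, ignore=(), year=2015):
    """Return IPs with >= maxretry failures inside any findtime-second window."""
    trusted = [ipaddress.ip_network(n) for n in ignore]
    recent, banned = defaultdict(deque), []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if ip in banned or any(ip in net for net in trusted):
            continue
        window = recent[ip]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()              # forget failures older than findtime
        if len(window) >= maxretry:
            banned.append(ip)
    return [str(ip) for ip in banned]
```

With the default ten-minute window only 203.0.113.7 is banned; the three failures from 192.0.2.44 are fifteen minutes apart and never accumulate, which is why the thread's advice to use keys and disable root login still applies alongside fail2ban.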