How can providers (and maybe malicious guys) get access to virtual box? - Page 2

Comments

  • colingpt Member
    edited January 2016

    @miTgiB said:
    I understand you are trying to learn something, but you are also looking like you are trying to figure out how to hide shady activity.

    don't get me wrong, dude. I don't have shady activity but still need privacy, it's time to give out this video again, why good people still need privacy.

    also, I did change the port to a XXXXX port, set PermitRootLogin to no and also the option PasswordAuthentication to no. it works great and I haven't seen any lastb record for a long time.

    @timnboys said:

    appreciate the honesty, as long as there is a valid legal process involved, it is not your business anymore, it becomes national enforcement. So, that is definitely acceptable. Otherwise, it is more about the integrity of a provider, which is much more powerful to limit some actions than laws.

    @teknolaiz said:
    It is certainly a good idea to move from 22 though to get rid of 99% of all bruteforce attempts but don't use ports above the privileged port range (1 - 1024).

    thanks a lot for letting me know this, I am now currently using a five-digit port for ssh, which your link explains is not good. but it looks like most 1-1024 ports are reserved for some purpose, how to choose one from them?

    Cheers!

  • Nihim Member
    edited January 2016

    Since we are talking about this, does moving ssh from 22 to something else (be it 1-1024 or +) really help? I mean excluding the ultra random script that tries ips in a range, for anyone else doing a closer look won't be really hard or time consuming to test one by one all the server ports till he hits ssh right?

    And for the mass scripts the usual fail2ban will take care of it in the first 1-2 attempts.
    (I don't include in that root as it has its own level of importance, so invalid accounts & wrong attempts on valid accounts).

    For me root without password and preferably keys for all users with secure passwords / keyphrases & fail2ban or equivalent program seems like enough.

    tldr: does moving ssh from 22 really matter security wise?

  • @colingpt said:
    thanks a lot for letting me know this, I am now currently using a five-digit port for ssh, which your link explains is not good. but it looks like most 1-1024 ports are reserved for some purpose, how to choose one from them?

    You are correct. These ports have been reserved by IANA for applications but there is nothing that keeps you from using them with other applications as long as you don't host the original application for that they've been reserved. In fact a lot more than these 1024 ports have been reserved by IANA for all kind of applications. There is no one going to stop you from using them for other purposes.

    Privileged ports are a security feature. If you connect to a service hosted on a privileged port on a server you can mostly be certain it is the real thing. The only exceptions would be security measures so weak that they allow a hacker to take over the server and use the real thing to cause chaos and harm.

    But you're trying to prevent that here as far as I understand. So of course using privileged ports for security related things and critical stuff is only one of many things.

  • You need to grab a trusted provider that has been around on the Internet for a good time, with a lot of reviews. That would be your best option because those real companies can get into real trouble for breaching their privacy TOS.

    Thanked by 1 colingpt
  • @Nihim said:

    tldr: does moving ssh from 22 really matter security wise?

    it matters. I used fail2ban and it showed a longer iptables list daily. one day I thought: we disable root login as common sense because we believe malicious people know there is a root on every linux, so why don't we change 22 to something else, since everyone knows 22 is the default for ssh? then I did that and fail2ban just got its retirement :P

  • teknolaiz Member
    edited January 2016

    @Nihim said:
    Since we are talking about this, does moving ssh from 22 to something else (be it 1-1024 or +) really help? I mean excluding the ultra random script that tries ips in a range, for anyone else doing a closer look won't be really hard or time consuming to test one by one all the server ports till he hits ssh right?

    And for the mass scripts the usual fail2ban will take care of it in the first 1-2 attempts.
    (I don't include in that root as it has its own level of importance, so invalid accounts & wrong attempts on valid accounts).

    For me root without password and preferably keys for all users with secure passwords / keyphrases & fail2ban or equivalent program seems like enough.

    tldr: does moving ssh from 22 really matter security wise?

    Actually you are right. The hackers can simply scan port 0 to 65535 and find your SSH server or whatever they are looking for. So moving around does not help so much against real people that won't give up so easily.

    However as some have mentioned it terminates dangers such as automated bruteforcing and wannabe hackers. And I think it's actually even a thing that kind of protects against XOR as it seems to be also automated.

    Moving such a service outside the privileged port range can be harmful. You have to calculate the other factors in.

    So "come out of your own little world and look at the bigger picture".

    I'm pretty sure though that if your SSH server is patched, you've moved the port to get rid of automated attacks and use pure SSH public key authentication with strong keys with passphrase protection you are really secure from someone trying to take over your server via remote access. There is more though as always like keeping things up to date, installing patches and removing plugins with security holes or software which has tons of security issues (eww Wordpress plugins... or unpatched Magento CMS shops).

  • raindog308 Administrator, Veteran

    Even better, read my detailed explanation of why that author is a complete and unmitigated idiot:

    http://www.lowendtalk.com/discussion/comment/576972/#Comment_576972

    I called him out on Twitter on that and he said he'd respond "soon". Three years later, all he's done is put a disclaimer on his page saying it's "controversial".

    It's not controversial. It's pathetically stupid on at least a half-dozen points.

    Which explains why he doesn't allow comments on his blog...

    colingpt said: thanks a lot for letting me know this, I am now currently using a five-digit port for ssh, which your link explains is not good.

    A toddler could tell you that a high port is bad, and I would give him about as much respect as Joshua Thijssen. Probably more, actually...

  • colingpt Member
    edited January 2016

    @raindog308 said:

    well, thank you as well!

    Really learned a lot. And I actually just finished reading and was curious why he blocked the discussion. Then I saw your reply. I will read it now XD

    btw, who is Joshua Thijssen? A Google search shows a programmer...

  • raindog308 Administrator, Veteran
    edited January 2016

    colingpt said: btw, who is Joshua Thijssen?

    A guy with a major ego:knowledge ratio problem.

    Thanked by 2 colingpt netomx
  • teknolaiz Member
    edited January 2016

    @raindog308 said:

    It is not in my mind to argue here. There is not one right answer. There are many right (and also sometimes wrong) answers. I doubt that using privileged ports for really important services is wrong or a bad idea. They have their purpose. And one is to have some kind of security in some aspects.

    Let me put it so. No one is forcing you to use the standards made by the people and Internet engineers. You are your own master, aren't you? You are free to set 0 - 65535 as privileged ports on your system or do the contrary. You are free to modify things as you like and your knowledge allows. You are free, aren't you? You are you, right? Close that door and open another one.

    How paradoxical it is in the end. You rely on so many things that have been made a standard by people of the IETF and IANA. Life is a paradox.

    A toddler could tell you that a high port is bad

    Wait you just told me lower ports are bad. So what shall we use? Low ports are bad. High ports are bad. Hehe. Paradox, isn't it?

    Whatever. You are free so do what you want. Standards have been made for people who aren't as good as you in things like that and don't have the knowledge you have. But please don't try to force on your ways onto others. If you are free to do what you want let others do what they want. We've already enough problems.

    If all standards fall for less knowledgeable users we would have pure chaos. Someone made them in mind to help and protect people and services. They're not forced. Hence why I said do what you want. At least you should know what you do. I know what I do. Never had a single break in or any other security related issue.

    Thanked by 1 colingpt
  • raindog308 Administrator, Veteran

    teknolaiz said: Standards have been made for people who aren't as good as you in things like that and don't have the knowledge you have. But please don't try to force on your ways onto others.

    Yeah, because clearly that's what I was doing.

    Seriously, dude - I disagreed with an article on the Internet (which the vast majority of LET readers also disagree with, and the vast majority of IT pros disagree with) and now suddenly I'm some kind of Nazi?

    teknolaiz said: If you are free to do what you want let others do what they want. We've already enough problems.

    WTF dude? I wasn't saying we need death squads roaming DCs executing anyone who runs ssh on port 22. I was just saying that Joshua Thijssen is freaking idiot for all the ridiculous ideas in his article.

    teknolaiz said: If all standards fall for less knowledgeable users we would have pure chaos.

    Again, WTF are you talking about...we're talking about changing a port, not suddenly putting all RFCs on the pyre.

    teknolaiz said: Someone made them in mind to help and protect people and services.

    LOL what...yes, the great ancient wizards chose 22 because it's a magic number that protects us.

    Since you are putting forth the idea that running ssh on port 22 is more secure than running ssh on another port...can you explain? Because that's contrary to common wisdom in the community.

    teknolaiz said: How paradoxical it is in the end. You rely on so many things that have been made a standard by people of the IETF and IANA. Life is a paradox.

    What standard port is chosen by the IETF is completely irrelevant here.

    teknolaiz said: Wait you just told me lower ports are bad. So what shall we use? Low ports are bad. High ports are bad. Hehe. Paradox, isn't it?

    No, it isn't.

    I said a toddler could tell me that high ports are bad and I'd give him as much credence as Joshua Thijssen.

    Is this the first time you've run into someone who gives a detailed rebuttal to an idea you like? Because it's pretty common on the Internet and you shouldn't take it personally.

  • raindog308 said: we need death squads roaming DCs

    We could just use a few Brits running around calling them all cunts

    Thanked by 2 GM2015 netomx
  • raindog308 Administrator, Veteran

    miTgiB said: We could just use a few Brits running around calling them all cunts

    We're all cunts, I'm told.

    @Nekki

    Thanked by 2 GM2015 netomx
  • @miTgiB said:
    I understand you are trying to learn something, but you are also looking like you are trying to figure out how to hide shady activity.

    I hear @Fransisco is chilling with the Netflix CEOs now

    Thanked by 1 netomx
  • miTgiB Member
    edited January 2016

    doghouch said: I hear @Fransisco is chilling with the Netflix CEOs now

    Not that it matters, but do you really think @Francisco wants you spreading word on who he sleeps with?

    Thanked by 1 netomx
  • colingpt Member
    edited January 2016

    @miTgiB said:
    Not that it matters, but do you really think Francisco wants you spreading word on who he sleeps with?

    lol, is that kind of shady activity?

  • KuJoe Member, Host Rep

    Just going to leave this here, second time I've posted this link today: http://rand.pw/howsecure/

    :)

    Thanked by 1 colingpt
  • @miTgiB said:
    We could just use a few Brits running around calling them all cunts

    I can get paid to do that? Fuck me sign me up

  • I've a small checklist that I'm running through on every server I have. It's a lot of work at the start but after that only a bit of the list is left to do be done every day to ensure security.

    The list below really has no specific order! Some of the points are to be done once during the first time setup and others have to be repeated daily/weekly/monthly/if necessary.

    • keep your OS and all packages up to date
    • keep the software and applications you host up to date
    • install patches and workarounds for vulnerable components while waiting for a fix update
    • if no patches or workarounds are available take the drama and shut down the affected components
    • try to avoid using software that is known to be prone to security vulnerabilities
    • don't use old builds of software unless you have no other choice (if you have to use old versions make sure they are stable and secure)
    • set up a good firewall with default DROP policies and specific rules that only allow what you really need for all chains
    • for the firewall also set up rules that drop any strange looking and invalid packets/content
    • use SSH RSA public key authentication with strong keys (>=4096 Bit) only (disable SSH password authentication completely)
    • change the default SSH port from 22 to something else to simply get rid of automated bruteforce attempts (I don't know which port to use and I believe it's hard to say if I look back at some discussions above my post)
    • pay attention to changelogs of software you use and be aware of changes made
    • don't give access to your server to people you don't know/don't trust (common sense?)
    • don't always do everything as root on your server (use the root account only if you really need to)
    • don't run any script you find online and keep your fingers away from encrypted scripts (look at the code and if you don't understand anything of it probably keep the fingers away from it or ask online what it does and what it actually is)
    • try your very best to secure everything you run as good as possible
    • use fail2ban with your software and special rules to get rid of Wordpress bruteforce, bad crawlers and a lot more (I think the web has a lot of guides for all kind of attacks that can be mitigated with fail2ban)
    • get DDoS protection if you can
    • use TLS (HTTPS) on all your hosted stuff (Let's Encrypt, WoSign, StartSSL - no need to pay money if it's nothing serious like a business page)
    • encrypt your hard drives if you can (this may not always help as mentioned here by people but it is an extra security layer)
    • try to encrypt as much as possible without staying behind on security elsewhere

    I'm not very experienced. Should I have made any mistake please tell me and I will try to correct it and update the information. Sorry. Oh and if you find any spelling or grammar mistakes keep them to yourself :P.

    Thanked by 2 colingpt ehab
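    The SSH items in the checklist above (key-only login, root login off, password authentication off, sshd moved off port 22) can be checked mechanically. The script below is an added example, not code from this thread or from any of its posters: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, anything after a Match line is conditional), reports the weak settings, and runs itself against two constructed sample files, a stock-looking one and a hardened one. The port value 2222 is an assumption; the thread itself does not agree on which port to use.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config against the
# settings the checklist recommends (public-key only, no root login, password
# authentication off, sshd moved off port 22). Both sample configs below are
# constructed; the port 2222 is an assumption.
set -eu

# sshd_value FILE KEYWORD: the value sshd would actually use for KEYWORD.
# sshd takes the FIRST occurrence of a keyword and ignores later ones, and
# anything after a "Match" line is conditional, so the scan stops there.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# sshd_findings FILE: print one line per weak setting (nothing when clean).
sshd_findings() {
    f="$1"

    v=$(sshd_value "$f" PasswordAuthentication)
    [ "${v:-yes}" = no ] ||
        echo "PasswordAuthentication=${v:-unset} (default yes): set to no, use keys only"

    # PasswordAuthentication no is not enough on its own: with UsePAM yes the
    # keyboard-interactive method still lets PAM prompt for a password.
    k=$(sshd_value "$f" KbdInteractiveAuthentication)
    [ -n "$k" ] || k=$(sshd_value "$f" ChallengeResponseAuthentication)
    [ "${k:-yes}" = no ] ||
        echo "KbdInteractiveAuthentication/ChallengeResponseAuthentication=${k:-unset}: set to no or PAM can still ask for a password"

    r=$(sshd_value "$f" PermitRootLogin)
    [ "${r:-unset}" = no ] ||
        echo "PermitRootLogin=${r:-unset}: set to no and log in as an unprivileged user"

    p=$(sshd_value "$f" PubkeyAuthentication)
    [ "${p:-yes}" = yes ] ||
        echo "PubkeyAuthentication=$p: must be yes once passwords are off"

    port=$(sshd_value "$f" Port)
    [ "${port:-22}" != 22 ] ||
        echo "Port=${port:-unset}: still on 22, automated bruteforce will find it"

    return 0
}

# Constructed sample 1: what a stock sshd_config commonly looks like.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample, not a real server's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF

# Constructed sample 2: the hardened version. The Match block at the end only
# re-enables passwords for the documentation range 192.0.2.0/24; it shows why
# the first-occurrence rule matters, as it must not be read as the global value.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

echo "== stock config =="; sshd_findings "$WEAK_CFG"
echo "== hardened config =="; sshd_findings "$HARD_CFG"
```

    Run it against a real file with `sshd_findings /etc/sshd_config` after sourcing the script; the stock sample reports four findings, the hardened one none. After changing a real config, `sshd -T` prints the effective settings and is the authoritative check.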
  • @miTgiB said:
    Not that it matters, but do you really think Francisco wants you spreading word on who he sleeps with?

    yep he totally vouched

  • colingpt Member
    edited January 2016

    @lamron said: change the default SSH port from 22 to something else to simply get rid of automated bruteforce attempts (I don't know which port to use and I believe it's hard to say if I look back at some discussions above my post)

    well explained, but, which do you use then? :P

    just realized fail2ban can be used for wordpress, will have a try. I used it for ssh before I changed port long ago and for nginx auth

  • raindog308 Administrator, Veteran

    KuJoe said: Just going to leave this here, second time I've posted this link today: http://rand.pw/howsecure/

    "Basically, any reputable provider will not go snooping through client's files just because they are bored."

    I think there's less chance that a reputable provider here is going to snoop, because there's only a few people involved, they're generally overworked, and they have too much invested in the business to throw it away on someone's porn pile.

    OTOH, the junior third shift sysadmin from 1-800-offshore who's got the keys to the Amazon kingdom...

    Thanked by 1 miTgiB
  • I figured out the best method of protecting my servers...

    It's as simple as getting your credit card, heading over to cyberbunker.com and put that smile on your face because you just gave away your credit card info to a bunch of lunatics that hang out with GvH eMpLoYeEs

    Send them to CyberBunker :)

  • aglodek Member
    edited January 2016

    @lamron said:

    • for the firewall also set up rules that drop any strange looking and invalid packets/content…

    Good one. Care to elaborate on what's "strange looking" or "invalid" and an example fw rule or two?

  • lamron Member
    edited January 2016

    @aglodek

    I generally use these on my machines (adjusted depending on what I host):

    Policies

    iptables -P FORWARD DROP
    iptables -P INPUT   DROP
    iptables -P OUTPUT  ACCEPT

    Allow established connections (replies to outgoing traffic)

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    Allow use of loopback device

    iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

    Open all other necessary ports (adjust for what is hosted)

    iptables -A INPUT -s sourceip -p tcp --dport portnumber -m state --state NEW -j ACCEPT

    Drop invalid packets

    iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
    iptables -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
    iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    Also had some sysctl tweaks however I just can't find them nor the source where I had them from. I use Debian and it's well documented. A lot of things you can find for other distributions apply for it, too.

    Don't forget to apply the same rules for ip6tables if you have IPv6!

    Sources

    Imho there is a lot more that can be done but no time to find all the sources I had.

    Thanked by 1 aglodek
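    The rules in the post above are typed out in an order that matters: set the INPUT policy to DROP first over a remote session and the session is gone before the ESTABLISHED rule exists. The script below is an added example, not lamron's own script: it builds the same ruleset (default DROP, ESTABLISHED/RELATED, loopback, explicit service ports, conntrack INVALID drop) in an order that is safe to apply over SSH, adds one more "strange looking packet" rule (loopback source on a real interface) and a kernel-side SSH connection-rate limit, and repeats the whole thing for ip6tables, where ICMPv6 must stay open or neighbour discovery breaks. The SSH port and the admin networks are assumptions; by default it only prints the rules and needs an explicit `apply` argument to load them.

```shell
#!/bin/sh
# Added example, not lamron's script: the ruleset from the post above, built in
# an order that is safe to apply over an SSH session, plus an anti-spoofing
# rule, an SSH connection-rate limit, and the ip6tables variant.
# The port and admin networks are assumptions; adjust them before use.
set -eu

SSH_PORT="${SSH_PORT:-2222}"               # assumed: the port sshd was moved to
ADMIN_NET4="${ADMIN_NET4:-203.0.113.0/24}" # assumed: management network (IPv4)
ADMIN_NET6="${ADMIN_NET6:-2001:db8::/32}"  # assumed: management network (IPv6)

# build_rules BIN FAMILY ADMIN_SRC SSH_PORT [SERVICE_PORT...]
#   BIN    - iptables or ip6tables; "echo iptables" gives a dry run that only
#            prints each rule instead of loading it
#   FAMILY - 4 or 6 (selects the loopback address and ICMP handling)
build_rules() {
    bin="$1"; family="$2"; src="$3"; ssh="$4"
    shift 4
    if [ "$family" = 6 ]; then lo_net="::1/128"; else lo_net="127.0.0.0/8"; fi

    # Flush with an ACCEPT policy first: flushing while the policy is already
    # DROP cuts the current SSH session off before the allow rules exist.
    $bin -P INPUT ACCEPT
    $bin -F INPUT
    $bin -F OUTPUT
    $bin -F FORWARD

    # "Strange looking" packets: malformed or out-of-state ones (conntrack
    # INVALID) and packets arriving on a real interface with a loopback source.
    $bin -A INPUT   -m conntrack --ctstate INVALID -j DROP
    $bin -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
    $bin -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $bin -A INPUT ! -i lo -s "$lo_net" -j DROP

    # Replies to our own outgoing traffic, and everything on the loopback device.
    $bin -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $bin -A INPUT -i lo -j ACCEPT

    # IPv6 relies on ICMPv6 (neighbour discovery, path MTU); blocking it breaks
    # the stack. For IPv4 only echo requests are let through here.
    if [ "$family" = 6 ]; then
        $bin -A INPUT -p ipv6-icmp -j ACCEPT
    else
        $bin -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    fi

    # SSH only from the admin network, rate limited with the "recent" match: a
    # source opening its 5th new connection within 60 seconds is dropped. This
    # complements fail2ban and key-only authentication, it replaces neither.
    $bin -A INPUT -p tcp --dport "$ssh" -s "$src" -m conntrack --ctstate NEW \
         -m recent --name ssh --set
    $bin -A INPUT -p tcp --dport "$ssh" -s "$src" -m conntrack --ctstate NEW \
         -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
    $bin -A INPUT -p tcp --dport "$ssh" -s "$src" -m conntrack --ctstate NEW -j ACCEPT

    # Hosted services that the whole Internet may reach.
    for port in "$@"; do
        $bin -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Only now, with the allow rules in place, switch to default DROP.
    $bin -P INPUT   DROP
    $bin -P FORWARD DROP
    $bin -P OUTPUT  ACCEPT
}

# count_rules OUTPUT CHAIN: number of "-A CHAIN" rules in a dry-run listing.
count_rules() {
    printf '%s\n' "$1" | grep -c -- "-A $2 " || true
}

# Dry run by default; "apply" loads the rules for real (needs root).
case "${1:-dry-run}" in
    apply)
        build_rules iptables  4 "$ADMIN_NET4" "$SSH_PORT" 80 443
        build_rules ip6tables 6 "$ADMIN_NET6" "$SSH_PORT" 80 443
        ;;
    *)
        build_rules "echo iptables"  4 "$ADMIN_NET4" "$SSH_PORT" 80 443
        build_rules "echo ip6tables" 6 "$ADMIN_NET6" "$SSH_PORT" 80 443
        ;;
esac
```

    Review the dry-run output first, then run it with `apply` from a console or a session that can survive a mistake (a cron job that flushes the rules after a few minutes is the usual safety net). The rules are not persistent on their own; save them with your distribution's iptables-persistent or netfilter-persistent package.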