The risk is actually quite high. Opening ssh with an easy username and password will be compromised soon enough, just check your log files if you have ssh open to see bots trying to log in. I have been out to fix "slow" Linux boxes that have been owned like this.

obarthelemy wrote:
First, the risk is lowish to start with, because there are very few Linux on ARM computers out there, and many vulnerabilities are platform-specific. There are certainly Linux/ARM vulns, but hackers probably aren't bothering to try and exploit those.
This said, I would:
- not use a standard port
- use a key instead of a password
- put ssh on a schedule if you know when you'll want it beforehand
- fake the login message to mislead the snoopers
That's a good idea, and it's kept my fail2ban logs down quite a bit since making the change.

shawnanastasio wrote:
This is really starting to scare me. I am definitely changing the port...
Is there an easy way to set up key-only authentication so that I can still use SFTP and SSH?

jojopi wrote:
I think that fail2ban, denyhosts, and numerous other workalikes are ill-conceived and do not increase security. They are easy to write, so everyone writes one and then wallows in a false sense of power.
They do not protect you against password brute-forcing; they only protect you against password brute-forcing by an adversary with limited IP resources (that is, with no botnet). They do not protect you at all against very weak or accidentally leaked passwords. Nor against any weaknesses in your SSH configuration. And they are potentially a denial-of-service vector as well.
They are (belatedly) effective against very ineffective attacks, but just moving SSH to a non-standard port seems to work better still.
I think most people would be better to restrict SSH access to specific netblocks, enforce good passwords, set up keys and disable password authentication, move SSH to another port, implement additional restrictions such as port-knocking or multi-factor authentication if they are really paranoid, (in roughly that order) and only then consider banning weak attackers if they are still present.
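The hardening steps listed in the thread (keys only, no password logins, non-default port, access limited to a netblock, SFTP still working) can be checked mechanically. The following is an added example, not code posted by anyone in the thread: it audits the global section of an sshd_config text. The port 2222, the user `pi`, the netblock 192.168.1.0/24 and both sample configs are constructed, and it assumes a single config file with whitespace-separated keywords and no Include directives.

```python
# Added example: audit sshd_config text against the thread's hardening steps.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Older OpenSSH releases use this name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK = "Port 22\nPasswordAuthentication yes\n"   # constructed sample
HARDENED = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers pi@192.168.1.0/24
Subsystem sftp internal-sftp
"""

def parse_global(text):
    """Collect keyword -> [values] for lines before the first Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # Match blocks are conditional; only the global part is audited
        opts.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return opts

def first(opts, key):
    # sshd keeps the first value it reads for a single-valued keyword
    return opts.get(key, [DEFAULTS[key]])[0].lower()

def audit(text):
    o, findings = parse_global(text), []
    if first(o, "passwordauthentication") != "no":
        findings.append("password authentication enabled")
    if first(o, "kbdinteractiveauthentication") != "no":
        findings.append("keyboard-interactive enabled (PAM may still ask for a password)")
    if first(o, "pubkeyauthentication") != "yes":
        findings.append("public-key authentication disabled")
    if "22" in o.get("port", ["22"]):
        findings.append("listening on default port 22")
    if not any("@" in u for v in o.get("allowusers", []) for u in v.split()):
        findings.append("no AllowUsers user@netblock restriction in sshd_config")
    if not any(v.split()[0].lower() == "sftp" for v in o.get("subsystem", []) if v):
        findings.append("no sftp subsystem, so SFTP will not work")
    return findings
```

On a live host, `sshd -T` prints the effective configuration, including defaults, and is the authoritative input for a check like this.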