Securing ssh Connections and Blocking Failures
Updated 10/2019
Use ed25519 keys, if you can:
ssh-keygen -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub userid@remote
Updated 10/2015
If you have an ssh server on your network that is reachable from the internet, chances are your systems are being attacked. If you aren’t aware of this, just take a look at your ssh logs in /var/log/auth.log.
$ egrep -i Failed /var/log/auth.log*
We can do better from a security standpoint. Regardless, ssh definitely still rocks and should be used daily, constantly. Before I moved ssh to a higher, non-standard port and installed Fail2Ban, I was seeing over 1,000 ssh attempts daily in the log files. What’s the saying … ignorance is bliss? Not when it comes to systems security.
This article is for Linux/UNIX users, but the ideas should apply to any OS running an ssh daemon.
Ssh Setup For Higher Security
The order below is based on how easy each item is to accomplish or set up. None of these configuration changes are hard. All of them can be done in under 5 minutes if you know what you’re doing, or 15 minutes if you need to read up a little.
- Listen on a non-standard port
- Use ssh-key-based connections
- No remote root logins with a password – PermitRootLogin without-password
- Allow only key-based logins from non-LAN IPs (basically any remote ssh connection cannot use a password)
- Lock account after X failed attempts – Fail2Ban
- Automatically block IPs with login failures – Fail2Ban
- Monitor hack attempts – Fail2Ban
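The last three items are what Fail2Ban automates from /var/log/auth.log. As an added example (not from the original article), the shell functions below run the same checks over a constructed sample of auth.log lines: failures per source IP, IPs at or over a ban threshold, and password logins accepted from outside an assumed 192.168. LAN.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not real log data);
# the IPs are documentation ranges and the fingerprint is a placeholder.
SAMPLE_LOG='Oct 12 03:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 12 03:14:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 12 03:14:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Oct 12 03:15:10 host sshd[1210]: Failed password for bob from 198.51.100.22 port 40011 ssh2
Oct 12 03:16:00 host sshd[1215]: Accepted publickey for bob from 192.168.1.50 port 50100 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Oct 12 03:17:00 host sshd[1220]: Accepted password for bob from 192.168.1.51 port 50200 ssh2
Oct 12 03:18:00 host sshd[1225]: Accepted password for bob from 203.0.113.9 port 50300 ssh2'

# Assumed LAN prefix; adjust to your own network.
LAN_PREFIX='192.168.'

# from_field: print the word after "from" on each line (the source IP).
from_field() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }'
}

# failures_by_ip: read log lines on stdin, print "count ip" for every IP
# with failed password logins, highest count first.
failures_by_ip() {
    grep -i 'Failed password' | from_field | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# ips_over_threshold N: IPs with N or more failures, i.e. what Fail2Ban
# would ban with maxretry=N.
ips_over_threshold() {
    failures_by_ip | awk -v n="$1" '$1 >= n { print $2 }'
}

# password_accepts_outside_lan: successful *password* logins from
# non-LAN IPs, which the hardening above is meant to make impossible.
password_accepts_outside_lan() {
    grep 'Accepted password' | from_field | grep -v "^$LAN_PREFIX"
}
```

Pipe a real log in with `cat /var/log/auth.log* | ips_over_threshold 5` once the functions are sourced.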
Readers Ask About ... VPNs
Below is the 6th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)
Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization |
Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email |
Part 5 – Reverse Proxies
duijf asks:
Q6: It seems desirable to be able to VPN into my network at any time. If I decide to set up said service, does any device in my internal network need to connect before it is discoverable?
Sorry, but I don’t understand the question entirely. Discoverable? That confuses me. This isn’t a game console. Your VPN client and server will need to know about each other explicitly. Not to worry, that isn’t very difficult to set up. There are just a few details.
Googlebot Random HTTP-GET Requests
I was going through the blog server logs today looking for odd, unexpected requests. Attended a Linux Security Meeting last evening that has me thinking … I see all the normal phpMyAdmin / dbadmin requests and other hack attempts for tools that we don’t use here. All the index.php requests are worthless / harmless. In the 404 list were lots of random strings requested at the top level of the blog. To me, these strings look like passwords from some password management tool. Hummm.
Readers Ask About ... Reverse Proxy Servers
Below is the 5th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)
Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization |
Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email
duijf asks:
Q5: Do I need a reverse proxy if I ? I’ve read about proxy servers on TheFu’s blog that filter internal traffic (if you read this, in the end I liked the idea a lot more than at first). Is this even the same thing? If this is to happen, is it correct that I’d need two NICs and bridge the connection from the router to the internal network? If so, can I get rid of the router? We do use it for telephone access too.
Readers Ask About ... Hosting Email
Below is the 4th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)
Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization | Part 3 – Virtualizing Media Storage
duijf asks:
Q4: Maybe I’ll host the email for my own domain, what do I have to know? (ISPs, configuration, internal mail)
Envelope Printing
This article is just for me to recall how to print envelopes.
Using LibreOffice, use the Insert -> Envelope menu.
- Addressee is the TO field.
- Set the paper to landscape.
- Look at the print preview – move the location box as needed.
- Use the front feed for the Samsung printer.
- Insert the envelope with the print-side up with the normal fold opening from the center and down to the left of the printer. You will read the envelope from the right-hand side of the printer looking left.
If this helps someone else, I’d be shocked. OTOH, I don’t use paper envelopes very often, so having this written down somewhere means fewer thrown-away envelopes due to failed printing attempts.
Readers Ask About ... Using Virtualization with Media Storage
Below is the 3rd of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)
Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization | Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email
duijf asks:
Q3: I intent (sic) to provide quite a lot of media to my internal network, if I choose for virtualisation, will the VMs be able to access the disk space outside of the container? I do not want to create TB size containers (or should I?). I will probably use the SMB protocol here.
Readers Ask About ... Virtualization of Services
Below is the 2nd of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization | Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email
duijf asks:
Q2: I read everywhere about Virtualisation, should I directly install packages to the base system to provide services, or should I virtualise all services? What are the advantages here?
Advantages of Virtualization
The list of advantages is long, but with those advantages come a few disadvantages. I cannot hope to point out all the advantages, so I’ll limit it to just the main ones.
Blog Database Corruption Solved
Sometime on Monday the database that we run our blog software on became corrupted to the point that accessing the blog wasn’t possible for hours, perhaps many, many hours.
I don’t know how long the error existed, just that I created a few new articles in the morning and didn’t check back until late afternoon to see the process eating 99.99% of the available CPU AND not serving any pages.
Increase Virtual Partition Storage for VirtualBox
This weekend, my 3 yr old VirtualBox VDI storage for this, my primary virtual machine, was getting close to 100% full. It was a 10G partition that started out as a 6.06 installation, then was upgraded to 8.04 and finally to 32-bit Ubuntu Server running 10.04. To get a GUI, I added LXDE a few minutes after the 10.04 upgrade about a year ago. So as I wanted to start a new development project leveraging PerlBrew to manage different Perl versions, libraries and CPAN modules, I knew the little space remaining would not be enough.
I did a little research before I began. The web pages that I found seemed to be taking the long way around to solve a fairly easy issue. They wanted users to download some tool, which was completely unnecessary. Anyway, below is the shortest, easiest way to increase the available storage in a VDI-based virtual machine.