I'm not TOO concerned about the SSH attempts on my server. From April 4 until now I have about 26k unique login attempts on my mail server. I also have hundreds of IPs in my bruteforce table. Best thing is good SSH policy, and some filtering like you have. I have a fun setup that throws abusers into a 1kbps queue :)
I think I would go for a VPN to the server, only put the ssh in the VPN network. On top oh that, preferably have a home automation thingy that physically shuts the power off the VPN on or off (or a switch behind or before the VPN server). So it's only accessible when you use it. Of course the remote switch can be hacked, but not much damage done when that happens. Try to hack into a network with a switched off switch.
I think rate limiting the connections will definitely reduce the resource usage on the server. If you want to block to any IP except your home IP, then you will need to make sure that you have a VPN setup for your home router so that you can connect to the server when you are out and about. When it comes to blocking other regions, that will still not block in region attacks. (i.e. boxes that have been hijacked from hackers or bots).
port knocking, better pf config, very strict ip white listing, rate limiting, blacklisting malicious ips, randomize ports, high security login (eg. disable password auth, enable key based auth), make sure minimal ports opened and filter required ports
If my server allowed SSH on the Internet, I would only allow key based authentication to the server, that would stop password brute force attacks. However, I have all my servers on Azure and connect to ssh/scp via VPN. On the odd occasion that a 3rd party needs access, I sometimes open a port, only allowing their IP address to access, then close down access after they have finished. What I also use for contractors and when I am not on my own gear, is use Azure bastion which is like a jump box which works well for SSH and RDP access.
I've had my desktop ssh server get used as part of a denial on another server once even though they had no valid username/password; defaults severly limited compared to what they tried to get it to do but helping was still bad. The handbook describes blacklistd to avoid that attack though there are other tools to achieve the same result; that is to stop communication after a # of attempts but not rate limiting the traffic and doing so makes for a very noisy messages log. The author of the book of pf covers how to setup limiting data rate for active connections on his webpage and in his book if you want to have a go. I had an idea to push it even further but never got around to testing it.
You evil man, now I have to learn Discord too. But thanks for doing something on PF. I´m in the process (measured in years...) of building a PF router. Speaking of PF, did you know that OpenBSD 7.5 was released a few days ago?
There are countless bastards out there - humans and bots - who will attack your server 24/7 so hardening your server is the proper course of action. Fail2ban and ssh guard are essential tools. Using a non standard port is of limited benefit, as attackers will find the other port soon enough.
I have this issue with my NAS and luckily for me it's quite easy to geo block country's. So in fact I don't worry too much I only open up and allow countries that I would possibly take a vacation in. Obviously this is not water tight because you can use VPN but it does rule out a lot of low level scan stuff. Apart from that I do not use a rate limiter in fact I permanently block anyone so the list of IP addresses that are blocked will grow over time but that's cool because then I can share it with other people that want to block those IPs beforehand.
fail2ban is your friend for this, just remember to make it ignore your local lan addresses. It won't completely stop attacks, but it will temporarily block ips which keep repeating those attacks. Having been a freebsd user since 2.4.x days, I don't really like pf, been using ipfw for as long as it exists. It requires a bit more thought to setup, but removes all the 'wtf is it doing now' pf tends to have.
I am unsure of open source options but this seems like a perfect example for a Secure Access solution like Bomgar or numerous over companies provide. you access on a single https port, and depending on what rights you are granted it then allows you access to the target(s). granted these are enterprise class tools so they have a cost associated with them that you may not want to or be able to pay. and I have never looked into open source alternatives. but it would allow you to not use a VPN and close off all MGMT ports to the system. including from internal sources at the servers location if needed.
I'm not TOO concerned about the SSH attempts on my server. From April 4 until now I have about 26k unique login attempts on my mail server. I also have hundreds of IPs in my bruteforce table. Best thing is good SSH policy, and some filtering like you have. I have a fun setup that throws abusers into a 1kbps queue :)
I think I would go for a VPN to the server, only put the ssh in the VPN network. On top oh that, preferably have a home automation thingy that physically shuts the power off the VPN on or off (or a switch behind or before the VPN server). So it's only accessible when you use it. Of course the remote switch can be hacked, but not much damage done when that happens. Try to hack into a network with a switched off switch.
I do fail2ban + crowdsec + non standard ssh port + no password logins on wan (only keys) I still allow password logins via LAN/VPN.
I made my network simple. You can only access it through a VPN (which I also host at home). Makes life much easier. 🤪
SSH on a non-standard port, a SSH tarpit running on port 22, and when they give up fail2ban nails them.
I think rate limiting the connections will definitely reduce the resource usage on the server. If you want to block to any IP except your home IP, then you will need to make sure that you have a VPN setup for your home router so that you can connect to the server when you are out and about. When it comes to blocking other regions, that will still not block in region attacks. (i.e. boxes that have been hijacked from hackers or bots).
port knocking, better pf config, very strict ip white listing, rate limiting, blacklisting malicious ips, randomize ports, high security login (eg. disable password auth, enable key based auth), make sure minimal ports opened and filter required ports
If my server allowed SSH on the Internet, I would only allow key based authentication to the server, that would stop password brute force attacks. However, I have all my servers on Azure and connect to ssh/scp via VPN. On the odd occasion that a 3rd party needs access, I sometimes open a port, only allowing their IP address to access, then close down access after they have finished. What I also use for contractors and when I am not on my own gear, is use Azure bastion which is like a jump box which works well for SSH and RDP access.
I've had my desktop ssh server get used as part of a denial on another server once even though they had no valid username/password; defaults severly limited compared to what they tried to get it to do but helping was still bad. The handbook describes blacklistd to avoid that attack though there are other tools to achieve the same result; that is to stop communication after a # of attempts but not rate limiting the traffic and doing so makes for a very noisy messages log. The author of the book of pf covers how to setup limiting data rate for active connections on his webpage and in his book if you want to have a go. I had an idea to push it even further but never got around to testing it.
You evil man, now I have to learn Discord too. But thanks for doing something on PF. I´m in the process (measured in years...) of building a PF router. Speaking of PF, did you know that OpenBSD 7.5 was released a few days ago?
There are countless bastards out there - humans and bots - who will attack your server 24/7 so hardening your server is the proper course of action.
Fail2ban and ssh guard are essential tools. Using a non standard port is of limited benefit, as attackers will find the other port soon enough.
I have this issue with my NAS and luckily for me it's quite easy to geo block country's. So in fact I don't worry too much I only open up and allow countries that I would possibly take a vacation in. Obviously this is not water tight because you can use VPN but it does rule out a lot of low level scan stuff. Apart from that I do not use a rate limiter in fact I permanently block anyone so the list of IP addresses that are blocked will grow over time but that's cool because then I can share it with other people that want to block those IPs beforehand.
do you have to provide long lists of addresses or is there a simpler way? or do you have something look up the address and then do logic?
have you ever installed openstack on freebsd? do you recommend it?
fail2ban is your friend for this, just remember to make it ignore your local lan addresses.
It won't completely stop attacks, but it will temporarily block ips which keep repeating those attacks.
Having been a freebsd user since 2.4.x days, I don't really like pf, been using ipfw for as long as it exists. It requires a bit more thought to setup, but removes all the 'wtf is it doing now' pf tends to have.
Does changing the ssh port actually do anything when there nmap?
i been obsessed om server hardening lately myself lol do you have any honeypots setup on freebsd servers?
I use blacklistd because it's part of the operating system and it's work instantly without checking log files.
I do fail2ban and keys only/non root only, i get between 5/10 attempts that go through per hour, i am fine with that, zero chance they get in
Endlessh ... Make them wait :)
What about a port knocker?
What you need is “port knocking”… that will fix all your issues…. Lookout in the ports for Security/Knock
Why are you exposing SSH to the net instead of using an overlay network like Tailnet?
I do fail2ban, crowdsec and ufw limit 22, no root login keys only. 🤔
Valium is a wonderful thing
Setup a VPN server and allow only that IP
I advice ssh guard
I am unsure of open source options but this seems like a perfect example for a Secure Access solution like Bomgar or numerous over companies provide. you access on a single https port, and depending on what rights you are granted it then allows you access to the target(s). granted these are enterprise class tools so they have a cost associated with them that you may not want to or be able to pay. and I have never looked into open source alternatives. but it would allow you to not use a VPN and close off all MGMT ports to the system. including from internal sources at the servers location if needed.
:)
🙃
Do you delete comments?
I think yt does rather aggressively. I had one get deleted off of this video.
YT seems to delete any comments with links or terms it doesn't allow. I can't say what those terms are or you won't be able to read this comment. 😅
7:13 to 7:14 needs more censoring.
try crowdsec
Ai triggered and managed randomized touches … it’s 2024 👽🛸🌈🌎🌍🌏✌️😎💕