On 04/03/2021 17.49, Lew Wolfgang wrote:
On 3/4/21 5:26 AM, Carlos E. R. wrote:
On 04/03/2021 14.12, Per Jessen wrote:
Lew Wolfgang wrote:
And of course botnets also scan for open ports, and not just the obvious ones. I just checked on my underused server with a direct and static connection, and over a 75-minute period I had 869 ports scanned, 637 of them were unique ephemeral high-numbered ports. Botnets don't care about laws, and if your IP is static for very long, your hidden ssh port could be exposed.

Yep, I can assure you they will be. Even if we use public key authentication, we still run ssh on a high port - on one server installed in 2015, there were no ssh attacks until 7 February 2021. Since then, 2907 login attempts.

On another, also installed in 2015, attempts started 1 November 2020, since then 136680.

Static IPs?
We might have to go one step further: migrate the port randomly and periodically.
If you're really that paranoid, take a look at port knocking:
https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-y...
Interesting.

sequence: The sequence of ports someone must access to open or close port 22. The default ports are 7000, 8000, and 9000 to open it, and 9000, 8000, and 7000 to close it. You can change these or add more ports to the list. For our purposes, we’ll stick with the defaults.

However, there is a router in front of my server machine. The current configuration is that, from the internet, I connect using ssh to some high port, and the router changes that incoming connection to another on port 22 to the correct machine on the LAN. To do what that article suggests, I would have to add three more rules to my router, which has a limited and arbitrarily small number of rules I can write. Not very feasible, but something to consider if the situation worsens.
Even that is security through obscurity, but an argument could be made that multiple levels of obscurity can only help.
Sure. :-) Another design could be sending innocuous-looking pings to some predefined port and in some time sequence, perhaps with certain payload. If things get bad, we could change altogether the entry system to the ssh to some type of challenge-response method, where what is sent changes every time, and doesn't rely on encryption (but can use it). Or combine with a phone. Two-factor security. One method used long ago was to call (via phone) the server, the server would hang up and call you back on a predefined number.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
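As an added illustration of the knock sequence quoted from the article above (7000, 8000, 9000 opens, 9000, 8000, 7000 closes), and not code from this thread or from knockd itself: a small Python state machine that replays constructed connection-log events per source address and decides when access to the hidden port should be granted or revoked. The 10-second window, the rule that any unexpected port resets the sequence, and the sample addresses are assumptions of this example, chosen to show why a port sweep or a slow sequence does not open the door.

```python
# Added example, not from the thread or from knockd. Tracks per-source knock
# progress; assumptions: a whole sequence must finish within KNOCK_WINDOW
# seconds, and any port other than the next expected one resets progress
# (only the first port of a sequence may start a new one).
OPEN_SEQ = (7000, 8000, 9000)   # defaults quoted from the article
CLOSE_SEQ = (9000, 8000, 7000)
KNOCK_WINDOW = 10.0             # assumed timeout in seconds


class KnockTracker:
    def __init__(self):
        self.state = {}        # ip -> [sequence, next index, first knock time]
        self.allowed = set()   # sources currently granted access to port 22

    def knock(self, ip, port, ts):
        """Record one connection attempt; return 'open', 'close' or None."""
        st = self.state.get(ip)
        if st and ts - st[2] > KNOCK_WINDOW:
            st = None                          # too slow: start over
        if st and st[0][st[1]] == port:        # the expected next port
            st[1] += 1
        else:                                  # wrong or first port: may (re)start
            st = None
            for seq in (OPEN_SEQ, CLOSE_SEQ):
                if seq[0] == port:
                    st = [seq, 1, ts]
        if st is None:
            self.state.pop(ip, None)
            return None
        if st[1] == len(st[0]):                # sequence completed
            self.state.pop(ip, None)
            if st[0] == OPEN_SEQ:
                self.allowed.add(ip)
                return "open"
            self.allowed.discard(ip)
            return "close"
        self.state[ip] = st
        return None


def replay(events):
    """Feed (ip, port, timestamp) events; return tracker and decisions made."""
    tracker, decisions = KnockTracker(), []
    for ip, port, ts in events:
        result = tracker.knock(ip, port, ts)
        if result:
            decisions.append((ts, ip, result))
    return tracker, decisions


SAMPLE = [  # constructed events standing in for firewall log lines
    ("203.0.113.7", 7000, 0.0), ("203.0.113.7", 8000, 0.5), ("203.0.113.7", 9000, 1.0),
    ("198.51.100.4", 7000, 2.0), ("198.51.100.4", 7001, 2.1),   # port sweep touches 7001
    ("198.51.100.4", 8000, 2.2), ("198.51.100.4", 9000, 2.3),
    ("192.0.2.9", 7000, 3.0), ("192.0.2.9", 8000, 9.0), ("192.0.2.9", 9000, 14.0),  # too slow
    ("203.0.113.7", 9000, 20.0), ("203.0.113.7", 8000, 20.5), ("203.0.113.7", 7000, 21.0),
]
```

Only the first source opens the port (and later closes it); the sweeping scanner and the slow knocker never reach the allow-list.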