On 1/17/19 10:42 AM, Carlos E. R. wrote:
On 17/01/2019 19.31, Lew Wolfgang wrote:
On 1/17/19 5:49 AM, Per Jessen wrote:
Peter Suetterlin wrote:
Patrick Shanahan wrote:
if you are not running a server, don't install fail2ban.
Any reasoning for this? I definitely disagree. Anything that has an open ssh port should run it IMHO. And that's more than just servers....

Alternatively - use keys for ssh, and that problem is gone. Or if that's too cumbersome, move ssh to a higher port. Works wonders.

Security through obscurity? What could possibly go wrong?

Actually, it works fantastically. And arguably, it is not "obscurity".
Consider your door key: it has a number of notches, perhaps eight, in different height values, perhaps twenty (guessing, I'm not a locksmith). You can do the math and find out the number of combinations: it is finite and not astronomical. You can sequentially try every combination of "mechanical key values" and finally you open the door without "breaking" it. I.e., find the correct key.

This is the same: the attacker has to poll every port in order to find the correct one. Sixty-something thousand combinations. It is just a key with not a huge number of combinations: and it works, only people that really want your machine try to enter. The scripts usually abandon and try another host.
Well, doesn't all security rely on obscurity? The goal should be to increase obscurity as much as possible. Crypto keys can be guessed, if you can throw enough guesses. But if you block access after a low number of failed guesses you've decreased your odds of being successfully guessed by a huge amount.

A full nmap scan of all ephemeral ports doesn't take all that long, and you could also use shodan. Once you discover the sshd port, you can start guessing/hacking/etc.

Yes, a door key is an example of security through obscurity, and most of them are trivially easy to compromise. I've done it myself, even without carrying around a bag of all possible key combinations. I think the number of key combinations is less than one would think.

Sure, moving sshd to an ephemeral port helps, but it's only an inconvenience to even a moderately skilled hacker. Using crypto keys and disabling username/password logins for public-facing servers is good, adding fail2ban or SSHGuard makes it even better. Then, if you allow port 22 access only from IPs that you own, you're golden. Defense in depth!

Regards,
Lew
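As an added illustration of the "defense in depth" layers Lew lists (not code from this thread, fail2ban, SSHGuard or OpenSSH), the block below does two things: it runs a fail2ban-style sliding-window counter over constructed sshd log lines, reporting which sources hit the retry threshold (fail2ban's default of 5 failures within 10 minutes is used as the default), and it audits a constructed sshd_config fragment for the two settings the thread recommends (password logins off, public-key logins on). The log lines, IP addresses (documentation ranges), hostnames and config texts are all constructed for the example; only the OpenSSH log format and keyword names are real.

```python
"""Added example: fail2ban-style failed-login counting over constructed sshd
log lines, plus a check of sshd_config for key-only authentication.
Not taken from the mailing-list thread or from any of the tools it names.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth log lines in syslog format (the year is
# omitted, as in a real /var/log/messages). 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 17 10:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 17 10:40:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jan 17 10:40:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 17 10:40:07 host sshd[2104]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 17 10:40:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 17 10:41:00 host sshd[2106]: Failed password for lew from 198.51.100.9 port 40001 ssh2
Jan 17 10:41:30 host sshd[2107]: Accepted publickey for lew from 198.51.100.9 port 40002 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 17 11:05:00 host sshd[2108]: Failed password for root from 192.0.2.44 port 60000 ssh2
Jan 17 11:06:00 host sshd[2109]: Failed password for root from 192.0.2.44 port 60001 ssh2
Jan 17 11:30:00 host sshd[2110]: Failed password for root from 192.0.2.44 port 60002 ssh2
Jan 17 11:31:00 host sshd[2111]: Failed password for root from 192.0.2.44 port 60003 ssh2
Jan 17 11:32:00 host sshd[2112]: Failed password for root from 192.0.2.44 port 60004 ssh2
"""

# Matches the "Failed password" line sshd logs for a rejected password attempt
# (with or without the "invalid user" prefix for unknown accounts).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def find_offenders(log_text, maxretry=5, findtime_seconds=600):
    """Return {ip: time_of_threshold_hit} for every source that produced at
    least `maxretry` password failures inside a sliding window of
    `findtime_seconds`. This mirrors fail2ban's maxretry/findtime semantics;
    the ban itself would be a firewall rule and is not part of the example."""
    windows = defaultdict(deque)  # ip -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip = m["ip"]
        if ip in offenders:
            continue  # already over the threshold, nothing more to learn
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime_seconds:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            offenders[ip] = ts
    return offenders


# Constructed sshd_config fragments: weak defaults beside the hardened settings
# the thread recommends (keys only, no password logins, source-restricted).
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
AllowUsers lew@198.51.100.0/24
"""
# What the audit expects, and what OpenSSH assumes when a keyword is absent.
REQUIRED = {"passwordauthentication": "no", "pubkeyauthentication": "yes"}
SSHD_DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def audit_sshd_config(text):
    """Return a list of deviations from REQUIRED. Keywords are matched
    case-insensitively and the first occurrence wins, as sshd itself does."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        seen.setdefault(key.lower(), value.strip())
    findings = []
    for key, want in REQUIRED.items():
        got = seen.get(key, SSHD_DEFAULTS[key])
        if got.lower() != want:
            findings.append(f"{key} is {got}, want {want}")
    return findings


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} hit the retry threshold at {when:%H:%M:%S}")
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG) or "ok")
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG) or "ok")
```

The third source in the sample (192.0.2.44) makes five failed attempts in total but only three of them fall inside any ten-minute window, so with the default thresholds it is not reported; raising findtime to an hour, or lowering maxretry, catches it, which is exactly the trade-off a fail2ban jail's findtime/maxretry pair expresses. The single failure from 198.51.100.9 followed by an accepted public-key login is the legitimate user mistyping once, and never reaches the threshold.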