Also change the port number, create a user acct with 'sudo' rights, use that acct for the ssh key, and then turn off root ssh access.
That's my routine, anyway.
Same, though usually I add in Fail2ban.
Using ed25519 for your keys is also easy and better.
For serious business, you need to fiddle with the ciphers and stuff too, that's where https://github.com/jtesta/ssh-audit/ comes in. https://www.sshaudit.com/hardening_guides.html
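The two comments above amount to a checklist for sshd_config: a non-default port, root login off, keys instead of passwords, an explicit allow-list for the sudo account, and (Tony's point) algorithm lists that ssh-audit will not complain about. The script below is an added example, not code from the post, the video or ssh-audit. It audits a config the way sshd actually reads it, which is where people get bitten: keywords are case-insensitive, `Key value` and `Key=value` are both accepted, the first occurrence of a keyword wins, and anything under a `Match` line only applies conditionally. Both config texts are constructed for the example, the user name is a placeholder, and the weak-algorithm sets are my assumption; cross-check them against the sshaudit.com hardening guide for your OpenSSH version.

```python
"""Audit an sshd_config against the thread's checklist (added example; the
config texts are constructed and the weak-algorithm sets are an assumption
to be checked against ssh-audit's current guide)."""
import re
from typing import Dict, List, Tuple

# Assumed subset of what ssh-audit's guides tell you to drop: CBC/RC4 ciphers,
# SHA-1 and NIST-curve key exchange, MD5/SHA-1/64-bit MACs.
WEAK_ALGOS = {
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
                "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1", "ecdh-sha2-nistp256",
                      "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "umac-64@openssh.com", "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
             "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com", "umac-64-etm@openssh.com"},
}

# Constructed: a stock-looking config with the usual gaps. The second
# PermitRootLogin and the Match block fix nothing; see parse_global().
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,3des-cbc,aes256-ctr
# too late: sshd keeps the first value it saw
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Constructed: the drop-in the comments amount to. The KEX/cipher/MAC lists
# are an assumption; confirm support with 'ssh -Q kex', 'ssh -Q cipher', 'ssh -Q mac'.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers tony
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
"""

_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:(?:\s*=\s*|\s+)(.*))?$")


def parse_global(text: str) -> Dict[str, str]:
    """Effective global directives (keyword lowercased), as sshd reads them:
    comments skipped, 'Key value' or 'Key=value', FIRST occurrence wins, and
    globals end at the first Match line. Include is not followed, so feed it
    'sshd -T' output (already flattened) when in doubt."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), (m.group(2) or "").strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def weak_entries(kind: str, value: str) -> List[str]:
    """Weak algorithms named in a Ciphers/KexAlgorithms/MACs value. A leading
    '+', '^' or '-' edits the compiled-in default rather than replacing it,
    and '-' only removes, so nothing it names is being enabled."""
    if value.startswith("-"):
        return []
    return [a for a in value.lstrip("+^").split(",") if a in WEAK_ALGOS[kind]]


def audit(text: str) -> List[Tuple[str, str]]:
    """(keyword, problem) pairs; an empty list means the checklist passes."""
    cfg = parse_global(text)
    out: List[Tuple[str, str]] = []
    if cfg.get("port", "22") == "22":
        out.append(("port", "listening on the default port 22"))
    root = cfg.get("permitrootlogin", "prohibit-password").lower()
    if root != "no":
        out.append(("permitrootlogin", f"root login not disabled (effective: {root})"))
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        out.append(("passwordauthentication", "password logins allowed; use keys only"))
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no":  # PAM keyboard-interactive still accepts passwords
        out.append(("kbdinteractiveauthentication", "keyboard-interactive auth still on"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        out.append(("allowusers", "no AllowUsers/AllowGroups; every local account may try"))
    for kind, name in (("kexalgorithms", "KexAlgorithms"), ("ciphers", "Ciphers"), ("macs", "MACs")):
        if kind not in cfg:
            out.append((kind, f"{name} unset; compiled-in default in use, run ssh-audit"))
        elif weak_entries(kind, cfg[kind]):
            out.append((kind, f"{name} enables: {','.join(weak_entries(kind, cfg[kind]))}"))
    return out


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text) or "checklist passes")
```

The most reliable input is `sshd -T`, which prints the effective configuration with Include resolved and first-match-wins already applied. On distributions whose stock file starts with `Include /etc/ssh/sshd_config.d/*.conf` the drop-in directory is read first, so a file there wins over the stock settings; on others, put the drop-in contents at the top of sshd_config. Validate with `sshd -t` and keep your current session open while you restart. The key pair Tony and the author mention is `ssh-keygen -t ed25519`. One caveat on the port: moving it cuts log noise and opportunistic scanning, which is what the comments are after, but it is not a control against anyone who bothers to port-scan you.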
Hi Tony, thanks for the comment. I also run fail2ban and these days prefer ed25519 keys over the default rsa-sha2-512. It's even a shorter line to copy and paste over IM ;-)
Cheers for mentioning ssh-audit, I'll have a look.
Thanks for the feedback. I tried to keep the video simple, but perhaps I should've covered more.
For the record, I too run sshd on a non-standard port, and turn off root login (that should be the default IMO).
Some people (not me) will take it a step further and toy with malicious login attempts by using an ssh tar pit. Endlessh is one example. It sends an endless ssh banner to requesters, thereby tying them up rather than letting them hit your real ssh server which you host on an alternate port.
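How a tarpit like Endlessh holds a client is worth seeing in code: before its real `SSH-2.0-...` identification string a server may send any number of other lines (RFC 4253, section 4.2), and a conforming client has to keep reading until it gets one. The tarpit simply never sends it. The script below is an added example, not Endlessh's code: a minimal asyncio server that drips such lines forever, plus a self-test that connects to it on a loopback port and reads a few. The delay, line length and client cap are assumed tunables, not Endlessh's defaults.

```python
"""Minimal SSH tarpit in the spirit of Endlessh (added example, not
Endlessh's code). Per RFC 4253 s.4.2 a server may send lines not starting
with "SSH-" before its identification string; we never send the real one."""
import asyncio
import random
from typing import List, Optional

# Assumed tunables: seconds between junk lines, max junk line length, and a
# cap on simultaneous victims so the tarpit cannot exhaust our own fds.
LINE_DELAY = 10.0
MAX_LINE_LEN = 32
MAX_CLIENTS = 256
_active = 0


def banner_line(rng: random.Random) -> bytes:
    """One valid pre-banner line: printable ASCII, CRLF terminated, far under
    the 255-byte limit, and never starting with 'SSH-'."""
    length = rng.randint(3, MAX_LINE_LEN)
    body = bytes(rng.randint(0x21, 0x7E) for _ in range(length))
    if body.startswith(b"SSH-"):
        body = b"x" + body[1:]
    return body + b"\r\n"


async def tarpit(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                 delay: float = LINE_DELAY, max_lines: Optional[int] = None) -> int:
    """Serve one victim: drip junk lines until it gives up (or, for the
    self-test, until max_lines). Returns the number of lines sent."""
    global _active
    if _active >= MAX_CLIENTS:  # shed load rather than run out of fds
        writer.close()
        return 0
    _active += 1
    rng, sent = random.Random(), 0
    try:
        while max_lines is None or sent < max_lines:
            writer.write(banner_line(rng))
            await writer.drain()  # raises once the peer has gone away
            sent += 1
            await asyncio.sleep(delay)
    except OSError:
        pass
    finally:
        _active -= 1
        writer.close()
    return sent


async def serve(host: str = "0.0.0.0", port: int = 2222) -> None:
    """Listen and tarpit every connection; the real sshd lives elsewhere."""
    server = await asyncio.start_server(tarpit, host, port)
    async with server:
        await server.serve_forever()


async def _probe(n_lines: int, delay: float) -> List[bytes]:
    """Self-test: tarpit on an ephemeral loopback port, connect as a client
    would, return the first n_lines pre-banner lines received."""
    async def handler(r, w):
        await tarpit(r, w, delay=delay, max_lines=n_lines)
    server = await asyncio.start_server(handler, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        lines = [await reader.readline() for _ in range(n_lines)]
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
    return lines


def probe(n_lines: int = 3, delay: float = 0.01) -> List[bytes]:
    return asyncio.run(_probe(n_lines, delay))


if __name__ == "__main__":
    asyncio.run(serve())
```

Try `ssh -p 2222 localhost -v` against it and watch the client sit there. The cost is asymmetric in the tarpit's favour (one small write every few seconds per victim) but it still holds a socket per scanner, hence the client cap; and, as the next comment says, whether you want bots to notice you are playing with them is a separate decision.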
I didn't know about Endlessh, thanks.
Nice.
In concept it's pretty funny. The reason I won't use it is because it potentially attracts a lot of angry attention by someone who already has malicious intent. I would prefer they just see my servers as no different from the thousands of other servers that they tried a few common passwords on and moved on from.