Post AwXU22S9xRcbmlhBSq by cjd@pkteerium.xyz
Post #AwXIZY2YL9OprCvjsW by jae@darkdork.dev
2025-07-26T20:18:10.372639Z
1 likes, 0 repeats
you have a *nix host on the internet, you're wanting to guard against bruteforce ssh attempts. do you..
at the end of the poll, i will explain how i am setup
Post #AwXLPzdfArqYQ3QKw4 by pwm@darkdork.dev
2025-07-26T20:50:05.470755Z
1 likes, 0 repeats
@jae I would fail2ban + key only (what I do for all my boxes). You can also crank the fail2ban rules to kick in after only one fail, and configure sshd with a very short grace period to authenticate, since you can't fat finger keyauth.
Nonstandard port is fine until it isn't, something like port knocking would be more useful there though imho. Super paranoid you could restrict ssh to only over the wireguard interface so long as you can reliably get into a recovery terminal. Though I think they've got about the same chance of rolling your wireguard key at random as they do your ssh key
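As an added example (not code from pwm or anyone else in the thread), a small POSIX sh audit that checks an sshd_config for the two settings described above, key-only authentication and a short LoginGraceTime; the function names, the 20-second grace threshold and the two sample configs are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from anyone in the thread): audit an sshd_config for the
# hardening pwm describes, key-only auth and a short LoginGraceTime. The
# 20-second threshold is this example's assumption; sshd's default is 120.
MAX_GRACE=20

# Effective value of a keyword: sshd takes the first occurrence, so stop at the
# first non-comment match (case-insensitive). Match blocks are not handled.
sshd_opt() {  # sshd_opt <keyword> <file>
    awk -v key="$1" '/^[[:space:]]*#/ { next }
                     tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Convert a LoginGraceTime value (plain seconds, "30s" or "2m") to seconds.
grace_seconds() {
    case $1 in
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# Print one finding per weak setting and return 0 only if there were none.
# Absent keywords are judged at sshd's documented defaults.
audit_sshd() {  # audit_sshd <file>
    rc=0
    pw=$(sshd_opt PasswordAuthentication "$1")
    [ "${pw:-yes}" = no ] || { echo "PasswordAuthentication=${pw:-yes (default)}: set to no"; rc=1; }
    kb=$(sshd_opt KbdInteractiveAuthentication "$1")
    [ "${kb:-yes}" = no ] || { echo "KbdInteractiveAuthentication=${kb:-yes (default)}: set to no"; rc=1; }
    pk=$(sshd_opt PubkeyAuthentication "$1")
    [ "${pk:-yes}" = yes ] || { echo "PubkeyAuthentication=$pk: key-only login needs yes"; rc=1; }
    g=$(sshd_opt LoginGraceTime "$1"); secs=$(grace_seconds "${g:-120}")
    [ "$secs" -le "$MAX_GRACE" ] || { echo "LoginGraceTime=${secs}s: keep it at or below ${MAX_GRACE}s"; rc=1; }
    return $rc
}

# Constructed sample configs: a stock-looking one and a hardened one.
sample_weak()     { printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'LoginGraceTime 2m'; }
sample_hardened() { printf '%s\n' 'Port 2222' 'PasswordAuthentication no' \
                    'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' 'LoginGraceTime 15s'; }

weak=$(mktemp); hard=$(mktemp)
sample_weak > "$weak"; sample_hardened > "$hard"
echo "== weak =="; audit_sshd "$weak" || echo "(not hardened)"
echo "== hardened =="; audit_sshd "$hard" && echo "(ok)"
rm -f "$weak" "$hard"
```

On a real host, point audit_sshd at /etc/ssh/sshd_config or, better, at the output of `sshd -T`, which already resolves defaults and Match blocks.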
Post #AwXMPmlx6vn4T9lYES by jae@darkdork.dev
2025-07-26T21:01:13.318943Z
2 likes, 0 repeats
@pwm first off, good analysis and shows you're thinking thoroughly
> I would fail2ban + key only (what I do for all my boxes). You can also crank the fail2ban rules to kick in after only one fail, and configure sshd with a very short grace period to authenticate, since you can't fat finger keyauth.
this is a frequent approach i see (and have used before). if it works and doesn't introduce complexity, keep it up. to note, fail2ban is great, but given that it's written in python it's not very fast at what it does, and taking into account a large-scale campaign, the box likely will tip over on the typical frantech special/lowend shxtbox. sshguard is in c, faster, but the focus is the ssh protocol/ports; it doesn't have fancy bells and whistles like fail2ban does.
> Nonstandard port is fine until it isn't, something like port knocking would be more useful there though imho.
knocking with say knockd would be pretty good, at least for obscurity. i wouldn't rely on it as a single defensive strategy though. let's say you have knocking setup. between stealth-scan, statistical analysis, and brute-guessing sequences it's possible to bypass. not trivial, but very doable.
> Super paranoid you could restrict ssh to only over the wireguard interface so long as you can reliably get into a recovery terminal. Though I think they've got about the same chance of rolling your wireguard key at random as they do your ssh key
likely the most sound solution. if they can't see your private key for wireguard, there's no way they're going to guess it. same with ssh key. all these things are only as secure as how well you hold onto them. i'd pushback against the thought of being super paranoid. this is 2025, it's almost impossible to be paranoid enough when running systems. let's see what others come up with
Post #AwXN37JafTJZTUFq8u by phnt@fluffytail.org
2025-07-26T21:08:21.974928Z
0 likes, 1 repeats
@jae @pwm
> but given that it's written in python it's not very fast at what it does and taking into account a large-scale campaign, the box likely will tip over on the typical frantech special/lowend shxtbox.
It's fine even on a :francisco: shitbox, just don't throw reverse proxy logs at it and you'll be fine. Depending on distro configuration, you might also encounter high CPU usage after a fail2ban or full system restart as it is a bit retarded and drops IPs one at a time. Changing the config to use an ipset fixes this. What I don't like about fail2ban is its complexity and usage of Python. There have already been RCE vulnerabilities in it and since it's running as root all the time, the attack surface is large. I never put it on logs that can be to a large extent manipulated from the outside like nginx/apache logs.
Post #AwXN7VL5Hy7x8t2sEa by kirby
2025-07-26T21:09:11.492572Z
1 likes, 0 repeats
@jae a and c, i have no need for extra options if I'm just setting up a hobby project
Post #AwXN9s49lGvoCxFvl2 by kirby
2025-07-26T21:09:37.155535Z
0 likes, 0 repeats
@jae plus you should probably allow only key auth but I'm assuming you don't want to do that for some reason
Post #AwXO8EFCQtCCMpCaUS by jae@darkdork.dev
2025-07-26T21:20:29.836609Z
1 likes, 0 repeats
@kirby i omitted key auth from the poll. if someone is using password auth they deserve whatever comes their way
Post #AwXOOiO485XgUHD6CO by jae@darkdork.dev
2025-07-26T21:23:26.351794Z
2 likes, 0 repeats
@phnt @pwm for many reasons you unpacked i won't use it anymore. ipset is a nice approach unless your ipset has massive amounts of /32 or /29 vs supernet cidr. i've seen it choke this way. then again someone was trying to use it as a way to deflect ddos slam time. wrong tool.
Post #AwXOnJo0ezQJUM4qrQ by pwm@darkdork.dev
2025-07-26T21:27:53.819938Z
0 likes, 0 repeats
@jae tyty, point taken, I don't have tons of experience designing for large scale targeted attacks so it shows in the analysis. I almost said something about being aware of file i/o since it's python, and you could maybe dos it easier than other stuff
> it's almost impossible to be paranoid enough when running systems.
Touché
Post #AwXOtfJpaTOJwqzJWS by jae@darkdork.dev
2025-07-26T21:29:02.129457Z
1 likes, 0 repeats
@pwm there's no right or wrong answer here. it's just to think openly about problems. :)
Post #AwXP1Ha7j2sUe4EzRo by phnt@fluffytail.org
2025-07-26T21:30:26.812086Z
0 likes, 1 repeats
@jae @pwm Main sshd ipset currently sitting at 1.2K banned individual IPs and applies within a few seconds. But I'm using firewalld, which is kinda exotic and very red hat brained. It's a stupid python wrapper around iptables/nftables, but I like it... until it breaks, falls over and drops all incoming connections after an interface got dropped by the kernel and reappeared later. Maybe the iptables ipset backend has performance issues.
Post #AwXPALHnK29AjxzHu4 by theorytoe@ak.kyaruc.moe
2025-07-26T21:31:51.873740Z
0 likes, 0 repeats
@jae i also usually disable password auth for ssh and go pure key-based authentication, though I have never heard of sshguard
Post #AwXPKbI8fWK3HD2Xjs by theorytoe@ak.kyaruc.moe
2025-07-26T21:33:47.207330Z
1 likes, 0 repeats
@jae shit I forgot to also mention that I have fail2ban and a nonstd port. I haven't had much issue with nonstandard ssh ports as long as i've been running my stuff
Post #AwXQAFEdv269vc1xq4 by mr64bit@p.mr64.net
2025-07-26T21:43:16.141956Z
2 likes, 0 repeats
@theorytoe @jae i know sshguard is open source, but why does its website look like it wants me to give it my email address to receive the product brochure and trial license?
Post #AwXQJrEa0cBGO0aKUC by theorytoe@ak.kyaruc.moe
2025-07-26T21:44:48.402423Z
0 likes, 0 repeats
@mr64bit @jae I LOVE CORPORATE WEBSITES :lfg: idk man devs are weird sometimes
Post #AwXQPJuQp6UYlglWe8 by cjd@pkteerium.xyz
2025-07-26T21:45:57.820969Z
0 likes, 0 repeats
(Disable password auth and stop worrying about internet background radiation)
Definitely don't install lock-me-out-of-my-machine.
Post #AwXQdyHBXKD61COWAq by mr64bit@p.mr64.net
2025-07-26T21:48:38.624015Z
1 likes, 0 repeats
@theorytoe @jae my coworkers and I got a good laugh last week because our NOC sent out an announcement saying they were restarting veeam. we're like "wtf is veeam", and after clicking around their website for 10 minutes we were still like "wtf is veeam"
Post #AwXRiWZy2apbWGumHY by jae@darkdork.dev
2025-07-26T22:00:37.847541Z
0 likes, 0 repeats
@theorytoe it's usually fine to shift the port up high. i've found mostly masscans and things like Censys might pick it up; otherwise it's rather quiet.
Post #AwXRpgVNXCygKcBNlw by jae@darkdork.dev
2025-07-26T22:01:56.489465Z
1 likes, 0 repeats
@cjd what does internet background radiation mean?
Post #AwXShpXEB67xyTrlDs by logical_map@mastodon.social
2025-07-26T22:09:33Z
0 likes, 0 repeats
@jae it has been 20 years, but back when I managed my *NIX host on the wild wild internet, i would listen on an alternate port and use portsentry to block anybody that came knocking on 22 or anything else but 80 and my SSH port. I ran my own host for a decade and never got hacked (OK... once I got hacked through PHP Nuke... yes... embarrassing... but never through SSH). To brute force, somebody would have to repeatedly get dropped on different IPs until they found my port.
Post #AwXSqfzB3E62xr9orw by jae@darkdork.dev
2025-07-26T22:13:18.927132Z
0 likes, 0 repeats
@logical_map haven't heard anyone mention portsentry since about 20+ years ago. brings back memories (thank you btw). i don't think any of this is embarrassing. even the most "secure" systems are designed by humans. logically speaking a human can destroy what a human creates. or so the legend goes :-)
Post #AwXU22S9xRcbmlhBSq by cjd@pkteerium.xyz
2025-07-26T22:26:34.336879Z
0 likes, 0 repeats
Random connection attempts, http wp-admin, etc etc etc. I call it the background radiation of the internet, because it's always there.
Post #AwXU8seulrl3R6vMDA by dcc@annihilation.social
2025-07-26T22:27:50.577981Z
0 likes, 1 repeats
@jae VPN
Post #AwXUAJUMVJCOw9fgcS by jae@darkdork.dev
2025-07-26T22:28:03.734701Z
1 likes, 0 repeats
@cjd oh i thought it was some fancy term. i dropped out of school at age 14. no formal education.
Post #AwXUI4cTfeUb8cASY4 by jae@darkdork.dev
2025-07-26T22:29:24.089967Z
2 likes, 1 repeats
@dcc can you be more specific?
Post #AwXUKptkrQuyLiZAie by dcc@annihilation.social
2025-07-26T22:30:01.033935Z
0 likes, 1 repeats
@jae You can't access ssh unless you ssh inside the network by connecting to the local vpn.
Post #AwXUQVPRwzpSXf5wLw by jae@darkdork.dev
2025-07-26T22:30:58.342793Z
0 likes, 0 repeats
@dcc that makes sense. saying vpn can mean many things.
Post #AwXWE4ac2ZibnKW1ZY by m0xEE@breloma.m0xee.net
2025-07-26T22:51:09.720936Z
0 likes, 0 repeats
@theorytoe @jae This: fail2ban + non-standard port — not disabling password authentication though, because you always happen to need remote access precisely when you don't have your shit on you.
Post #AwXWyjRQUEL9obT2P2 by ThatWouldBeTelling@shitposter.world
2025-07-26T22:59:38.827434Z
0 likes, 1 repeats
@mr64bit @theorytoe @jae :cirnoDoubt: While the site is the usual corporate hideous, right up front it clues you in offering "data resilience" that "restores your data anytime, anywhere." The Products item right away tells you it does backups ... which of course no one really cares about, just restores, thus I can forgive the failure to say "backup" until below the first screen full of front page text.