[HN Gopher] What You Get After Running an SSH Honeypot for 30 Days
___________________________________________________________________
What You Get After Running an SSH Honeypot for 30 Days
Author : SofianeHamlaoui
Score : 487 points
Date : 2024-06-16 04:52 UTC (18 hours ago)
(HTM) web link (blog.sofiane.cc)
(TXT) w3m dump (blog.sofiane.cc)
| poikroequ wrote:
| I once tried hosting a web server at home by exposing ports 80
| and 443 to the Internet. Hours later I reviewed the logs,
| thousands of attempts to hack into my lil Linux server. It
| spooked me to say the least, so I switched to using cloudflare
| tunnels instead.
|
| Exposing ports on the Internet is dangerous, especially SSH.
| You're much safer using a proxy or gateway of some sort, or
| better yet a VPN if it doesn't need to be publicly accessible.
| INTPenis wrote:
| I noticed earlier this year while deploying a CoreOS VPS with
| terraform that sometimes you'd get an interesting IP that would
| receive incoming HTTP requests for interesting domains such as
| theguardian.com. I of course destroyed and re-deployed the VPS
| several times so the interesting IPs are lost to me, but it
| might be worth running a HTTP honeypot as well as an SSH one.
| aadhavans wrote:
| Out of curiosity, what are the ramifications of exposing ports
| 80 and 443? Can these ports even be 'hacked'?
|
| It doesn't seem terribly unsafe to me, especially if you're
| serving static pages.
| koito17 wrote:
| In my experience, most of the noise on my web server are bots
| with spoofed iPhone or Google Chrome user-agents. I see three
| kinds of traffic patterns.
|
| 1. bogus /wp-login.php requests, or endpoints of presumably
| insecure wordpress plugins. These bots are pretty dumb and do
| it non-stop, even if the server constantly responds with a
| 404
|
| 2. testing recent Apache vulnerabilities by POST-ing to
| something like /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh . Even if
| your web server clearly communicates that it's not Apache,
| the bots still insist on testing Apache vulnerabilities. They
| also occasionally test vulnerabilities that exist in ancient
| Nginx versions.
|
| 3. less common, but bots that exist to scrape _something_
| from the internet. I remember two years ago seeing a bot
| whose sole purpose was to document as many registered, valid
| domain names as possible (I found out about this since they
| linked a website explaining who they were in their user-agent
| string)
|
| Overall, I would say the background noise of HTTP servers is
| tame compared to what you see for SMTP servers and, to some
| extent, SSH servers. I happen to also self-host e-mail; logs
| record failed login attempts about every second. They always
| pick a username like "admin" or "adm". There's also people
| who try using your SMTP server as a relay for spam.
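The three traffic patterns described above, turned into a small classifier. This is an added example, not code from the thread or from the honeypot post; the five nginx-style access-log lines it runs over are constructed (documentation address ranges, an invented crawler URL). It percent-decodes the request path before matching, so that the `.%2e` segments of the second pattern are seen as `..`.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2024:04:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"
203.0.113.7 - - [16/Jun/2024:04:10:02 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"
198.51.100.23 - - [16/Jun/2024:04:11:09 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
192.0.2.55 - - [16/Jun/2024:04:12:30 +0000] "GET / HTTP/1.1" 200 4012 "-" "DomainIndexBot/1.0 (+https://example.invalid/about-our-crawler)"
192.0.2.90 - - [16/Jun/2024:04:13:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
"""

# nginx/Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Pattern 1: WordPress login / plugin probing on a site that serves no PHP.
WP_PATHS = re.compile(r'^/(wp-login\.php|xmlrpc\.php|wp-admin|wp-content/plugins)', re.I)
# Pattern 3: scrapers that announce themselves with a URL in the user-agent.
URL_IN_UA = re.compile(r'https?://\S+')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path):
    """Percent-decode repeatedly so ".%2e" and double-encoded "%252e" both become ".."."""
    for _ in range(3):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path


def classify(entry):
    """Map a parsed request to one of the three patterns from the comment, or 'other'."""
    path = decode_path(entry["path"])
    if WP_PATHS.match(path):
        return "wordpress_probe"
    # Pattern 2: traversal attempts aimed at CGI handlers, regardless of what server we run.
    if "../" in path or "/bin/sh" in path:
        return "path_traversal_probe"
    if URL_IN_UA.search(entry["ua"]):
        return "self_identifying_scraper"
    return "other"


def summarize(log_text):
    """Count requests per category; unparseable lines are counted separately."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts[classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:25s} {n}")
```

The decode loop matters more than it looks: a single `unquote` call is enough for `.%2e`, but scanners also send `%252e`, which only becomes `..` on the second pass, so a matcher that decodes once will miss it.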
| aadhavans wrote:
| Gotcha, thanks for the detailed response. I've seen the
| WordPress login attempts in my own web server logs, and
| that seems to be corroborated in your comment.
| fpoling wrote:
| For me the biggest source of noise in logs for a small site
| is the referrer spam. At some point like 12 years ago I
| enabled webalizer stats with a public link to the stats
| page. Soon I had to deal with a massive amount of bot
| requests with http referrer pointing to porn and pharmacy
| ads. That has not stopped after the public link was removed
| and the stats started to use a public spam database.
| And the spam is still there after 12 years.
| tombrossman wrote:
| Matomo (self-hosted analytics, used to be called Piwik)
| maintain a list of referrer spam domains. I use it as a
| filter list with GoAccess and haven't seen referrer spam
| for a long time. Worth a look. https://github.com/matomo-
| org/referrer-spam-list
| hyperman1 wrote:
| I've added a /wp-login.php and friends that firewall-blocks
| the IP of the requester for a week. It greatly cuts down
| the bot noise.
| immibis wrote:
| My competing site can have <img
| src="https://yourdomain/wp-login.php"> and customers
| won't be able to view your site after that. Thanks for
| the free customers!
| sweetjuly wrote:
| Yep :) The real trick is to not be vulnerable to known
| issues, and then mitigate post-compromise like crazy on
| the off chance you get patch gapped or (very unlikely)
| zero dayed.
|
| Blocking IP addresses is extremely silly, especially in
| an IPv6 world where attacker can easily get access to
| gigantic numbers of addresses in hard to identify ways
| (there's no source of truth for what IPv6 range
| corresponds to one blockable "customer". Some get /56s,
| others get /48s, etc.). It's security theater which may
| well just break your service for real users.
| Beijinger wrote:
| Can you post the script?
|
| Obviously I assume you don't run wp. I think wordfence
| does something similar.
| DEADMINCE wrote:
| It's probably just an nginx fail2ban jail or something
| that looks for the wp pattern.
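What a trap-and-ban endpoint like the one hyperman1 describes has to get right, given the two objections raised in this subthread: only POSTs to the trap count (an `<img>` tag can only make a visitor's browser send a GET; a page that auto-submits a form can still forge a POST, so the threshold and the ban expiry are what bound the collateral damage), and IPv6 clients are aggregated to a /64 rather than banned one address at a time. This is an added example in Python, not the commenter's script or a fail2ban jail; the trap paths, threshold, window, ban length and the /64 choice are assumptions, and the sample traffic is constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRAP_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # assumed: paths this site never serves
THRESHOLD = 3                                  # trap POSTs from one client ...
WINDOW = timedelta(minutes=10)                 # ... within this window trigger a ban
BAN_DURATION = timedelta(days=7)               # the comment's week; shorter limits collateral damage


def ban_key(ip_text):
    """Normalize a client address to the unit that gets banned.

    IPv4: the single address. IPv6: the /64 (assumed), since single
    IPv6 addresses are free to rotate and there is no reliable
    source for how large a given customer's allocation really is.
    """
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class TrapBanList:
    def __init__(self):
        self.hits = defaultdict(deque)  # ban key -> timestamps of recent trap POSTs
        self.bans = {}                  # ban key -> expiry time

    def is_banned(self, ip_text, now):
        """True while a ban is active; expired bans are dropped lazily."""
        key = ban_key(ip_text)
        expiry = self.bans.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[key]
            return False
        return True

    def observe(self, ip_text, method, path, now):
        """Feed one request; return True if this request triggered a new ban.

        GETs never count, so a third-party page embedding the trap URL in an
        <img> tag cannot get its visitors banned here.
        """
        if path not in TRAP_PATHS or method != "POST":
            return False
        key = ban_key(ip_text)
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD and key not in self.bans:
            self.bans[key] = now + BAN_DURATION
            q.clear()
            return True
        return False


def demo():
    """Run constructed traffic through the ban list and report what happened."""
    bl = TrapBanList()
    t0 = datetime(2024, 6, 16, 4, 0, 0)
    events = [  # (client, method, path, time) -- constructed, documentation ranges only
        ("203.0.113.7", "POST", "/wp-login.php", t0),
        ("203.0.113.7", "POST", "/wp-login.php", t0 + timedelta(seconds=2)),
        ("203.0.113.7", "POST", "/wp-login.php", t0 + timedelta(seconds=4)),
        ("192.0.2.90", "GET", "/wp-login.php", t0 + timedelta(minutes=1)),   # <img src> visitor
        ("2001:db8:1:2::10", "POST", "/xmlrpc.php", t0 + timedelta(minutes=2)),
        ("2001:db8:1:2::20", "POST", "/xmlrpc.php", t0 + timedelta(minutes=2)),
        ("2001:db8:1:2::30", "POST", "/xmlrpc.php", t0 + timedelta(minutes=2)),
    ]
    triggered = [ip for ip, m, p, ts in events if bl.observe(ip, m, p, ts)]
    later = t0 + timedelta(minutes=5)
    return {
        "triggered": triggered,
        "ipv6_sibling_banned": bl.is_banned("2001:db8:1:2::ffff", later),
        "img_victim_banned": bl.is_banned("192.0.2.90", later),
        "banned_after_8_days": bl.is_banned("203.0.113.7", t0 + timedelta(days=8)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Three addresses from one /64 count as one client and share a ban, while the GET from the embedded-image visitor never reaches the counter; whether a week is the right expiry, or /64 the right granularity, is exactly the judgement call the replies above disagree on, so both are single constants here.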
| DEADMINCE wrote:
| > testing recent Apache vulnerabilities by POST-ing to
| something like /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh .
|
| Are they really _recent_ vulns though?
| chipdart wrote:
| > Out of curiosity, what are the ramifications of exposing
| ports 80 and 443? Can these ports even be 'hacked'?
|
| These are the ports usually employed to serve HTTP and HTTPS
| traffic, which means public-facing servers.
|
| Having a server listening to those ports is the precondition
| to have web servers running specific types of services, some
| of which have known vulnerabilities that can be and are
| exploited.
| ValtteriL wrote:
| Ports can't be hacked but the application listening on them
| can ;)
|
| You can have vulnerabilities on the server software and its
| configuration even if you are serving only static content.
| This should be unlikely if you use up-to-date battle-tested
| software like nginx without making crazy config changes.
|
| If you serve dynamic content, that may also have
| vulnerabilities that hackers can exploit.
| ozim wrote:
| 99.9999% of issues on 80/443 are apps run on the server not
| webserver itself.
|
| It is applications that you run on web server that are
| exploited.
|
| So serving static pages is safest thing you can do.
| e12e wrote:
| https://arstechnica.com/security/2024/06/thousands-of-
| server...
| mikhmha wrote:
| Yeah this is what keeps me away from self-hosting public facing
| stuff. To me its like opening a new pipe into your home that is
| open to the whole world. And I'm too carefree to get the
| settings down right. So I avoid it all with complete process
| isolation. Don't shit where you sleep!
| sureglymop wrote:
| But couldn't, you, within your home, separate it from
| everything else? I don't see how it's any more dangerous
| really.
| mikhmha wrote:
| I should clarify. When I mean self host it's for public
| facing applications that generate revenue. It involves some
| transaction in currency?value? between the user. Once money
| is involved you become a target. I don't want anything that
| could be traced to my physical address. I told you I'm
| careless, I'll eventually slip up on installing the patches
| or configuring something right.
|
| Public facing like serving some static webpages or blog,
| text content. Yeah do it.
| Nux wrote:
| Obviously you need to know how and if you don't then it's
| always going to look very daunting.
| waingake wrote:
| Is it? If you've got `PasswordAuthentication` disabled, only
| allow public key logins and keep your system up to date. Honest
| question.
|
| I self host my email ( docker-mailserver ) and host my personal
| website on an old laptop with a static IP. Have done for years
| now without issue.
| pkrotich wrote:
| The keyword is diligently keeping your system up to date!
| That said you'll still have exposure to zero day
| vulnerabilities and DOS attacks.
| kristopolous wrote:
| https://wiki.debian.org/UnattendedUpgrades Most distros
| have something like this.
| Beijinger wrote:
| This reminded me of:
|
| https://github.com/ajgon/self-hosted-
| mailserver/blob/master/...
| Fabricio20 wrote:
| But an attacker with one of the biggest vulnerabilities on
| earth (hell, ssh noauth 0day) would very likely use it
| against big cloud providers and infrastructure (isps and
| others) and not burn it on your home server! Keeping it
| reasonably up to date with your distro's cycle is probably
| enough for most people doing this home server thing.
|
| So of course, as things always are with security this is a
| matter of risk assessment and understanding your attack
| surface, a server with only public key and maybe on a
| special port goes a very long way, add fail2ban on top and
| I'd say it's probably fine for quite a while.
|
| But that does make me think... what if... a wormable noauth
| 0day like that on ssh or some other popular system... how
| fast could it replicate itself to form the biggest botnet..
| how long would it take, to take over all visible linux
| servers on the internet (so that your little home box ends
| up being a target)?
|
| I guess at that point you are limited by bandwidth, but
| since you can scale that with every compromised server...
| hope someone does the math on that one day!
| rcxdude wrote:
| Ipv4 is only 4 billion addresses. It doesn't actually
| take very long to just try all of them. If you're running
| a service exposed to the internet and it has a published
| exploitable vulnerability, it's just a matter of time
| before it gets exploited. (that said, that time does give
| a little buffer for patching)
| Beijinger wrote:
| "I self host my email "
|
| Is this still possible? Are your emails getting delivered?
|
| Downvoted. I don't know when the downvoter tried the last
| time to "host their own email". Yes, DMARC, DKIM and SPF.
| Good luck trying to get your email delivered to t-online or
| something.
|
| https://forum.hestiacp.com/t/t-online-curious-story-about-
| th...
|
| They may even check if your domain has an "imprint". I kid
| you not. I use my own domains too, but I piggyback with
| infomaniak.com
| johnklos wrote:
| > Good luck trying to get your email delivered to t-online
| or something.
|
| People who say it cannot (or should not) be done should not
| interrupt those who are doing it.
|
| The dismissiveness is likely why you are downvoted, I'm
| guessing. The suggestion that because it's hard for you and
| therefore you're surprised others are doing it isn't a good
| look.
|
| Self hosting email isn't that hard, and there are many
| solutions for all sorts of self hosting issues. That's a
| topic for another discussion, though.
| Beijinger wrote:
| "Self hosting email isn't that hard". Self hosting is
| super easy. Getting your emails delivered is hard. And I
| am not even talking SPAM folder here (see t-online
| example).
|
| Smart comment from reddit:
|
| "The problem with selfhosting email, unlike selfhosting
| services like Jellyfin or Nextcloud, is that you rely on
| other people's servers to play ball with you, but they
| often don't. Or they play for a while and then suddenly
| decide not to without telling you. It's unpredictable and
| we selfhosters don't have enough control over that."
|
| This describes it pretty well.
| pja wrote:
| > Is this still possible? Are your emails getting
| delivered?
|
| Mine are. Although it probably helps to have a static IP
| with a 25 year long clean history.
|
| Are there very occasional glitches? Sure. But I've seen
| ISPs drop everything from GMail on the floor for no obvious
| reason. I've seen _GMail_ drop GMail email before. Same for
| every other large email provider.
|
| To date I haven't seen any reason strong enough to push me
| to switch to a centralised email host. That day may yet
| come of course.
| cherryteastain wrote:
| I do it too and can deliver to gmail/office365 etc
| addresses no problem.
| gsich wrote:
| yes and yes.
|
| Selfhost does not imply residential IP.
| hggh wrote:
| > Is this still possible? Are your emails getting
| delivered?
|
| Yes and yes (if DMARC/DKIM/SPF configured correctly).
| A1kmm wrote:
| I self-host my email, and have not really had problems
| delivering normal quantities of personal email (except a
| bit of pain for Microsoft to accept mail in the first
| place, but it can be sorted quickly) - as long as you do
| DMARC / DKIM / SPF.
|
| I've never heard of t-online before or tried to send an
| email there to my knowledge... if one provider I've never
| heard of would refuse to accept my mail if I ever sent
| something to them, that's more of a them problem than a me
| problem - but it certainly isn't the norm for other
| providers.
| Beijinger wrote:
| "PasswordAuthentication disabled" not sure I can even do this
| on my shared BSD server. I have ssh access via pw and need
| it. Is this really dangerous?
| johnklos wrote:
| It is, if for no other reason than you never know when some
| other user has a guessable password. You should switch
| everyone to ssh keys. It's a good excuse to learn :)
| Scramblejams wrote:
| Yes, it's risky to accept password auth if someone sharing
| the box with you has a poor password. They could do things
| like:
|
| . Install a spam or brute force password bot, which could
| get the machine kicked off its internet connection (in
| addition to whatever havoc it causes first)
|
| . DoS the server by filling up the disk or using too much
| RAM (are quotas enforced?)
|
| . Exploit a local vuln to get root, if such exists on that
| box. (Is the kernel promptly patched and the box rebooted?)
|
| . Explore other users' directories (are permissions locked
| down correctly across users?)
|
| ...and more thrilling possibilities!
|
| Embrace key auth. Future you will thank you.
| sneak wrote:
| Yes. Authenticating with passwords is obsolete and
| dangerous. Use keys and disable password auth.
| tpoacher wrote:
| And if you really like passwords, you could always enable
| both, too!
| fragmede wrote:
| How good is your password? If it's long, with special
| characters, it's fine. Install fail2ban. The problem with
| auth keys is you can't get into the server if you don't
| have your laptop/phone/NFC device because you got
| pickpocketed/mugged?
| kristopolous wrote:
| I've been doing it for 25 years. It's fine.
| Hendrikto wrote:
| "Works for me." does not really answer the question.
|
| Having a 25 year history might be why your mail gets
| delivered, while many people trying to self-host have
| constant and unpredictable deliverability issues.
| kristopolous wrote:
| It's more an advocacy against security paranoia.
|
| You will always get automated attacks, constantly. But
| they're almost all doing stuff like trying to exploit a 12
| year old bug in Wordpress or IIS.
|
| They're about as sophisticated as any other scammer on the
| net.
| nurettin wrote:
| Don't worry, they are usually Russian/Chinese ips scanning for
| 5 year old php exploits. I've been exposing ports to the
| internet for decades with no issues. Always block ssh password
| and keep software relatively up to date. If you are very
| paranoid, make a vps beacon and remotely tunnel ports from your
| lab to it. That way you only expose the beacon.
| zelphirkalt wrote:
| I wonder, what is the issue with authenticating by password.
| If you choose a password of let's say 64 random chars,
| shouldn't it be pretty safe? Or is there something in the
| password method itself, that is inherently weak?
| cess11 wrote:
| Sure, they probably won't crack that, but there are other
| things to consider as well. A sshd on IPv4 port 22 that
| accepts password auth attracts attention, and you'll spend
| CPU cycles constantly checking credentials from very large
| database dumps that float around. In my experience it leads
| to more log noise too, it seems many bots will discard your
| IP and stop pestering it if passwords aren't accepted.
|
| So in practice you'll probably also use something like
| fail2ban, firewall rules that only allow connections from
| certain IP blocks, things like that.
| KAMSPioneer wrote:
| There are still advantages to public key auth. Sibling
| comment mentioned resource use, but also consider ease of
| use: are you setting a random 64-character password on
| every machine that has SSH server installed? Would it not
| be easier to generate one ed25519 keypair, apply a
| reasonable passphrase (and/or use disk encryption), and
| then you have secure auth on all your machines without a
| password manager?
|
| If you're _not_ setting unique 64-character passwords per
| server, then you should consider what happens if your super
| strong password is discovered -- an attacker would have
| access to all your boxes. Compromising a key is harder than
| compromising a password.
| denton-scratch wrote:
| > Or is there something in the password method itself, that
| is inherently weak?
|
| Your 64-character high-entropy password might be safe;
| other users on your system might baulk at memorising/typing
| in 64 random chars, and choose a less-secure password
| instead. With SSH keys, that can't happen.
| a_dabbler wrote:
| The first benefit is some bots won't bother testing
| passwords as the SSH error message tells them the server
| doesn't use password auth. The second benefit is if your
| server is compromised it's quite easy for a rootkit to
| hijack SSH and steal your password when you login (and then
| abuse that on other servers you use it), the same is not
| true with a key and it is much harder for a rootkit to
| abuse as long as you only use the key on your local machine
| (there are strong protections against SSH handshake MITM
| attacks afaik)
| Hendrikto wrote:
| > Or is there something in the password method itself, that
| is inherently weak?
|
| You have to send your password/hash. With PKC, your private
| key never leaves your device. It can even live on a
| separate security key. All you ever send are signed
| messages, never your key.
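The end state this subthread recommends, as an audit of an sshd_config. This is an added example, not from the thread: the two config fragments are constructed (the first is the password-accepting setup the question asks about, the second the key-only setup the replies argue for), the values assumed when a directive is absent are OpenSSH's documented defaults, and the audit deliberately stops at the first `Match` block, whose directives only apply conditionally.

```python
import re

# Constructed sshd_config fragments, not taken from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no   # the second door passwords come through
PubkeyAuthentication yes
AuthenticationMethods publickey
"""

# (directive, acceptable values, OpenSSH default when absent, why it matters)
CHECKS = [
    ("PasswordAuthentication", {"no"}, "yes",
     "a password is sent to the server, so a compromised host can capture and reuse it"),
    ("KbdInteractiveAuthentication", {"no"}, "yes",
     "keyboard-interactive normally falls back to the same password prompt"),
    ("PubkeyAuthentication", {"yes"}, "yes",
     "key auth must stay on or nobody can log in once passwords are off"),
    ("PermitRootLogin", {"no", "prohibit-password"}, "prohibit-password",
     "root must not be reachable with a guessable password"),
]

# Older releases spell the keyboard-interactive switch differently; treat it as the same knob.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {lowercased directive: lowercased value} for the global section.

    Mirrors sshd's own rules: '#' starts a comment, keywords are case-insensitive,
    'key value' and 'key=value' are both accepted, and the FIRST occurrence of a
    directive wins. Everything after a Match line is conditional and is skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """List the directives whose effective value (explicit or default) is unsafe."""
    settings = parse_sshd_config(text)
    for old, new in ALIASES.items():
        if old in settings and new not in settings:
            settings[new] = settings[old]
    findings = []
    for directive, ok_values, default, reason in CHECKS:
        value = settings.get(directive.lower(), default)
        if value not in ok_values:
            want = " or ".join(sorted(ok_values))
            findings.append(f"{directive} is '{value}' (want {want}): {reason}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

The weak fragment produces three findings, not one: besides `PasswordAuthentication`, the absent `KbdInteractiveAuthentication` defaults to yes and still lets a password through, and `PermitRootLogin yes` exposes the one account every scanner tries first. On a shared host like the one asked about above, only the administrator can change these; the audit just tells you where you stand.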
| chipdart wrote:
| > I once tried hosting a web server at home by exposing ports
| 80 and 443 to the Internet. Hours later I reviewed the logs,
| thousands of attempts to hack into my lil Linux server. It
| spooked me to say the least, so I switched to using cloudflare
| tunnels instead.
|
| Isn't this hypothetical risk mitigated or outright eliminated
| by using stateless apps and periodically redeploying them in
| the spirit of cattle?
| metadat wrote:
| Depends. If they get into the stateless app and hoist that to
| penetrate into other stuff in your network, they might be
| able to install an APT.
| chipdart wrote:
| > (...) they might be able to install an APT.
|
| As you're periodically doing clean redeployments, that's
| not a concern, is it?
| immibis wrote:
| Clean deployments of your entire home network?
| spc476 wrote:
| I checked the logs for May for one website I run---65% of
| failed requests were for PHP scripts (mostly Wordpress). I
| don't run PHP so I don't worry. The rest of the requests were
| bots that can't parse HTML [1] and other weird requests. I've
| been running a webserver, SMTP, SSH and DNS for over 25 years
| and only once had an issue due to an inside job [2] twenty
| years ago (hard to protect against those).
|
| [1] https://boston.conman.org/2019/07/09.1
|
| [2] https://boston.conman.org/2004/09/19.1
| JackSlateur wrote:
| Everything on the internet is doing exactly these "dangerous
| things", with the exact same means you have at your disposal.
|
| Exposing a service is not dangerous.
|
| It is the same thing when you go to the sub and many people ask
| you for money : they keep asking, but that will not lead you to
| your bank account.
|
| So you have logs. This is not an issue, this is not something
| to be scared of or even cared about.
|
| Just ignore them, as they are worthless and part of the v4
| internet.
| DEADMINCE wrote:
| The traffic doesn't matter if you are sure your setup is
| secure. Key auth only for SSH, reverse proxy in front of your
| actual web server and use secured containers or VMs for each
| service. Throw in fail2ban or crowdsec and that's more than
| enough for a little home linux server.
| danielovichdk wrote:
| I am not sure why this should keep anyone from hosting their own
| servers and services.
|
| I find it positive to know that whatever and whomever expose
| anything on the Internet someone will try to exploit it.
|
| For 443 and 80, why the concern ? Outsiders can try all they want
| but if you are certain the software you use is secure, there will
| be no cigar.
|
| I'd much rather have these things out in the open than hiding
| things away with some obscure thought about that should help
| anything.
|
| If something is difficult do more of it. The same goes for
| understanding security.
| tjoff wrote:
| > _if you are certain the software you use is secure_
|
| The entirety of the problem is that you can't be certain the
| software you use is secure.
| danielovichdk wrote:
| Exactly. And to overcome this you as a user of that software
| have to be aware of that specific software.
|
| Most people don't give a shit, they pull down or introduce
| dependencies and think "wauw that was easy and fast".
|
| Of course there is secure software, otherwise we wouldn't be
| able to live as we do.
| lazide wrote:
| As history has shown repeatedly, there is no secure
| software - just software that folks have not yet discovered
| how to exploit widely and effectively.
| hollerith wrote:
| That gives the misleading impression that it is
| impossible to create and maintain a truly secure software
| system.
| lazide wrote:
| I have yet to find any such system - given enough time
| and exposure.
|
| What makes you think such a thing is possible? In
| reality, not theoretically.
|
| I also have yet to find an unpickable lock, given the
| same constraint. Locks still have utility.
|
| But only fools protect something very valuable with just
| a lock.
| hollerith wrote:
| >What makes you think such a thing is possible?
|
| The main source of my confidence is extrapolation from
| the results of successful initiatives to improve
| security. Rust is one such initiative: at relatively low
| cost, it drastically improves the security of "systems
| software" (defined for our purposes as software in which
| the programmer needs more control over resources such as
| compute time and latency than is possible using automatic
| memory management). Another data point is how much Google
| managed to improve the security of desktop Linux with
| ChromeOS.
|
| There's also the fact that even though Russia has enough
| money to employ many crackers, Starlink's web site
| continued operating as usual after Musk angered Russia by
| giving Starlink terminals to Ukraine -- and how little
| damage Russia has managed to do to Ukraine's computing
| infrastructure. (It is not credible to think that Russia
| has the ability to inflict devastating damage via
| cracking, but is reserving the capability for a more
| serious crisis: Russia considers the Ukrainian war to be
| extremely serious.)
|
| Sufficiently well-funded organizations with sufficiently
| competent security experts can create and maintain a
| software-based system that is central to the
| organization's process for delivering on the
| organization's mission such that not even well-funded
| expert adversaries can use vulnerabilities in that system
| to prevent the organization from delivering on its
| mission.
| lazide wrote:
| 'Secure' == unable to be compromised.
|
| You seem to be saying 'secure' == 'compromises are able
| to be fixed'.
|
| Which doesn't fit any definition of secure I'm aware of.
|
| Every one of those things you mention has been
| compromised, and then fixed, at various times. Depending
| on specific definitions of course.
|
| And that is what we see publicly. Typically figure on an
| order of magnitude more 'stealth' compromises.
|
| For a compromise to be fixed, someone has to _notice it_.
| Exposing machines to the Internet increases attack
| surface dramatically. Allowing machines to talk to the
| Internet unmonitored and unrestricted increases their
| value to attackers dramatically.
|
| Without careful monitoring, many of the resulting
| compromises will go undetected. And hence unfixed.
|
| [https://www.cvedetails.com/vulnerability-
| list/vendor_id-1902...]
|
| [https://www.cvedetails.com/product/47/Linux-Linux-
| Kernel.htm...]
|
| [https://purplesec.us/security-insights/space-x-starlink-
| dish...]
|
| [https://www.pcmag.com/news/account-hacking-over-
| starlink-spa...]
| hollerith wrote:
| You made a universal statement, namely, "there is no
| secure software".
|
| If you had written, "99% of software used in anger is
| insecure," or, "most leaders of most organizations don't
| realize how insecure the software is that their
| organizations depend on," or, "most exploits go
| undetected", I would not have objected.
| lazide wrote:
| That is quite explicitly not what I wrote. You might want
| to re-read my comment.
|
| My point not only stands, but is reinforced by your
| comments.
|
| If software is eventually compromised, it was not secure.
| I have yet to see any software that does not eventually
| get compromised when it gets enough exposure.
|
| That those compromises can get fixed after the fact
| doesn't change that.
|
| And ignoring the explicit cases where your examples were
| disproven doesn't help your case either.
| hollerith wrote:
| I find it obnoxious to correspond with you.
| kjkjadksj wrote:
| Is that impression not accurate? Everything is possible
| to exploit imo. It's why the US government spends a
| mountain on cyber defense and offense.
| oopsallmagic wrote:
| Better pack it in then, y'all, we're done writing
| software. If it can't be absolutely 100% perfect all the
| time, then why even bother?
| oopsallmagic wrote:
| Then why bother? I'm sorry, but where did this meek,
| defeatist attitude come from? It pervades software now.
| Sure, you're right, I guess I could get hit by a bus
| today, but that won't stop me from crossing the street,
| because there are a lot of things I can do to minimize my
| risk, like looking both ways, listening, and crossing at
| a signal. Software is similar. "Nothing means anything,
| all is chaos" might poll well on Reddit, but it's not
| good engineering.
| kloop wrote:
| > Then why bother?
|
| Because software is fun, and I get to work with cool
| things. There is a joy in programming in and of itself.
|
| I guess your question doesn't make sense to me. Just
| because it will eventually be broken, does that
| automatically mean there's no value in software? I don't
| think that's true, it just probably means you should have
| an analog backup process if possible, especially for
| critical things like government services.
| lazide wrote:
| Who says it's defeatist? It's realism. You might as well
| say noting mild steel only has a 60-80kpsi yield strength
| 'defeatist'.
|
| That attitude allows practical risk management and
| effective engineering. Pretending software can be secure
| or mild steel has infinite yield strength cannot.
|
| There is no lock that can't be picked either, which is
| why no one leaves millions in cash protected just by a
| lock without guards and a surveillance system. And why
| they insure large amounts of cash.
|
| At this point it should be pretty obvious - don't put
| important secrets on computers without a way to
| expire/revoke them. If it's a secret that can't be
| expired/revoked, think long and hard about if you need it
| on a computer - and if you do, use a SCIF.
|
| Monitor any connected computer systems for compromise.
| Use encryption extensively, preferably with hardware
| protection, because software is insecure, etc.
|
| Same with controlling dangerous equipment - don't rely on
| pure software or someone will get killed. Use hardware
| interlocks. Use multiple systems with cross checking.
| Don't connect it to the internet. Etc.
|
| This is all industry best practice for decades now.
| wruza wrote:
| But the initial dialog was more like Q:
| this is good steel still, why not use it? A: steel
| is never ideal, that's the problem.
|
| Oh really.
|
| Risk manage us nginx please. At least write out the
| steps, you must have a checklist or something, right?
|
| Let's be honest, we just apt install it and read
| vulnerability reports when they hit /news.
| oopsallmagic wrote:
| Exactly. I don't believe that the argument that some
| software somewhere at some point could have some vague
| security flaw in it is usually good enough to justify not
| running the kinds of software most of us here work on.
| It's solipsistic, and honestly seems a little in bad
| faith.
|
| But it's also moot: if you're that afraid of vague
| security threats, then just don't expose your software to
| the internet. It's not difficult.
| lazide wrote:
| Literally never said that. Speaking of bad faith.
|
| _the whole point in context was that exposing software
| to the internet is high risk, no matter how secure you
| think it is, because no software is truly ever secure
| given enough exposure_.
|
| Talk about exhausting bullshit. But then what to expect
| from a green throw away?
| oopsallmagic wrote:
| > Who said it's defeatist?
|
| Uh, me, I did. I thought I was pretty clear. Please refer
| to my previous comment.
|
| > It's realism.
|
| Okay. How are you going to change your behavior?
|
| I'm not sure what point you're trying to make. If you
| want to put your recipe website behind a SCIF, be my
| guest. Some of us aren't quite so afraid.
| lazide wrote:
| Haha, pot calling kettle black. I don't need to do a damn
| thing different. Cars are still dangerous 100 years after
| they were invented, and the world still turns.
|
| You're the one trying to turn this into some kind of
| existential emergency. What are _you_ going to do
| differently?
| quaintdev wrote:
| Come on, the web servers like Nginx, Caddy are not secure? If
| they found a zero day in these applications the whole Internet
| will go up in flames.
| robertlagrant wrote:
| The whole internet keeps patching those flaws as they are
| found. The problem with self-hosting is patching.
| wruza wrote:
| This is a non-problem since the invention of unattended
| updates. This whole subthread spreads uncertainty and
| doubt over simple things like nginx or ssh. Service
| providers don't patch their software by hand either.
|
| 20 years ago, when I was still young and naive, I took
| these concerns way too seriously, remapped ports, believed
| in pwn, set up fail2ban and knocking, rotated logs. Later
| I realized it was all just FUD, even back then. You run
| on 22, 80 and 443 like a chad, use pw-based auth if
| you're lazy, ignore login attempts and logs in general
| and never visit a server until it needs reconfiguration.
| Just say f* it. And nothing happens. They just work for
| years, the only difference is you not having tremors
| about it.
|
| The only time a couple of my vpses were pwned in decades
| was a week after I gave a sudoer ssh key to some
| "specialist" that my company decided to offload some
| maintenance to.
|
| What changed from back then is that software became
| easier to set up and config and less likely to do
| something stupid. Even your dog can run a vps with a
| bunch of services now.
| denton-scratch wrote:
| > And nothing happens.
|
| Good luck. Some people have different experiences.
| wruza wrote:
| Some people install every php plugin they can find.
| Recently I gave my coworker access to a gui server and
| next day he complained he can't install some chinese
| malbloatadware on it. People have different experiences
| due to different paradigms. My message is about not being
| anxious, not about being clueless.
|
| With opensource and how code works in general, we are all
| in the same boat with bigcorps and megacorps. And they
| receive the same updates at the same rate (maybe minutes
| faster cause they host repos).
|
| This quote, "you can't be certain the software you use is
| secure", is technically true but is similar to the "you
| can't be certain you won't die buying groceries".
| Perfectly useless fearoid for your daily life.
| tjoff wrote:
| I get what you are saying, and if anything all the
| "attacks" in the logs should build you some confidence.
| Oh, so 98% of all attacks assume I haven't changed the
| root password? I must be ahead in the game then.
|
| But the way you phrase it isn't really convincing, and
| for singling out ports 443 and 80. As the subthread of
| breaches hints towards. You might not need to be worried
| about nginx, but whatever you host on nginx might be a
| problem and being "certain the software you use is
| secure" is also pretty darn useless as guidance.
| wruza wrote:
| How do you run software? Or if you are using managed
| hosting or a platform for running software, how exactly
| do they solve this "security strictly < 1, have to run
| somehow" dilemma?
| tjoff wrote:
| For systems exposed on the internet?
|
| * Try to avoid it in the first place.
| * Do research, minimize risk and make whatever compromises you are
| willing/able to make
| * Isolate it
| * Maintain, update and monitor it
|
| At no point am I certain the software is secure.
| wruza wrote:
| You seem to include some absolute security, which is
| obviously nonexistent in this world (p!=0 for any event
| according to some models), into your internet exposure
| formula, when "minimize risk, make whatever compromises,
| update" is sufficient (to me) and everything above that
| is just worrying too much without having control. I think
| that's where we fundamentally disagree.
| tjoff wrote:
| I really don't.
|
| Be aware of your threat model and the risks associated.
| ricardo81 wrote:
| >pw-based auth
|
| Better off using key-only logins and forgetting, IMO.
| mr_mitm wrote:
| Even OpenSSH almost got a fatal backdoor recently.
| moffkalast wrote:
| Haveibeenpwned paints a pretty good picture. Breaches,
| breaches everywhere. The average piece of software cannot be
| trusted with keeping any data secure for any notable amount
| of time.
|
| It's funny that password managers and random generated single
| use passwords are so popular now, because the greatest risk
| to one's credentials isn't direct attacks, but having them
| leaked by someone's half assed backend. It gets even funnier
| when the service that gets breached has some arcane password
| security rules with two symbols or whatever, the ultimate
| hypocrisy.
| otherme123 wrote:
| Almost all stories you read about data leaks are some
| variation of "I installed XXX database and forgot to limit
| access" or even "and I wrongly supposed it wasn't listening
| to an internet exposed port". Breaches are just queries.
| withinboredom wrote:
| A "breach" usually means they got access to the database,
| which is much different to access to the underlying server.
| We aren't talking about databases, we are talking about
| servers.
| moffkalast wrote:
| It really depends on the architecture. At least I think
| it's fairly common for people to have some sort of
| database proxy running beside the static serve, so there
| isn't any direct public access and to do some caching,
| but once you're there it should be pretty wide open.
| oopsallmagic wrote:
| To be blunt, those breaches are the result of software
| written by people I wouldn't trust to bag my groceries.
| I've never had a database get leaked, because I'm not a
| hack, and I know how to do the bare minimum above
| professional negligence to secure internet-facing services.
| I wish I could say the same about most of the industry.
| dotancohen wrote:
| > if you are certain the software you use is secure
|
| This is the problem right here. You can be certain that the
| software you use has security issues.
| danielovichdk wrote:
| Sure. And so what ? Should I stop using it ?
| lofaszvanitt wrote:
| And who will fire a 10k+ exploit on your server? So you could
| record it and resell? In the early days, surfing shady sites
| with Internet Explorer, you could net a lot of interesting js
| that exploited the browser.
| dotancohen wrote:
| My server is an attack vector for my 10k+ users, and all
| their contacts. A 1% ransomware infection rate could net
| them $1 million USD worst case, and potentially an order of
| magnitude more if one of my users is browsing from a work
| machine in their network.
|
| Don't underestimate the security value of people hitting
| your servers, even if all you think you're serving is
| emojis.
| lofaszvanitt wrote:
| I'm not underestimating. All I'm saying is if someone pays
| 10k or more for an exploit against ssh/nginx/whatever,
| nobody is gonna pepper your server with it. They will
| sell it to a broker and pocket the money, end of story.
|
| You will be targeted if your server seems to be the
| lowest hanging fruit or most easily exploitable or the
| target is most easily reachable through your site.
| Otherwise no one will bother with your setup.
| elintknower wrote:
| Yeah, this is also a huge concern of mine. There's also
| nearly no standardization / information as to how to
| harden just a bit more than is commonly suggested by web
| devs / bad tutorial sites.
| input_sh wrote:
| The question isn't does the software I run have some sort of
| yet-undetected security issues, but am I a valuable enough
| target for someone to waste their yet-undetected exploits
| specifically targeting me?
|
| If the answer's no, then your only job is to keep up with
| software updates.
| lazide wrote:
| If you're exposing your software to the external internet,
| you're potentially valuable enough to get a drive by.
| input_sh wrote:
| Assuming your software is fairly up to date and/or you
| haven't badly misconfigured it, they're not gonna do
| anything. There are a ton of routers and IoT devices that
| are a much easier catch than a machine run by someone
| that actually gave a thought or two about securing their
| server.
| e12e wrote:
| This seems hopelessly naive just after the Windows PHP bug bit?
|
| https://arstechnica.com/security/2024/06/thousands-of-server...
| ibbtown wrote:
| Had my own server at university during my PhD. Most requests were
| trying to download scientific papers from large journals using
| absolute and not relative URLs after request.
| kristopolous wrote:
| In the early 2000s I kept an anonymous ftp server open and would
| routinely get the latest cracked software delivered right to my
| hard drive. It was very convenient.
| sattoshi wrote:
| Cracked software can contain extra features. Especially when
| delivered in this way.
| seanthemon wrote:
| Ooo like that awesome techno music on startup, or maybe bee
| movie during install
| Etheryte wrote:
| I like the idea that someone embedded an entire movie as a
| malicious payload in an installer.
| seanthemon wrote:
| I'm sold, send me the link
| input_sh wrote:
| In the early 2000s it was pretty much expected that each and
| every computer you encounter is full of viruses. That is,
| viruses on top of viruses that come by default from everyone
| running a cracked version of Windows XP.
| welder wrote:
| Most people on here didn't use Windows in the early 2000s,
| or ever.
| lofaszvanitt wrote:
| Oh, when you needed specific ftp clients, because most of them
| couldn't handle special characters needed to access the
| directory containing the LOOT :D.
| cranberryturkey wrote:
| serv-u and cuteftp baby!
| throw_m239339 wrote:
| "H2O, try before you buy..."
| agilob wrote:
| There's a project for running Honeypot as a Service:
| https://haas.nic.cz . The data is public and you can register your
| router too.
| ProllyInfamous wrote:
| I somehow found myself in charge of a computer lab two decades
| ago... and idiotically set up admin controls via SSH.
|
| The entire lab was down for almost a week [immediately hacked],
| and then I suddenly moved a few states away.
| BLKNSLVR wrote:
| I self-host a (non-critical) mail server and a few other things
| and occasionally look at live firewall logs, seeing the constant
| flow of illegitimate traffic hitting random ports all over the
| place, some hitting legitimate service ports but others just
| probing basically anything and everything. I decided to set up a
| series of scripts that detect activity on ports that aren't open
| (and therefore there's no legitimate reason for the traffic to
| exist) and block those IP addresses from the service ports since
| the traffic source isn't to be trusted.
|
| Something that came out of analysis of the blocked IP addresses
| was that I discovered a few untrustworthy /24 networks belonging
| to a bunch of "internet security companies" whose core business
| seems to depend on flooding the entire IPv4 space with daily
| scans. Blocking these Internet scanner networks significantly
| reduced the uninvited activity on my open service ports. And by
| significantly I mean easily over 50% of unwanted traffic is
| blocked.
|
| Network lists and various scripts to achieve my setup can be
| found here:
| https://github.com/UninvitedActivity/UninvitedActivity
|
| Internet Scanner lists are here:
| https://github.com/UninvitedActivity/UninvitedActivity/tree/...
|
| Large networks that seem responsible for more than their fair
| share of uninvited activity are listed here:
| https://github.com/UninvitedActivity/UninvitedActivity/tree/...
|
| I'm semi-aware of the futility of blocking IP addresses and
| networks. I do believe, however, that it can significantly reduce
| the load on the next layers of security that require computation
| for pattern matching etc.
|
| Be aware: there are footguns to be found here.
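| The approach described above (treat any hit on a port that is not
| a service port as evidence the source is untrustworthy, then block
| that source from the real service ports) is easy to prototype over
| firewall logs. The script below is an added illustration and is
| not code from the UninvitedActivity repository or from the
| commenter; the log lines are constructed in the netfilter LOG
| format, the open-port set, the "UNINVITED" log prefix, the
| allowlisted range and the nftables set name are all assumptions
| for the example. It also shows one of the footguns the comment
| warns about: an allowlist, so you never add your own ranges to
| the list.

```python
import re
import ipaddress
from collections import Counter

# Ports that legitimately accept traffic on this host (assumption for the
# example; ssh is deliberately absent, as when it is reachable only from a
# bastion host).
OPEN_PORTS = {25, 80, 443, 993}

# Ranges that must never land on the blocklist, e.g. your own networks
# (constructed value; this is the "footgun" guard).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed kernel LOG lines in the netfilter format: SRC/DST/PROTO/DPT.
SAMPLE_LOG = """\
Jun 16 03:11:02 host kernel: [12345.1] UNINVITED: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=41234 DPT=22 SYN
Jun 16 03:11:05 host kernel: [12345.2] UNINVITED: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=41235 DPT=3389 SYN
Jun 16 03:11:09 host kernel: [12345.3] UNINVITED: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=51000 DPT=8080 SYN
Jun 16 03:12:00 host kernel: [12345.4] UNINVITED: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=51001 DPT=443 SYN
Jun 16 03:12:30 host kernel: [12345.5] UNINVITED: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=51002 DPT=5900 SYN
Jun 16 03:13:00 host kernel: [12345.6] UNINVITED: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=40 PROTO=UDP SPT=51003 DPT=161 LEN=20
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src_ip, proto, dport), or None if this is not a netfilter LOG line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def find_uninvited(log_text, open_ports=OPEN_PORTS):
    """Map each source that hit a closed port to the (proto, port) pairs it probed.

    Hits on open service ports are ignored: those may be legitimate clients,
    and a hit on a closed port is the only signal this heuristic trusts.
    """
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if dport in open_ports:
            continue  # service port: not evidence of probing
        if is_allowlisted(src):
            continue  # never blocklist our own ranges
        hits.setdefault(src, []).append((proto, dport))
    return hits


def summarise_by_prefix(hits, prefix_len=24):
    """Count offending sources per /24 so noisy scanner networks stand out."""
    counts = Counter()
    for ip in hits:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def nft_blocklist(hits, set_name="uninvited"):
    """Render the offending addresses as one nftables 'add element' command.

    Table/set layout ('inet filter', set 'uninvited') is an assumption; a
    rule such as 'ip saddr @uninvited drop' on the service ports would use it.
    """
    elems = ", ".join(sorted(hits, key=ipaddress.ip_address))
    return f"nft add element inet filter {set_name} {{ {elems} }}"


if __name__ == "__main__":
    hits = find_uninvited(SAMPLE_LOG)
    for ip, probes in hits.items():
        print(ip, probes)
    print(summarise_by_prefix(hits))
    print(nft_blocklist(hits))
```

| Feed it real `journalctl -k` output instead of SAMPLE_LOG and the
| only parts to adapt are OPEN_PORTS, ALLOWLIST and the set name.
| The /24 summary is what surfaces the scanner networks mentioned
| above: one address per /24 is noise, dozens from the same /24 is
| a candidate for a network-wide entry.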
| k8sToGo wrote:
| Have you considered using crowdsec?
| BLKNSLVR wrote:
| I set it up in a fairly superficial way, and there are only a
| handful (two or three) rules that can be applied on the free
| tier, and I'm a tight-ass.
|
| It's still running, but it doesn't seem to block much - but
| that might be because I didn't put enough time into "doing it
| properly".
| teruakohatu wrote:
| Are there any downsides to crowdsec?
| snorremd wrote:
| You end up sharing signals (IPs) to their crowd-sourced bad
| IP databases, but only get 3 free IP lists on the free
| plan. To get some of the bigger IP lists you need an
| enterprise plan at $2500 a month.
|
| Essentially they use the free customers to build the lists
| that drive their enterprise sales, which is fair enough as
| you get to use their free dashboard and open source
| software. But to me it seems they're really only targeting
| enterprise customers as a business.
| pgraf wrote:
| Just be aware that with your strategy "blocking 50% of unwanted
| traffic" means blocking non-attack traffic, as these Internet
| security companies are mostly legitimate. The automated attack
| traffic that you actually want to block is in the other half
| and will frequently change IPs.
| BLKNSLVR wrote:
| > these Internet security companies are mostly legitimate
|
| This is both subjective and highly dependent upon the scope
| of services being run. My setup would probably progressively
| create more hassle than it saves on a scale from small
| business to large business. For the setup I have, I quite
| specifically want to block their traffic.
|
| I'm possibly overly militant about this, but they keep
| databases of the results of their scans, and their business
| is selling this information to ... whoever's buying. I don't
| want my IP addresses, open ports, services or any other
| details they're able to gather to be in these databases over
| which I have no control and didn't authorise.
|
| To steal an oft-used analogy, they're taking snapshots of all
| the houses on all the streets and identifying the doors,
| windows, gates, and having a peek inside, and recording all
| the results in a database.
|
| I believe all of them are illegitimate. They 'do' because
| they can, and it's profitable. "Making the internet safer" is
| not their raison d'etre.
|
| Happy for anyone else to form their own opinion, but this is my
| current stance.
| appstorelottery wrote:
| Would be cool to have a "don't scan me bro" list of IPs
| that engage in this that we could share - is there such a
| thing?
| BLKNSLVR wrote:
| The problem is that becomes a concentrator of IPs behind
| which privacy conscious individuals exist, which probably
| has higher value to "whoever's buying". It's a conundrum.
| yesbabyyes wrote:
| It sounds like what GP is suggesting is to collect IPs of
| all the scanners, and share the list of IPs among
| ourselves, so we can collectively route their traffic to
| /dev/null.
| BLKNSLVR wrote:
| aaaaah, that makes sense. See the links in my original
| post.
| kjkjadksj wrote:
| Why not also sell the scans of scanners to the scanners
| customers and make a little pocket change?
| dataflow wrote:
| You're being sarcastic, right? We did this for telephone
| numbers and saw how it turned out...
| zbentley wrote:
| There's a comment downthread discussing something
| similar; I haven't tried it though:
| https://news.ycombinator.com/item?id=40695179
| nubinetwork wrote:
| > these Internet security companies are mostly legitimate
|
| Act like a bot, get treated like a bot.
|
| > Just be aware that with your strategy "blocking 50% of
| unwanted traffic" means blocking non-attack traffic
|
| You don't block them forever, just enough for them to move on
| to someone else.
| slt2021 wrote:
| They don't move on to someone else; they scan the entire
| internet on a regular basis, just like Google crawls web
| pages.
| moffkalast wrote:
| Lol legitimate. As legitimate as door to door salesmen. OP
| just put up a proverbial "no soliciting" sign.
| chipdart wrote:
| > (...) as these Internet security companies are mostly
| legitimate.
|
| Note that you're basing your assertion on the motivation of
| random third parties exclusively on the fact that they exist
| and they are behind active searches for vulnerabilities.
| wl wrote:
| My experience is that after blocking Censys, unwanted traffic
| on non-standard ports _from other IP blocks_ has basically
| gone to zero. It appears to me that some bad actors are using
| Censys scans for targeting.
| rolph wrote:
| I get similar results.
| cranberryturkey wrote:
| Just install fail2ban.
| WhackyIdeas wrote:
| For SSH, changing to a random port number resulted in zero
| connection attempts from bots for months on end. It seems
| bots just never bother scanning the full 65535 port range.
| dizhn wrote:
| For most of my VMs there's no ssh running. I use wireguard
| to connect to a private IP. I haven't done this on the bare
| metal yet but I might. Though barring exploits like we had
| recently nobody is getting into a server with either strong
| passwords or certificates. Fail2ban in my eyes is a log
| cleaner. It's not useful for much else.
| cranberryturkey wrote:
| It bans the bad IPs; isn't that worth running?
| thfuran wrote:
| But what does that actually accomplish?
| speleding wrote:
| A server with fail2ban can be DOSed by sending traffic with
| spoofed IP addresses, making it unavailable to the spoofed IP
| addresses (which could be your IP, or the IP of legitimate
| users).
|
| That is typically a bigger problem than polluting your logs
| with failed login attempts.
| CreatedAccount wrote:
| What would spoofing the IP of a packet when the underlying
| protocol requires a two-way handshake accomplish?
| ajsnigrutin wrote:
| With CGNAT, a prepaid SIM card and some effort, you can
| make them block a whole legit ISP in a few days without
| spoofing anything.
| hypeatei wrote:
| fail2ban is another layer which is susceptible to abuse and
| vulnerabilities. It might keep noise out of your logs but at
| a huge cost. I'd rather just change the SSH port to something
| non-standard and write it down.
| gnuser wrote:
| Add port knocking to it and this is how I do it. nftables FTW.
| nilsherzig wrote:
| Try running some of your blocked IPs through GreyNoise; they
| usually have some interesting information about them.
| BLKNSLVR wrote:
| Thanks for the tip. Looks like GreyNoise uses ipinfo.io for IP
| metadata.
|
| I use https://www.abuseipdb.com/ for any manual IP address
| checks, and https://hackertarget.com/as-ip-lookup/ for
| finding what ASN an IP address (range) is a member of. I'll
| check out greynoise and see what extra info may be provided.
| shaky-carrousel wrote:
| Good idea. What I do is, I disallowed password login on my ssh
| server, and I permanently ban whichever address tries to
| log in using a password.
| BLKNSLVR wrote:
| I use a bastion host on a VPS as the only source IP address
| allowed to ssh into my systems, so any attempts to connect to
| ssh (from any IP address other than the bastion) are both
| blocked and logged into "the list" to be blocked from
| connecting to any other service ports.
| TacticalCoder wrote:
| One thing I do is I blocklist entire countries' and regional
| ISPs' CIDR blocks. Believe it or not: straight to firewall DROP.
|
| China, North Korea, so many African countries whose only
| traffic is from scammers, tiny islands in the Pacific that are
| used for nothing but scamming...
|
| Straight to DROP.
|
| And I do not care about the whining.
| nequo wrote:
| I assume you don't host anything that could be useful to the
| 1.5 to 2 billion people that you're blocking.
| luma wrote:
| Or they host a business site that doesn't do business in
| those countries and so nothing of value is lost to them.
| For example, it's literally illegal for me to accept
| payments from .ru, so why bother wasting their time and my
| bandwidth?
| ajsnigrutin wrote:
| I live in the EU, and a bunch of American sites just block the
| whole EU due to GDPR laws.
|
| Then someone in the US uses my email by accident to subscribe
| to some newsletter (not the first time, I also get
| personal emails for that person, since it's just one
| letter difference, and I'm guessing it's someone old,
| considering the emails I get), I try to click
| "unsubscribe", and it just redirects me to a "<site> is
| unavailable in EU, blah blah" page, without
| unsubscribing.
|
| I make sure to report that site to every goddamn spam
| list possible.
| rapind wrote:
| IMO replying unsubscribe should always work for marketing
| emails and if it doesn't then I flag the email as spam.
| Nope, I'm not going to visit that tracked / info
| gathering unsubscribe link.
| dheera wrote:
| I only use unsubscribe links from things I voluntarily
| and willingly subscribed to.
|
| If I was _involuntarily_ subscribed to something, or
| subscribed because of an inconspicuous "subscribe me"
| checkbox that I probably didn't notice, including from a
| legit business that I purchased an item from, it's getting
| reported as spam in Gmail.
| DEADMINCE wrote:
| > a bunch of american sites just block the whole EU due
| to GDPR laws.
|
| Which is incredibly reasonable. If the EU didn't try to
| claim EU law applies globally, those sites might still be
| up.
| robin_reala wrote:
| The US is just as bad at extraterritorial law, see FATCA
| for just one example.
|
| https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...
| DEADMINCE wrote:
| That situation is quite different. The US is using its
| significant power and weight to coerce those non-US banks
| into compliance with FATCA. Those banks don't _have_ to
| comply, but if they want to do business with the US and US
| companies, then they don't have much of a choice.
|
| It's not like they just made a law and now insisted it
| applies globally, which is what the EU did.
| echoangle wrote:
| Isn't it actually exactly the same? The website doesn't
| have to comply (and many don't), but if they want to do
| business in the EU, they have to. How is that different?
| DEADMINCE wrote:
| No, it's not remotely the same.
|
| The US is using the fact that people want to do business
| with them to coerce compliance, and as written the law
| only applies to US persons.
|
| The EU claims the GDPR applies globally, regardless of if
| people want to do business with the EU, or even if people
| ever set foot in the EU. It's amusing nonsense.
| mratsim wrote:
| Why is it different?
|
| People don't have to comply to GDPR but if they want to
| serve EU folks then they don't have a choice.
| DEADMINCE wrote:
| The EU claims their law applies globally regardless of if
| people set foot in or do business in the EU. According to
| the EU, an EU citizen just needs to visit a site and the
| law applies, regardless of where the site is hosted.
|
| According to the EU, the GDPR applies to some small shop
| owner in China with a website that harvests all data it
| can that isn't advertising in the EU, courting EU
| citizens in any way, has no business with the EU, etc.
| belk wrote:
| It's effectively the same; small banks just shove you out
| of the building and refuse to open a bank account for you
| if FATCA applies to you. Their compliance is through just
| not accepting US taxpayers.
|
| This is a real issue that leaves US citizens only able to
| open accounts at bigger banks (with shittier services but
| enough budget to hire a FATCA compliance department)
| DEADMINCE wrote:
| > it's effectively the same
|
| Nope. Not even close.
|
| Practically the GDPR law has no teeth at all because its
| claim of extraterritorial jurisdiction is nothing but
| nonsense.
|
| FATCA applies because the US has a carrot or stick to
| enforce it.
|
| Also, the US law as written is entirely reasonable and
| doesn't try to claim the law applies to US citizens
| anywhere in the world.
| shkkmo wrote:
| > US law as written is entirely reasonable and doesn't
| try to claim the law applies to US citizens anywhere in
| the world.
|
| It absolutely does.
|
| The USA has laws that govern what its own citizens do
| abroad. For example, you aren't allowed to have sex with
| minors or pay bribes when abroad.
|
| The USA also recently passed a law that allows it to
| prosecute foreign officials who solicit bribes from USA
| entities.
| https://www.ropesgray.com/en/insights/alerts/2023/12/us-cong...
| DEADMINCE wrote:
| > It absolutely does.
|
| Absolutely, _absolutely_, it does not.
|
| The USA law is saying US law applies to US persons
| wherever they may be in the world.
|
| The EU law is saying EU law applies to ANYONE in the
| world if an EU person interacts with them via the
| internet.
|
| You realize those two things are not the same, right?
| throwawaysm wrote:
| https://en.wikipedia.org/wiki/CLOUD_Act strikes me as an
| example.
| 3836293648 wrote:
| What? No
|
| Claiming jurisdiction by server location is the stupidest
| thing ever if you're trying to have any kind of customer
| protection laws. You have to go by customer location.
|
| However, the claim that they have jurisdiction over EU
| citizens abroad is very questionable.
| DEADMINCE wrote:
| > Claiming jurisdiction by server location is the
| stupidest thing ever if you're trying to have any kind of
| customer protection laws. You have to go by customer
| location.
|
| I disagree, because that's _impossible_. That's why the
| EU's attempt is largely a joke. Literally - it seems to
| get mocked a lot when I tried reading up on the
| credibility and practicality of what they claim.
|
| > However, the claim that they have jurisdiction over EU
| citizens abroad is very questionable.
|
| It's the claim that they have jurisdiction over non-EU
| citizens and businesses in their own countries which is
| so laughable.
| jkaplowitz wrote:
| > Literally - it seems to get mocked a lot when I tried
| reading up on the credibility and practicality of what
| they claim. [...] > It's the claim that they have
| jurisdiction over non-EU citizens and businesses in their
| own countries which is so laughable.
|
| Most of this mockery is based on misunderstandings that
| overgeneralize what the EU is asserting and overlook what
| most other countries assert.
|
| Most countries have some laws that under some
| circumstances purport to apply to foreign non-citizens
| located outside the country, not just the EU.
|
| A key example is defamation law. If you are a Brazilian
| citizen located in Brazil and you specifically target
| publications online to UK or Canadian or US audiences in
| ways that are viewed as defamatory in those
| jurisdictions, you could very well get sued in those
| countries' courts, and there are absolutely cases where
| those courts would uphold their jurisdiction based on the
| specifically targeted publication.
|
| Similarly, when asked to decide if they have jurisdiction
| to enforce local consumer protection law against a
| foreign defendant, the courts in the Canadian province of
| Quebec will consider whether the foreign defendant has
| tried to target Quebec consumers, should know that it has
| ongoing substantial sales to Quebec consumers, et cetera
| - not only whether it has a business establishment in
| Quebec.
|
| Conversely, if you are a hotel in New Hampshire, USA and
| someone located in an EU country visits your US-based
| English-language USD-only hotel website and books a room
| for their upcoming visit, the GDPR probably does not
| apply, since there is no attempt to target the EU. Among
| other exceptions, the conclusion could be different if
| the hotel website allows bookings in EU currencies or
| languages (not counting English and maybe not US/Latin
| American Spanish because of their use in the US), since
| that shows an intention to target EU visitors.
|
| If merely being foreign allowed EU-focused businesses to
| avoid the GDPR, that would be an extremely huge loophole,
| and EU businesses would make deals with those foreign
| businesses to shift as much as possible of their data
| processing stream outside the scope of the GDPR. It would
| pretty much swallow the whole law. It's not a viable
| approach.
|
| Similarly, monitoring the behavior of visitors in the EU
| can also lead to the GDPR applying, since otherwise EU
| businesses would pay foreign businesses to track their
| visitors on their behalf, doing whatever legal ownership
| transfer shenanigans they have to in order to make that
| work. ("Oh no, this is not a European-owned website, it's
| an American website to which we've licensed our brand
| content and which shares 99% of its subscription and ad
| revenue with us as their license fee... they are allowed
| to track you even if we can't...")
|
| Of course, you're quite right if you view it as a
| mockable idea that the EU would be going into foreign
| countries to bust down doors and collect fines from
| foreign businesses. Just as clearly, they aren't
| pretending they can do that.
|
| But if a foreign company does get assessed with a GDPR
| violation fine in the EU, it certainly gets harder for
| them to continue to engage in business dealings with
| anyone in the EU without that fine becoming more possible
| to collect - and in some cases there are established
| mutual legal assistance treaties through which EU
| countries can get foreign countries to help with
| collecting a judgment outside of the EU.
|
| My guess as to why these non-EU companies prefer to block
| the EU instead of comply with the GDPR is simply that
| they don't view the risks of being found in violation as
| worth the benefits of the additional audience - not
| because they would necessarily be found in violation.
| Most of the local news channels would probably not be
| found in violation if they excluded visitors in the EU
| from behavior monitoring, but many of those sites don't
| consider it worthwhile even to take the risk.
| DEADMINCE wrote:
| > Most of this mockery is based on misunderstandings that
| overgeneralize what the EU is asserting and overlook what
| most other countries assert.
|
| I think that's mostly assumption. Much of the mockery was
| in legal journals for example - an audience that would be
| more familiar with the text of the legislation than most.
|
| > Most countries have some laws that under some
| circumstances purport to apply to foreign non-citizens
| located outside the country, not just the EU.
|
| Maybe a few other countries have something in the same
| general category, but none as far reaching as GDPR law
| tries to be. And certainly it's a minority of countries
| that have such laws, not most.
|
| > A key example is defamation law. If you are a Brazilian
| citizen located in Brazil and you specifically target
| publications online to UK or Canadian or US audiences in
| ways that are viewed as defamatory in those
| jurisdictions, you could very well get sued in those
| countries' courts, and there are absolutely cases where
| those courts would uphold their jurisdiction based on the
| specifically targeted publication.
|
| I'm not exactly clear what you are saying here, but in
| any event, at least in any interpretation I can think of,
| the analogy doesn't map. If a UK entity sues a Brazilian
| in a Brazilian court, that's all pretty normal. That's
| just the UK entity doing something they are able to do in
| compatible courts, that's not UK law applying to
| Brazilians.
|
| > Similarly, when asked to decide if they have
| jurisdiction to enforce local consumer protection law
| against a foreign defendant, the courts in the Canadian
| province of Quebec will consider whether the foreign
| defendant has tried to target Quebec consumers, should
| know that it has ongoing substantial sales to Quebec
| consumers, et cetera - not only whether it has a business
| establishment in Quebec.
|
| And how is this relevant? That foreign defendant would be
| present in Quebec to be tried, so it's quite a bit
| different from the EU claiming Joe Schmoe halfway around
| the world who has no interest in the EU or Europe and has
| never been there, is subject to EU law because an EU
| citizen visited their data collecting site.
|
| > Conversely, if you are a hotel in New Hampshire, USA
| and someone located in an EU country visits your US-based
| English-language USD-only hotel website and books a room
| for their upcoming visit, the GDPR probably does not
| apply, since there is no attempt to target the EU.
|
| The attempt to target the EU would simply be having
| online advertising that would show up in the EU.
|
| > Among other exceptions, the conclusion could be
| different if the hotel website allows bookings in EU
| currencies or languages (not counting English and maybe
| not US/Latin American Spanish because of their use in the
| US), since that shows an intention to target EU visitors.
|
| I don't think this is the actual text of the law. The EU
| claims GDPR applies to a small data collecting site, say,
| in Vietnam, that wants to store and retain and sell all
| the data it can about anyone that visits its site. That's
| what is ridiculous, that's what is incomparable to
| anything else you have listed.
|
| But in any event, let's say that is the law. Let's say
| this site in my Vietnamese example goes out of its way
| to target the EU, having French and Spanish as default
| languages, having language flags for every EU country,
| and paying for advertisements (but only on US sites with
| US companies, let's say, just to reinforce the point that
| no business has been done in the EU) - well, in that
| case, it's still bonkers that the EU thinks they have any
| jurisdiction over the operator of that site.
|
| The ONLY thing they can do is firewall it off, like China
| does. That's it. Claiming to have global jurisdiction as
| they do just makes them look foolish.
|
| > If merely being foreign allowed EU-focused businesses
| to avoid the GDPR, that would be an extremely huge
| loophole,
|
| This is already reality, though. Any business in the
| world can court EU consumers, and only the EU can prevent
| that by further policing its citizens. They are powerless
| to stop foreign businesses any other way since they only
| have jurisdiction in their own borders...yet they claim
| the opposite.
|
| > Of course, you're quite right if you view it as a
| mockable idea that the EU would be going into foreign
| countries to bust down doors and collect fines from
| foreign businesses. Just as clearly, they aren't
| pretending they can do that.
|
| It's mockable that they claim they have any jurisdiction
| outside their borders in the contexts they do, period.
|
| > But if a foreign company does get assessed with a GDPR
| violation fine in the EU, it certainly gets harder for
| them to continue to engage in business dealings with
| anyone in the EU without that fine more becoming possible
| to collect - and in some cases there are established
| mutual legal assistance treaties through which EU
| countries can get foreign countries to help with
| collecting a judgment outside of the EU.
|
| There is absolutely no instance of a foreign court
| upholding a GDPR fine and I don't expect there ever will
| be, nor is there any treaty that would allow for that as
| far as I know. If you know otherwise and could name such
| a treaty I would appreciate it.
|
| The only thing the EU can do is get a judgement against
| that person or company and arrest people if they enter
| the EU, firewall off hosts, or police and punish its own
| citizens.
| jkaplowitz wrote:
| > I think that's mostly assumption. Much of the mockery was
| in legal journals for example - an audience that would be
| more familiar with the text of the legislation than most.
|
| There's lots of bullshit in legal journals too, partly
| due to how most of those journals are student-reviewed
| rather than peer-reviewed, and partly due to how
| politicized the legal academy is. Care to provide a cite?
|
| > I'm not exactly clear what you are saying here, but in
| any event, at least in any interpretation I can think of,
| the analogy doesn't map. If a UK entity sues a Brazilian
| in a Brazilian court, that's all pretty normal. That's
| just the UK entity doing something they are able to do in
| compatible courts, that's not UK law applying to
| Brazilians.
|
| No, I'm saying that a UK entity can sue a Brazilian for
| defamation in UK court, not Brazilian court, and win
| jurisdictional arguments in the UK court based on the
| Brazilian's publications being targeted to the UK - even
| if the Brazilian has never been to the UK. And all of
| this would be based on UK law, not Brazilian law.
|
| > And how is this relevant? That foreign defendant would
| be present in Quebec to be tried,
|
| I said nothing about the foreign defendant being present
| in Quebec, no. Everything I said applies even when that
| is not true.
|
| > so it's quite a bit different from the EU claiming Joe
| Schmoe halfway around the world who has no interest in
| the EU or Europe and has never been there, is subject to
| EU law because an EU citizen visited their data
| collecting site. > [...] > The attempt to target the EU
| would be simply be having online advertising that would
| show up in the EU.
|
| This is among the common global misinformation about the
| GDPR that does not reflect the EU's actual legislation or
| their actual guidance about the GDPR. Read Article 3 of
| the GDPR or Recitals 23 and 24 of the official guidance
| about it.
|
| https://gdpr-info.eu/art-3-gdpr/
|
| https://gdpr-info.eu/recitals/no-23/
|
| https://gdpr-info.eu/recitals/no-24/
|
| (Note, that website is not an official source, but it's a
| more convenient way for me to link to the relevant
| sections than the official sources.)
|
| Merely not blocking online advertising from showing up in
| the EU does not cause GDPR to apply. Nor does merely
| receiving a visit from an EU citizen.
|
| However, monitoring behavior by visitors where that
| behavior occurs in the EU does. So if a website's
| preferred online advertising model depends on monitoring
| the behavior of their visitors and they don't want to
| make an exception to that for visitors in the EU, that's
| the source of the GDPR applicability - not the online
| advertising itself.
|
| And I already explained why this is necessary to avoid a
| huge truck-sized loophole.
|
| > I don't think this is the actual text of the law. The
| EU claims GDPR applies to a small data collecting site,
| say, in Vietnam, that wants to store and retain and sell
| all the data it can about anyone that visits its site.
| That's what is ridiculous, that's what is incomparable to
| anything else you have listed.
|
| Again, read Article 3 of the GDPR and Recitals 23 and 24
| of the official guidance. The EU does not claim the GDPR
| applies there.
|
| > But in any event, let's say that is the law. Let's say
| this site in my Vietnamese example goes out of its way
| to target the EU, having French and Spanish as default
| languages, having language flags for every EU country,
| and paying for advertisements (but only on US sites with
| US companies, let's say, just to reinforce the point that
| no business has been done in the EU) - well, in that
| case, it's still bonkers that the EU thinks they have any
| jurisdiction over the operator of that site.
|
| You would be amazed at how many countries would apply
| their jurisdiction to foreigners with respect to how many
| laws in this kind of scenario. People have been persuaded
| otherwise by anti-GDPR propaganda by the industries that
| depend on routinely violating the GDPR, but it's really
| true.
|
| In particular, look at this summary on Wikipedia of
| personal jurisdiction in Internet cases in the United
| States:
|
| https://en.wikipedia.org/wiki/Personal_jurisdiction_in_In
| ter...
|
| Many, many, many of those scenarios can happen when the
| out-of-state website operator has never been to the US
| and is not a US citizen or company. The phrase "purposely
| availed itself" in that US jurisprudence is very similar
| to what I was calling targeting the EU in my previous
| comments.
|
| More information on the underlying principles and laws,
| again from the US perspective:
|
| https://en.wikipedia.org/wiki/Minimum_contacts
|
| https://en.wikipedia.org/wiki/Long-arm_jurisdiction
|
| > The ONLY thing they can do is firewall it off, like
| China does. That's it. Claiming to have global
| jurisdiction as they do just makes them look foolish.
|
| They claim just as much jurisdiction as most countries do
| - but most countries don't have privacy laws like the
| GDPR, so the industries who are crying about the GDPR
| aren't crying about most other examples.
|
| > There is absolutely no instance of a foreign court
| upholding a GDPR fine and I don't expect there ever will
| be, nor is there any treaty that would allow for that as
| far as I know. If you know otherwise and could name such
| a treaty I would appreciate it.
|
| Small correction to my previous comment: while there are
| indeed some multilateral treaties about the recognition
| of foreign judgments such as can happen for unpaid GDPR
| fines, you're right that the US isn't part of those
| treaties.
|
| However, US state laws do allow recognition of many
| foreign judgments, with the details varying widely. There
| is a federal law which prohibits US enforcement of
| foreign libel judgments that would violate the First
| Amendment if they had been from a US court, but there is
| no federal law restricting states from recognizing most
| other foreign judgments they might choose to recognize.
| And again, in many cases states do so choose.
|
| I would be quite surprised if all US states would never
| enforce a court judgment from an EU country resulting
| from a GDPR violation. Said differently, I expect that at
| least some US states would enforce such a judgment under
| at least some facts and circumstances.
|
| > The only thing the EU can do is get a judgement against
| that person or company and arrest people if they enter
| the EU, firewall off hosts, or police and punish its own
| citizens.
|
| Even when the company has no assets in a jurisdiction
| that allows recognition of EU judgments resulting from
| GDPR violations, they can also seize movements of money
| or goods into or out of the EU which belong to the
| company that isn't paying the judgment.
|
| Anyway, "police and punish its own citizens" isn't the
| scenario being discussed here - nobody violates the GDPR
| by accessing or using a website that violates the GDPR.
| The violation is the website's alone.
| jkaplowitz wrote:
| > However, the claim that they have jurisdiction over EU
| citizens abroad is very questionable.
|
| The GDPR makes no jurisdictional claims at all based on
| citizenship, despite a lot of inaccurate summaries saying
| otherwise. For those cases where the GDPR cares about
| individuals being EU or non-EU, it only cares about their
| location, not about their citizenship / nationality or
| their residence.
| arp242 wrote:
| > If the EU didn't try to claim EU law applies globally,
| those sites might still be up.
|
| It doesn't; it applies to EU residents. Your non-EU
| business is free to do whatever it wants, but as soon as
| you do business with EU residents EU law applies.
|
| This is more or less how it works everywhere (with some
| exceptions).
|
| And deciding not to do business with EU residents (i.e.
| block in EU) is of course perfectly valid and reasonable
| choice. But not because "EU laws apply globally".
| DEADMINCE wrote:
| > It doesn't; it applies to EU residents. Your non-EU
| business is free to do whatever it wants, but as soon as
| you do business with EU residents EU law applies.
|
| See, you say it only applies to EU residents, but that
| isn't the case.
|
| The real issue is where you say _but as soon as you do
| business with EU residents EU law applies_, and, well,
| that's just nonsense.
|
| I have a US site. I can operate my business any way I
| like as long as I don't break any Federal or State laws,
| and I can break every single EU law that doesn't have an
| equivalent US law.
|
| The EU can't touch me. EU law doesn't apply to me, even
| if I advertise the hell out of my site to try and attract
| as many EU citizens as possible.
|
| All the EU can do is firewall me off, prosecute me if I
| come to the EU and police or punish its citizens.
|
| > This is more or less how it works everywhere (with some
| exceptions).
|
| It's really not. The EU's claim of global jurisdiction is
| unique and a first. There may have been loosely similar
| things, but nothing quite like this.
|
| > But not because "EU laws apply globally".
|
| You should inform the EU they should correct their
| legislation then.
| ajsnigrutin wrote:
| Sure, but if some Little Whinging news from North Arizona
| (fictional newssite) starts spamming me, because some
| grandma there can't remember his email address, and won't
| let me unsubscribe, I'll do everything I can do within my
| five minutes of anger to make them rethink.
| tiahura wrote:
| The Biden administration needs to explain why they allow ISPs
| to import data from these countries.
| hahajk wrote:
| I'm not sure I understand what you're suggesting. Are you
| saying that the US govt should make it illegal for people
| in its borders to communicate with people in those
| countries?
| ajsnigrutin wrote:
| Personal page.. sure.
|
| Business? You're a pain to many people and don't care.
|
| I live in EU and many US pages just block the whole EU due to
| GDPR laws... then someone (by mistake) subscribes me to their
| newsletter, and the "unsubscribe" links leads to "this page
| is unavailable in EU"? I'll goddamn make sure your domain ends
| up on every goddamn possible antispam filter I can find.
| cdelsolar wrote:
| Why? Are they spam pages?
| ajsnigrutin wrote:
| For me? Sure. I never subscribed to them. And the
| unsubscribe link doesn't work, probably illegal,
| although not sure if they can spam an EU citizen from
| usa, and which/whose/what law are they breaking.
| DEADMINCE wrote:
| > I'll goddamn make sure your domain ends up on every
| goddamn possible antispam filter I can find.
|
| Honestly, individuals can't really do much to change the
| reputation of a domain.
|
| Maybe petition your representative to adjust the GDPR so
| they don't claim it applies globally?
| jkaplowitz wrote:
| That's often worth an FTC complaint for a CAN-SPAM Act
| violation: https://www.ftc.gov/business-
| guidance/resources/can-spam-act...
|
| The FTC wouldn't accept "we didn't want to deal with GDPR"
| as an excuse for a business violating that law.
| DEADMINCE wrote:
| That's very computationally inefficient.
| aforwardslash wrote:
| You can trivially maintain a list of the size of the whole
| ipv4 space by using bitmaps
| TacticalCoder wrote:
| > That's very computationally inefficient.
|
| It's O(1) with iptables/nftables ipsets. Moreover as I
| blocklist entire CIDR blocks, there aren't that many
| entries in those ipsets.
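The bitmap idea from the two comments above, as an added example in Python (it is not code posted by either commenter, nor from any tool mentioned in the thread): an IPv4 blocklist that keeps one bit per address, inserts whole CIDR blocks, and answers membership in O(1). A flat bitmap of the entire v4 space is 2^32 bits, i.e. 512 MiB; this example splits it into /16 pages that are allocated only when something inside them is blocked, which is a design choice of the example and not something from the thread. All addresses used are from the documentation ranges.

```python
import ipaddress

PAGE_BITS = 16                  # one page covers a /16: 65,536 addresses
PAGE_SIZE = 1 << PAGE_BITS
PAGE_MASK = PAGE_SIZE - 1
PAGE_BYTES = PAGE_SIZE // 8     # 8 KiB per page; all 65,536 pages would be 512 MiB


class BitmapBlocklist:
    """IPv4 blocklist with one bit per address.

    Pages (/16 blocks) are created lazily, so a CIDR-style blocklist costs far
    less than the full 512 MiB while a lookup stays O(1): one dict probe and
    one bit test.
    """

    def __init__(self):
        self._pages = {}        # page index (top 16 bits of the address) -> bytearray

    @staticmethod
    def _set_range(page, lo, hi):
        """Set bits lo..hi (inclusive, page-relative); whole bytes are slice-filled."""
        lo_byte, hi_byte = lo >> 3, hi >> 3
        head = (0xFF << (lo & 7)) & 0xFF          # bits (lo & 7)..7 of the first byte
        tail = 0xFF >> (7 - (hi & 7))             # bits 0..(hi & 7) of the last byte
        if lo_byte == hi_byte:
            page[lo_byte] |= head & tail
            return
        page[lo_byte] |= head
        page[lo_byte + 1:hi_byte] = b"\xff" * (hi_byte - lo_byte - 1)
        page[hi_byte] |= tail

    def add_cidr(self, cidr):
        """Block every address in a CIDR range (host bits are ignored)."""
        net = ipaddress.IPv4Network(cidr, strict=False)
        first, last = int(net.network_address), int(net.broadcast_address)
        while first <= last:
            idx = first >> PAGE_BITS
            page_end = (idx << PAGE_BITS) | PAGE_MASK
            hi = min(last, page_end)
            if first & PAGE_MASK == 0 and hi == page_end:
                # The range covers this whole /16: fill the page in one go.
                self._pages[idx] = bytearray(b"\xff" * PAGE_BYTES)
            else:
                page = self._pages.get(idx)
                if page is None:
                    page = self._pages[idx] = bytearray(PAGE_BYTES)
                self._set_range(page, first & PAGE_MASK, hi & PAGE_MASK)
            first = hi + 1

    def __contains__(self, ip):
        """O(1) membership test for a single address (str or IPv4Address)."""
        addr = int(ipaddress.IPv4Address(ip))
        page = self._pages.get(addr >> PAGE_BITS)
        if page is None:
            return False
        off = addr & PAGE_MASK
        return bool(page[off >> 3] & (1 << (off & 7)))

    def count(self):
        """Number of blocked addresses (popcount over all pages)."""
        return sum(bin(int.from_bytes(p, "big")).count("1") for p in self._pages.values())

    def memory_bytes(self):
        """Bytes spent on bitmap pages (dict overhead not included)."""
        return len(self._pages) * PAGE_BYTES


if __name__ == "__main__":
    bl = BitmapBlocklist()
    for cidr in ("203.0.113.0/24", "198.51.100.0/22", "192.0.2.7/32", "10.0.0.0/15"):
        bl.add_cidr(cidr)
    print(bl.count(), "addresses blocked in", bl.memory_bytes() // 1024, "KiB")
    print("203.0.113.9" in bl, "203.0.114.1" in bl)
```

On a real firewall the same constant-time behaviour is what an nftables set with the `interval` flag or an ipset of type `hash:net` provides; this class only exists to show the data structure behind the "it's O(1)" claim, not to replace them.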
| mmsc wrote:
| Had a travel insurance do this and when I was in hospital in
| Asia I couldn't start a claim and the hospital nearly kicked
| me out. I'm sure the sysadmins thought it was a great way to
| reduce hacking attempts by blocking Asia.
| boredtofears wrote:
| That's awful but why is the onus on random sys admins
| around the world to deal with this correctly and not the
| government hosting the problem entities?
| belk wrote:
| That's like asking why don't we expect burglars to not
| burgle, they won't, but that doesn't mean walling off a
| whole neighborhood is the solution either.
| AJayWalker wrote:
| I would say because it's their job to serve their
| customers, even if they're abroad? Especially for a
| travel insurance company.
| kjkjadksj wrote:
| Government needs lobbying to act
| krsdcbl wrote:
| if the government in question is supportive of said
| problem entities, they won't "deal" with it
|
| If the government in question has free rein on
| regulating said traffic, it's an avenue for repressions
| and censorship
|
| Otherwise it's a legal matter to seek action against such
| entities, which is already how it works
|
| (... but I'm afraid we're actually mostly talking about
| "scenario 1 entities" here, which makes it futile to seek
| action from the very offices that already play a role in
| making it harder to use existing legal means)
| bobthepanda wrote:
| And it's not like we will invade countries to stop spam
| calls, although China is probably the closest to getting
| to that stage given that the scam centers in Myanmar seem
| to be a deciding factor in who they throw their support
| behind:
| https://www.theguardian.com/world/2024/jan/31/myanmar-
| hands-...
| O5vYtytb wrote:
| That's so remarkably stupid for _travel_ insurance, it's
| unbelievable.
| mmsc wrote:
| I wrote a cynical take on "how it happened" at the time:
| https://joshua.hu/losing-sight-vision-mission-of-your-
| role
|
| I think it comes from the divorce of what people are
| hired to do versus what their work actually contributes
| to. I also remember the countless cloudflare turnstiles
| that I've had to get through one way or another on
| airlines' websites which reset every minute (looking at
| you, airserbia, for being the worst).
| dahart wrote:
| If there's one single business that I might expect to honor
| traffic from foreign countries, it would be the travel
| industry. I can suddenly envision using a VPN to route
| through Asia and check a travel agent's site access before
| purchasing.
| lopkeny12ko wrote:
| Ironic that GP commenter said "I do not care about the
| whining" about regional IP blocks and the first reply is
| just someone whining about it.
| grishka wrote:
| As a Russian, I hate it when people do this. It's extremely
| annoying when you just click some random interesting-looking
| link from HN or Reddit or Twitter only to be greeted by a 403
| or a connection timeout. Then you turn your VPN on, and
| _magically_, it loads just fine.
| mistrial9 wrote:
| people here are not thinking in whole systems-- roads have
| dual purpose.. there is security AND there is trade .. a
| world without trade is a poor world.. that includes the
| intellectual arts, civilian institutions cooperating,
| common issues like Climate.
|
| The voices here that say "I block everyone, don't bother me
| with your whining" .. it is a security practice.. OK.
| security is not the whole story of civilizations; obstinate
| thinking leads to ignorance, not evolution.
|
| The topic is SSH, an administrative and secured access. Yes
| security applies. to be on-topic
| grishka wrote:
| Of course one can obfuscate and secure their own SSH
| access as much or as little as they want. Run sshd on a
| different port, require port knocking, ban IPs after
| failed login attempts, all that kind of stuff.
|
| I'm, however, specifically talking about public-facing
| services like HTTP(S), which also get blocked with this
| "I'll just indiscriminately blacklist IPs belonging to
| countries I don't like" approach.
| phsau wrote:
| Malicious traffic is not limited to ssh and comes from
| the same usual suspects. Automated attacks against web
| applications is constant. I wouldn't say it's
| indiscriminate, it's practical.
| __turbobrew__ wrote:
| For many services, the expected value of letting people
| from Russia access their service is negative. The reality
| is that Russia contributes a large portion of hacking
| attempts while providing very little to no revenue for the
| service. At the end of the day it is just business, and
| sometimes letting countries access your service is bad for
| the bottom line.
| NicoJuicy wrote:
| Had a reddit clone. The amount of Russian spam coming in
| was nuts.
|
| Blocking the ru language blocked all spam. And since it
| didn't have Russian users, it was an easy choice to make.
| snapplebobapple wrote:
| Your annoyance is a feature, not a bug. You are supposed to
| get annoyed enough as a group to lobby your government to
| fight the internal problem
| nullifidian wrote:
| Ah, yes, the remaining English speakers in Russia will
| overthrow the literal millions of the silovik class whose
| entire job is to repress (with violence) any independent
| political activity. There is no "lobbying" in Russia, if
| you didn't know.
|
| If you hate all Russians just say you hate all Russians.
| No need for this "lobby your government" euphemistic BS.
| sqeaky wrote:
| We in the west can't change your government to ban
| hacking requests.
|
| We can block whole countries and make a practical
| reduction in hacks. Sorry that you got caught in the
| middle and feel you have no options.
|
| Maybe someone who does have options and makes their money
| from non-hacking will be inconvenienced and ask for
| change instead.
| wredcoll wrote:
| So political change in russia is literally impossible and
| everything will be exactly the same 50 years from now?
|
| Obviously not. Is such change easy? Again, obviously not,
| but the only way countries change is their own citizens
| wanting to make the change.
| grishka wrote:
| Oh we do want to make this change. Desperately. The only
| _minor_ issue with that is that we lack any means to do
| so. I'll be sure to do my part as soon as the window of
| opportunity opens.
| firesteelrain wrote:
| Sure hope your govt is not monitoring your posts
| nullifidian wrote:
| >So political change in russia is literally impossible
|
| Precisely. It's basically impossible. There has to be at
| least be a generational change, or a severe economic /
| military loss if we are talking about this decade, but
| even that isn't a guarantee since the system is
| perpetuating itself with force, with economic self-
| interest to continue doing so. Isolating Russian citizens
| from western sources of information (in addition to what
| the Russian government is already doing by itself) is not
| only not helping, it's counterproductive, since rejection
| engenders a rejection in return, lowering the probability
| that an inflection point in the Russian history would
| result in anything western.
|
| >countries change
|
| Authoritarian countries change when their enforcement
| class relaxes and loses control. It takes decades for it
| to occur. If there is no relaxation, then no change
| occurs, as demonstrated by numerous countries, not only
| Russia. Right now the control and propaganda are very
| tight. "Wanting to make change" publicly is literally a
| life-threatening activity.
| grishka wrote:
| You're very naive to assume that this government takes
| any feedback.
|
| I'll just leave this thread here: https://twitter.com/Iri
| neKuklina/status/1578339408801304580
| snapplebobapple wrote:
| you are naive to think whether your government takes
| feedback is relevant or not (or that I was specifically
| talking about Russia, That is just one of many countries
| with shitty internet crime prevention that are routinely
| blocked and each of those shite countries have varying
| levels of shite leadership with varying levels of
| responsiveness).
| type0 wrote:
| oh but it does, you can submit it directly to
| Roskomnadzor so it can cooperate with said hackers and
| then GRU might even hire them directly /s
| tomxor wrote:
| > and block those IP addresses from the service ports since the
| traffic source isn't to be trusted
|
| Don't get me wrong, I want to do the same, I run a lot of
| servers and see all the automated nonsense aimed at public
| servers. However, you should consider the fact that today
| blocking an IP is akin to blocking a street, a village or
| sometimes even a town. For ~better or~ worse we now live in the
| age of CGNAT.
|
| If your threat model and use case means you only care about a
| known subset of users with static IPs who are lucky enough to
| not share IPs then fair enough; but if you are running services
| intended for wide spread consumption you are likely blocking
| legitimate users without even knowing it.
| Bengalilol wrote:
| I was about to say out loud that it was a (kind of) relief not
| finding Google in your lists, then I found
| https://github.com/UninvitedActivity/UninvitedActivity/blob/...
| BLKNSLVR wrote:
| I need to check my exact configuration, but whilst I've got
| 1e100 in a list, I think I've got an exception for it
| elsewhere.
|
| Ie. Whilst it's been detected as uninvited activity, it
| causes issues when blocked, so it's excluded from the
| blocking.
| mtekman wrote:
| I have a utility that parses ssh failed attempts and creates
| iptables blocklists:
|
| https://gitlab.com/mtekman/iptables-autobanner
|
| For those just wanting the blocklist, here is a table of
| malicious IP addresses, with columns of: address, number of ports
| tried, number of usernames tried.
|
| https://upaste.de/bgC
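An added example along the lines of the utility described above (my own Python illustration, not mtekman's iptables-autobanner and not from the article): parse OpenSSH `Failed password` lines from a constructed auth.log excerpt, tally attempts, distinct usernames and distinct source ports per address, apply an allowlist so your own networks are never banned because of a mistyped passphrase, and emit the nftables commands that would add the offenders to a set. The set name `inet filter ssh_ban`, the threshold and the log lines are assumptions; the commands are returned as strings and not executed, so the script runs without root.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# OpenSSH failed-auth line; the "invalid user" prefix marks usernames that do not exist.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none|keyboard-interactive/pam) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"port (?P<port>\d+)"
)


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    invalid_users: int = 0     # attempts against accounts that do not exist


def summarize(lines):
    """Per-source-IP counters from sshd log lines; non-matching lines are ignored."""
    stats = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        s = stats.setdefault(m["ip"], SourceStats())
        s.attempts += 1
        s.users.add(m["user"])
        s.ports.add(int(m["port"]))
        if m["invalid"]:
            s.invalid_users += 1
    return stats


def offenders(stats, min_attempts=5, allow=()):
    """Addresses at or above the threshold, most active first, minus allowlisted nets."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    result = []
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue   # never ban yourself because of a mistyped passphrase
        result.append(ip)
    return sorted(result, key=lambda ip: (-stats[ip].attempts, ip))


def nft_commands(ips, set_ref="inet filter ssh_ban"):
    """Commands that would add each address to an nftables set (assumed name); not executed here."""
    return [f"nft add element {set_ref} {{ {ip} }}" for ip in ips]


def table(stats):
    """Rows of (address, attempts, distinct ports, distinct usernames), like the table linked above."""
    return [(ip, s.attempts, len(s.ports), len(s.users))
            for ip, s in sorted(stats.items(), key=lambda kv: -kv[1].attempts)]


# Constructed log excerpt using documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
Jun 16 04:52:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 16 04:52:02 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 16 04:52:03 vps sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 16 04:52:04 vps sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51247 ssh2
Jun 16 04:52:05 vps sshd[1204]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jun 16 04:52:06 vps sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:abc
Jun 16 04:52:07 vps sshd[1206]: Disconnected from authenticating user root 203.0.113.5 port 51241 [preauth]
Jun 16 04:52:08 vps sshd[1207]: Failed password for bob from 192.0.2.10 port 55010 ssh2
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for row in table(stats):
        print("%-16s attempts=%d ports=%d users=%d" % row)
    for cmd in nft_commands(offenders(stats, min_attempts=3, allow=["192.0.2.0/24"])):
        print(cmd)
```

Only `Failed ...` lines are counted; the separate `Invalid user` and `Disconnected from authenticating user` lines sshd also writes describe the same attempts and would double-count them.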
| securethrowaway wrote:
| I simply run fail2ban with a whole bunch of custom filters
| that will ban people very quickly. There's no need to request
| php or malformed urls when php is not used for example.
| mtekman wrote:
| I used to run fail2ban, but I found it (or at least its
| defaults) ineffective at discouraging further requests.
| With iptables, you can specify the connection to hang for a
| period and then drop
| justsomehnguy wrote:
| Defaults are set to reject. Just configure the jails or a
| global config.
| eps wrote:
| upaste link is 404
| miah_ wrote:
| A iptables hashlimit rule can do the same. Your firewall rules
| get to be more readable and you don't end up relying on the
| security of a log parser.
|
| The biggest win comes from just disabling password
| authentication in sshd though.
| sambazi wrote:
| a lot of ppl thought this would be a good idea at some point
| Phelinofist wrote:
| I run endlessh, I always giggle when I see some connection that
| last for 2d
| Tiberium wrote:
| Interesting article, sadly due to my exposure to LLMs I couldn't
| help but notice that the parts about "oinasf" and sakura.sh are
| AI-edited at least. Kind of a weird choice considering that a lot
| of the article was clearly human-written.
| laktak wrote:
| What does `echo -e "\x6F\x6B"` do?
| ggambetta wrote:
| If you say it 3 times in front of a mirror, it summons Stallman
| moffkalast wrote:
| With or without the swords?
| withinboredom wrote:
| Only one way to find out!
| pompompurin wrote:
| Haha
| ynoxinul wrote:
| This look like a simple test to see if remote command execution
| works.
| Mxrtxn wrote:
| Prints out `ok`
| zh3 wrote:
| It prints "ok" and shows they got in (it relies just on a
| shell, nothing else).
| lucianbr wrote:
| Why not do 'echo "ok"'?
| kynetic wrote:
| As shown by someone having to ask what it does, it obscures
| what it does.
| lucianbr wrote:
| Doesn't seem terribly useful. I mean it only obscures
| that it prints "ok". If you're looking at the logs, you
| probably already figured out someone is attacking you,
| and if you didn't, seeing "echo ok" will not help you
| figure it out.
|
| If the only thing the command does is "obscure what it
| does", then the only thing it obscures is "obscure what
| it does". I guess there's no requirement that whoever
| writes these scripts is a genius.
| Retr0id wrote:
| People writing malware generally _don't_ want to deploy
| it on honeypots, because then they're handing their
| payload (and other tradecraft) directly to analysts.
|
| So often the first stage is an attempt at honeypot
| detection, or more broadly, device fingerprinting.
|
| A _bad_ honeypot might not even run a real /bin/sh, and
| this detects that right off the bat.
| spc476 wrote:
| It echos "ok".
| raverbashing wrote:
| Maybe I should create a honeypot where cat, echo, sed, and
| curl/wget all drop random bytes in all commands they execute
|
| Would be fun
| thesnide wrote:
| Better would be to just subtly change the output...
|
| Like do a +1 on the byte every 7 bytes. Bonus to do it only
| on every 7 printable chars.
|
| And you can even do A/B testing on the constant 7.
| gpvos wrote:
| Tests whether `echo` supports the `-e` option.
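What that probe looks like from both sides, as an added Python example (not from the article and not posted by any commenter). `bash_echo_e` reproduces how bash's builtin `echo -e` expands `\xHH`, `\0NNN` and the common single-letter escapes, so an analyst can decode longer hex-obfuscated commands seen in honeypot logs; `classify_probe_reply` labels the reply the way an attacker's first stage would: `ok` means a shell whose echo honours `-e`, `-e \x6F\x6B` is what dash (Debian's `/bin/sh`) prints because its echo has no `-e` flag and no `\x` escapes, and no output at all suggests the command was never run by a real shell. The dash behaviour is stated from my knowledge of its echo builtin, not verified here; check it against the shell version you actually face.

```python
import re

SIMPLE = {"n": b"\n", "t": b"\t", "r": b"\r", "a": b"\a", "e": b"\x1b", "\\": b"\\"}


def bash_echo_e(arg):
    """Bytes that bash's builtin `echo -e ARG` writes (minus the trailing newline).

    Handles \\xHH (1-2 hex digits), \\0NNN (0-3 octal digits) and the common
    single-letter escapes; an unknown escape keeps its backslash, as bash does.
    """
    out = bytearray()
    i = 0
    while i < len(arg):
        if arg[i] != "\\" or i + 1 == len(arg):
            out += arg[i].encode("utf-8")
            i += 1
            continue
        nxt = arg[i + 1]
        if nxt == "x":
            m = re.match(r"[0-9A-Fa-f]{1,2}", arg[i + 2:])
            if m:
                out.append(int(m.group(), 16))
                i += 2 + m.end()
                continue
        elif nxt == "0":
            m = re.match(r"[0-7]{0,3}", arg[i + 2:])
            out.append(int(m.group() or "0", 8) & 0xFF)
            i += 2 + m.end()
            continue
        elif nxt in SIMPLE:
            out += SIMPLE[nxt]
            i += 2
            continue
        out += b"\\"          # not an escape bash knows: emit the backslash literally
        i += 1
    return bytes(out)


def classify_probe_reply(reply):
    """Label a honeypot's answer to `echo -e "\\x6F\\x6B"` the way an attacker's stager would."""
    reply = reply.strip()
    if reply == b"ok":
        return "interpreted"      # bash-style echo ran the command: looks like a real box
    if reply == b"-e \\x6F\\x6B":
        return "posix-sh"         # dash-style echo: no -e flag and no \x escapes, but a real shell
    if reply == b"":
        return "no-shell"         # nothing came back: command was probably never executed
    return "unknown"


def decode_hex_command(cmd):
    """Recover the cleartext of an `echo -e "..."` stage whose whole payload is hex-escaped."""
    m = re.match(r'echo -e "((?:\\x[0-9A-Fa-f]{2})+)"', cmd.strip())
    if not m:
        raise ValueError("not a hex-only echo -e command")
    return bash_echo_e(m.group(1)).decode("utf-8", errors="replace")


if __name__ == "__main__":
    probe = r"\x6F\x6B"
    print(bash_echo_e(probe))                         # b'ok'
    print(classify_probe_reply(bash_echo_e(probe)))   # interpreted
    print(classify_probe_reply(b"-e \\x6F\\x6B"))     # posix-sh
    # Constructed hex-encoded stage, decoded for the analyst:
    print(decode_hex_command(r'echo -e "\x63\x75\x72\x6C\x20\x2D\x73\x20\x68\x74\x74\x70"'))
```

If you run a honeypot, the practical consequence is the one Retr0id gives: the shell emulation has to get `echo -e` right, or the stager stops before it hands you anything worth analysing.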
| noduerme wrote:
| Good grief. A couple days ago I re-enabled password logins on a
| server that normally only accepts private keys, just to check
| something from a third location, and then forgot to turn it off.
| Two days later the server's logs were full of thousands of failed
| login attempts that started a few hours after I enabled passwords
| and then ramped up to dozens per minute.
|
| Just because it didn't instantly say "Goodbye".
|
| I checked ip locations on the biggest offending addresses; all
| were in China.
|
| I don't know what to call the idiocy and amorality that leads
| people to scan port 22 for a living (or the stupidity that leads
| them to guess random passwords for random usernames that don't
| exist), but I suppose that for every gardener there are a billion
| ants.
| p_l wrote:
| There's a cottage industry of shitty mass-scanning attacks that
| continue onto getting root on badly setup fresh installs of
| various linux distros and drop a rootkit on them.
|
| Some other common targets are websites to be reused for spam
| (hello, Wordpress!) or to hijack things like gitlab (again to
| drop a rootkit).
|
| The rootkits are then usually used either for DDoS extortion
| rackets (usually against game servers, including online
| gambling), spam (might be less big today than it used to be),
| and cryptocurrency mining (from my experience mainly monero).
|
| One time it happened in a network I set up due to
| miscommunication and misunderstanding of how vendor's install
| scripts worked (by vendor technicians!). During investigation,
| we found out that this particular "kit" was sold cheaply on a
| chinese forum (used to be russian forums back in the day, eh),
| as complete package to run on Windows to attack linux hosts for
| DDoS botnet purposes.
| beastman82 wrote:
| The name for it is "authoritarian government"
| mmcnl wrote:
| I have SSH access to my server behind a VPN. Not opening port
| 22 makes life a lot easier.
| jimbobthrowawy wrote:
| I always install fail2ban or something like it on servers I
| want to have SSH on. Really cuts down on the log volume, even
| if I have locked myself out occasionally. The thing about port
| scanning is that it's cheap as hell. There's less than 4
| billion IP4 addresses and zmap can hit them all within an hour
| on a decent network connection.
| frankohn wrote:
| Some time ago I set up a server for a website and I was appalled,
| like many others, by the number of SSH connection attempts. I
| decided to open SSH only in a randomly chosen port number above
| 1024 and now I have essentially zero probing attempts. It is
| trivial but for me it is a satisfying configuration.
| usr1106 wrote:
| This was true in 2018. In recent years I get 100s, sometimes
| 1000s of login attempts a day on high addresses.
|
| My servers are on AWS addresses. If someone searches for
| servers (as opposed to routers, phones etc.) AWS might be a
| preferred address range. No experience whether scan rates
| depend on the address used.
| eps wrote:
| It appears to be two-stage process.
|
| There are open port scanners that just check what ports are
| open on which IPs, and there are separate ssh login brute-
| forcers. Once your machine gets picked up by the former, the
| latter will pile up.
|
| I have two servers on adjacent IPs, both with ssh listening
| on a high port. One gets hammered with login attempts and the
| other does not.
| frankohn wrote:
| Interesting to know. For the moment, several months, I
| still have no login attempts, so that means my server
| didn't get picked up by any port scanner.
| gradschool wrote:
| This might not matter for your setup, but I would have
| thought it's bad in general to have sshd listening on a
| high port because then any non-root user who finds a way to
| crash it can replace it with his own malicious ssh server
| on the same port.
| 20after4 wrote:
| That's a good point, though you could use some firewall
| rules to rewrite the port number so that the local daemon
| is listening on the normal port but accessible via an
| alternate high numbered port.
| usr1106 wrote:
| You mean non-root local user? We don't have non-trusted
| users on the system.
|
| Well, unless the http server or our dns resolver has a
| remote code execution vulnerability.
|
| So directly I don't see the risk you describe. Of course
| considering maximum defense in depth you might have a
| point.
| usr1106 wrote:
| Maybe that's the case. The machines where I am seeing a lot
| of ssh login attempts on high ports have been on the same
| IPv4 address for years. Some since 2018.
| nonamesleft wrote:
| A lot of these seem to use zmap
| (https://github.com/zmap/zmap) or masscan
| (https://github.com/robertdavidgraham/masscan) for the
| initial scan.
|
| Often with default parameters such as zmap setting ip id to
| 54321, having tcp initial window at 65535, having no SACK
| bit set and masscan with no SACK bit either, tcp initial
| window at 1024, tcp maximum segment size 1460 (which is
| strange to put below initial window size!), (older versions
| having fixed src port 61000 or 60000 from documentation
| examples and no MSS set), all of which are extremely
| uncommon in legitimate traffic and thus easily identified.
|
| Even those so called "legitimate" scanners (emphasis on the
| "") seem to use these tools with little or no extra
| configuration.
|
| With this setup the last time my high-port ssh (key-only)
| has got an attempt on it was 2023-07-26 (previous intruders
| get permanently firewalled).
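The SYN-level fingerprints listed above, turned into an added Python example (my own code, not from the comment and not from zmap or masscan): a minimal IPv4/TCP SYN parser that pulls out IP ID, TTL, window, MSS and whether SACK-permitted was offered, and a classifier that applies exactly the heuristics nonamesleft describes. `build_syn` constructs the test packets inline so everything runs offline; checksums are left at zero and not validated, and the `zmap-default` / `masscan-default` labels only mean "matches those defaults", since anyone can change them. The default values themselves are the commenter's observations, which I have not re-verified against the current tool sources.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"       # sport, dport, seq, ack, doff/reserved, flags, window, csum, urgptr


@dataclass
class SynFingerprint:
    src: str
    sport: int
    ip_id: int
    ttl: int
    window: int
    mss: Optional[int]
    sack_permitted: bool


def parse_syn(pkt):
    """Extract the fields the heuristics need from a raw IPv4+TCP SYN (checksums not verified)."""
    vihl, _tos, _tlen, ip_id, _frag, ttl, proto, _csum, src, _dst = struct.unpack(IPV4_HDR, pkt[:20])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(vihl & 0x0F) * 4:]
    sport, _dport, _seq, _ack, doff_res, flags, window, _tcsum, _urg = struct.unpack(TCP_HDR, tcp[:20])
    if flags & 0x12 != 0x02:              # SYN set and ACK clear: an initial connection attempt
        raise ValueError("not a bare SYN")
    opts = tcp[20:(doff_res >> 4) * 4]
    mss, sack = None, False
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # truncated or malformed option: stop rather than loop
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = int.from_bytes(opts[i + 2:i + 4], "big")
        elif kind == 4:
            sack = True
        i += length
    return SynFingerprint(socket.inet_ntoa(src), sport, ip_id, ttl, window, mss, sack)


def classify_syn(f):
    """Match the default zmap / masscan SYN shapes described in the comment above."""
    if f.ip_id == 54321 and f.window == 65535 and not f.sack_permitted:
        return "zmap-default"
    if f.window == 1024 and not f.sack_permitted:
        if f.mss == 1460:
            return "masscan-default"
        if f.mss is None and f.sport in (60000, 61000):
            return "masscan-old-default"   # older builds: fixed source port, no MSS option
    return "other"


def build_syn(src, dst, sport, dport, ip_id, window, mss=None, sack=False, ttl=64):
    """Constructed SYN for testing; checksums are left at zero."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)
    if sack:
        opts += bytes([4, 2])
    opts += b"\x00" * (-len(opts) % 4)     # pad with end-of-list bytes to a 32-bit boundary
    doff = 5 + len(opts) // 4
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, doff << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    samples = {
        "zmap-like":   build_syn("203.0.113.9", "192.0.2.1", 40000, 22, ip_id=54321, window=65535),
        "masscan-like": build_syn("198.51.100.4", "192.0.2.1", 43210, 22, ip_id=7, window=1024, mss=1460),
        "host-like":   build_syn("192.0.2.50", "192.0.2.1", 51515, 22, ip_id=777, window=64240,
                                 mss=1460, sack=True),
    }
    for name, pkt in samples.items():
        f = parse_syn(pkt)
        print(f"{name:13s} ttl={f.ttl} win={f.window} mss={f.mss} sack={f.sack_permitted} -> {classify_syn(f)}")
```

To use it on live traffic, feed it the raw bytes of incoming SYNs to your SSH port (for instance from a packet capture) and drop or tarpit sources whose first packet matches; a real client stack almost always offers SACK and a window scale, which is why these defaults stand out.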
| gsich wrote:
| addresses == ports in your view?
| usr1106 wrote:
| Yeah, sorry about the mistake. Too late to edit the comment
| :(
| pingec wrote:
| A bit tangential but is there a service or self hosted solution
| that would take a list of IPs and then keep scanning them
| periodically and alert me if any new ports have suddenly open?
| cranberryturkey wrote:
| hmmm....you could do that with nmap script and a cronjob.
| cranberryturkey wrote:
| I just scanned my domain for all 65k ports and it took 20
| seconds with a 10gbit pipe. I could scan yours for you and
| shoot you an email if a new port is discovered. Would charge
| you like $100/year or something.
| bluish29 wrote:
| I think shodan could be useful in this regard
|
| https://www.shodan.io/
| lithiumii wrote:
| My new VPS got an SSH attempt in 5 minutes after I purchased it.
| I'm now in the process of running a similar honeypot experiment.
| cess11 wrote:
| If you push it you can scan the entirety of IPv4 in about five
| minutes.
| eps wrote:
| > 8181 root
|
| In 30 days? That's a tad unrealistic.
|
| Just checked and there are dozens of root login attempts _per
| minute_ on my colo'ed server in the EU. Virtually all from the
| Chinese and post-Soviet IP space. But mostly Chinese.
| nubinetwork wrote:
| I see ~1000 unique IP addresses hitting SSH every day.
| ciebie wrote:
| What is a `lockr` command? Is it file system specific or
| something? Never seen anything like this. It probably should lock
| permissions on .ssh, but how?
| jsiepkes wrote:
| If you have only public key authentication enabled with SSH I
| honestly don't understand why people bother with things like
| fail2ban. It just adds more moving parts with very little
| security gain.
|
| The real risk is a zero-day in OpenSSH and fail2ban probably
| isn't going to protect you from that. In that case you are better
| served by putting another layer of defense in front of SSH like a
| VPN.
| jcynix wrote:
| Fully agree. Limiting the networks which can access your server
| will help, e.g. limit access to just your local provider or
| your workplace and you'll see no attempts from Brazil, China,
| ... unless you are located there, of course ;-)
| ajsnigrutin wrote:
| It's all fun and games, until you travel outside of your
| country, and try to access stuff at home.
| jcynix wrote:
| That's manageable with a bit of preparation: when I'm
| travelling, I allow access from other networks, e.g. those
| from phone providers. Or add a web form where I activate
| the IP address with a cryptographically signed "token"
| which the server can verify and then add the IP address to
| the set of allowed ones.
|
| Used one or the other every now and then in the last 10+
| years and still have my attackable footprint small the rest
| of the time.
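The "signed token that the server verifies and then adds the IP to the allowed set" approach can be small. What follows is an added example, not jcynix's own script: the client signs the pair (IP, expiry) with a shared secret using HMAC-SHA256 and submits the token through the web form; the server checks the signature and expiry, checks that the token names the address the request actually came from, and only then adds it to the allow set that the firewall rules consult. The secret, addresses and the nftables set name in the comment are constructed placeholders.

```python
"""Self-service IP activation with a signed, expiring token.

Added example for the "signed token opens access for my current IP" idea in
the comment above; it is not jcynix's code. The client signs (ip, expiry)
with a shared secret (HMAC-SHA256) and submits the token through the web
form; the server verifies it, checks that it names the requesting address,
and only then adds that address to the allow set the firewall consults.
The secret and addresses below are constructed placeholders.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional, Set

SECRET = b"replace-with-a-long-random-secret"  # placeholder, not a real key


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def make_token(ip: str, secret: bytes, ttl: int = 300, now: Optional[float] = None) -> str:
    """Client side: produce 'ip|expiry|hexmac', valid for ttl seconds."""
    expiry = int(_now(now)) + ttl
    mac = hmac.new(secret, f"{ip}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{ip}|{expiry}|{mac}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Server side: return the IP if the MAC is valid and unexpired, else None."""
    try:
        ip, expiry_s, mac = token.split("|")
        expiry = int(expiry_s)
        ipaddress.ip_address(ip)   # reject garbage before it reaches a firewall rule
    except ValueError:
        return None
    expected = hmac.new(secret, f"{ip}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    if _now(now) > expiry:
        return None
    return ip


class AllowList:
    """Addresses the firewall should currently accept for sshd."""

    def __init__(self) -> None:
        self.allowed: Set[str] = set()

    def activate(self, token: str, request_ip: str, secret: bytes,
                 now: Optional[float] = None) -> bool:
        """Add request_ip if the token is valid and was issued for that address."""
        ip = verify_token(token, secret, now)
        if ip is None or ip != request_ip:
            return False
        self.allowed.add(ip)
        # Here a real deployment would push the address into the firewall, e.g.
        # `nft add element inet filter ssh_allow { <ip> }` (assumes an nftables set).
        return True


if __name__ == "__main__":
    token = make_token("203.0.113.5", SECRET)
    acl = AllowList()
    print(acl.activate(token, "203.0.113.5", SECRET), sorted(acl.allowed))
```

Binding the token to the address and to a short expiry is what keeps the web form from becoming a second, weaker front door: a captured token is useless from another network and useless after a few minutes, and comparing the MAC with `hmac.compare_digest` avoids leaking it byte by byte through timing. Entries should also age out of the allow set on the firewall side, so the exposed window closes again after the trip.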
| mekster wrote:
| Repetitive log is something you appreciate by reducing and you
| don't have to give it unnecessary CPU cycles too.
| BrandoElFollito wrote:
| fail2ban is the kind of pseudo-security applied just because
| someone's cousin mentioned that in his blog.
|
| It provides zero security. If your endpoint uses default
| usernames you will be shot anyway because of IP spread. If your
| security is good you add something that will block your
| legitimate connection when you are in the middle of nowhere
| and, shit, cannot access your <some service>.
| d-z-m wrote:
| "security" is a term that has to be defined in relation to a
| threat model. If your threat model is an attacker with a
| static IP hammering your server, fail2ban does provide some
| security against that sort of attacker.
| BrandoElFollito wrote:
| No it does not. If the packet is at your door it is too
| late already. Then either it does not matter in which case
| you do nothing, or it matters (DoS) and then you have other
| problems.
|
| You are right that security works in the context of a
| threat model. There are however useless tools that give a
| false sense of "security" that do not fit in any reasonable
| model.
|
| I have cases where I block whole ranges of IPs for "legal"
| reasons - it does not make sense but there you are, the
| ones who write the rules are not the ones who actually know
| the stuff.
| SahAssar wrote:
| If your server is on the internet with a public ssh server
| then it is probably providing some sort of internet
| service. That internet service is almost always easier to
| DoS than your openSSH server. If you are not providing a
| internet service then why is your SSH open to the internet?
| kloop wrote:
| > If you are not providing a internet service then why is
| your SSH open to the internet?
|
| So that I can ssh into it from various places and do
| stuff on my home server from elsewhere
| SahAssar wrote:
| So you are accessing that server's services from some
| network, why are you not only allowing SSH over that
| network?
|
| Or, if your service is open to the internet then why does
| not what I said above hold true?
| kloop wrote:
| I guess I am technically, but only for myself
| SahAssar wrote:
| What is the networking difference between a service for
| yourself that you want to access from "various places"
| and a public service with auth checks for your key?
| jszymborski wrote:
| Maybe the service is provided over SSH via e.g. port-
| forwarding (or is simply "SSH access to a server").
| SahAssar wrote:
| Sure, but are L7 attacks easier than L4 against those
| servers? Adding more layers/software has a cost in
| configuration, maintenance, attack-surface, etc.
| zbentley wrote:
| You're not wrong, but I'd say fail2ban still has value for
| junior operators seeking to _reduce load and increase
| stability_. If you don't know how to harden SSH, fail2ban
| offers a much friendlier way to reduce the volume of logspam,
| CPU burn, and network traffic. It's just a pity that it's
| understood/documented/pitched as something that substantially
| increases security.
| BrandoElFollito wrote:
| > If you don't know how to harden SSH
|
| then you do not open it to Internet. Otherwise you patch
| aggressively, you use ssh keys and not passwords and you
| move it to some random port to hide it a bit (it actually
| helps)
|
| > logspam
|
| you can filter this out in your log management tool
|
| > CPU burn
|
| if this is your concern, then you have a heap of issues you
| need to address. I have never seen a CPU perf hit because
| of such behaviour (there are cases where it happens,
| but this is due to a vulnerability of the service)
|
| > network traffic
|
| the packet is here already, there is nothing to reduce
| Karunamon wrote:
| Moving ssh off of port 22 makes it a pain in the ass to
| work with. Ports are standardized for a reason.
|
| Authentication attempts are a useful security signal; I
| don't want to filter them out. I want hosts running
| dictionary attacks to not be able to connect to my
| services in the first place. If you are running an SSH
| bot, then I don't want you on my website or anything
| else.
| BrandoElFollito wrote:
| > Moving ssh off of port 22 makes it a pain in the ass to
| work with. Ports are standardized for a reason.
|
| yes, they were standardized in the ol' good times :) If
| you have a limited amount of people/services connecting
| then it is manageable. But of course YMMV.
|
| > Authentication attempts are a useful security signal; I
| don't want to filter them out. I want hosts running
| dictionary attacks to not be able to connect to my
| services in the first place. If you are running an SSH
| bot, then I don't want you on my website or anything
| else.
|
| enumeration and brute force on SSH fail by design when
| using keys.
|
| As for other services I do not see how this helps - you
| will block random IPs hoping that a vulnerable site is
| not taken over if they happen to get back. It is not
| common (at least in my monitoring of several honeypots in
| various locations) to have the same IP being particularly
| visible. Sure they are back sometimes but this is quite
| exceptional. Anyway - it is not worth the hassle, better
| have proper hardening.
| throwitaway1123 wrote:
| > yes, they were standardized in the ol' good times :) If
| you have a limited amount of people/services connecting
| then it is manageable. But of course YMMV.
|
| Agreed. I've never found it difficult to manage this. I
| already tend to configure SSH hosts in my ~/.ssh/config
| file anyway so that I don't have to remember every IP and
| port combination for every host I have access to when I
| want to use SSH (or something that relies on the SSH
| protocol like rsync or scp).
| mmsc wrote:
| People don't believe it's possible for software to be secure,
| and need a secondary defense to "protect them".
| catalypso wrote:
| > People don't believe it's possible for software to be
| secure
|
| Rightfully so. You'd statistically be almost always right
| considering a software unsecure given enough time (for the
| vulnerabilities to be introduced then found).
|
| > need a secondary defense to "protect them"
|
| Nothing wrong with that. It's called Defense in Depth and
| is rather advised. Once you understand that security
| measures are not bulletproof, stacking them proves to be an
| easy way to increase protection.
|
| The case of fail2ban is not trivial: reducing log noise is
| a great perk, and can indirectly help with monitoring
| (you'd more easily notice suspicious behaviour if it's the
| only thing on your logs), but it comes at the small cost of
| setting it up, and accepting the risk of having a shared IP
| unwillingly blocked.
| marcosdumay wrote:
| Except that it explicitly doesn't protect against security
| bugs.
| eikenberry wrote:
| I always read the main use case had nothing to do with
| security, but was to reduce log spam.
| ars wrote:
| fail2ban increases your server performance. It cuts down on
| enormous amounts of logging from failed attempts, and reduces
| the CPU used to deal with the failures.
|
| Some sites get a mind boggling amount of attempts. For
| example I sysadmin some Jewish sites, and they get
| exponentially more hacking attempts than the sites not mainly
| used by Jews. (This was before the current war mind you, I'm
| sure it's worse now.)
| Too wrote:
| How do you protect your vpn?
| d-z-m wrote:
| use a vpn that does not advertise its presence, like
| wireguard.
| pompompurin wrote:
| How did he expose his honeypots and make the bots aware of his
| existence?
| themoonisachees wrote:
| If your server has something that listens on port 22, you just
| have to wait for like 5 minutes
| nilsherzig wrote:
| Check out https://viz.greynoise.io/ especially the trends >
| anomalies tab is very interesting
| jslakro wrote:
| How do you use that information?
| jcynix wrote:
| I've been running self-hosted servers for the last 25+ years
| without an incident and it's less complicated than it might seem
| if you learn a bit about securing unix-based systems (ok, I
| already had 10+ years of server admin knowhow for various
| systems, but anyway, it's not rocket science ;-). Yes, an hour or
| so after you connect any machine to the Internet, you'll see
| attempts to "talk" to your server. So don't wait to set up basic
| security. But it actually has never been so easy to "just give it
| a try" (see below), with all the virtual offerings today. So
| here's a short/raw sketch of basic things you'd need to do:
|
| 1. 25+ years ago I used http://easyfwgen.morizot.net/ to generate
| an iptables based local firewall. Still works fine (then and now
| tweaking some things) and allows only certain ports to be
| accessed at all. I just open email, ssh and a web server.
|
| The generator is well documented and still works, although it
| would be nice to see an updated version to newer firewall
| software like pf.
|
| 2. server configs:
|
| edit /etc/hosts.deny --> restrict all by default
|   ALL: ALL
|
| edit /etc/hosts.allow --> allow your service provider's networks,
| e.g.
|   sshd: .t-dialin.net
|   sshd: .dip0.t-ipconnect.de
|
| So you can connect to your machine for further setup, but not the
| whole world.
|
| 3. set up sshd:
|
| edit /etc/ssh/sshd_config
|   # allow key-based access only
|   PasswordAuthentication no
|
| Maybe change sshd's port (reduces log file entries) but don't
| forget to allow this port in your iptables setup and your
| /etc/hosts.allow
|
| People have opinions on key-based access, I know. But my private
| and public key is stored in various secure locations, including
| my phone (password safe) and I can access my server even from my
| Android phone or tablets via Termux.
|
| 4. set up email (I suggest postfix as an MTA):
|
| configure restrictions in /etc/postfix/main.cf, e.g.
|   # restrictions in the context of the RCPT TO command
|   smtpd_recipient_restrictions =
|     reject_invalid_hostname, reject_non_fqdn_hostname,
|     reject_non_fqdn_sender, reject_non_fqdn_recipient,
|     check_sender_access hash:/etc/postfix/sender_access,
|     reject_unknown_sender_domain,
|     reject_unknown_recipient_domain, permit_mynetworks,
|     reject_unauth_destination, [...]
|   # restrictions for clients connecting
|   smtpd_client_restrictions =
|     reject_unauth_destination, check_client_access
|     hash:/etc/postfix/access_client,
|     reject_unknown_client, reject_unauth_pipelining
|
| This heavily reduces the amount of spam you'll see. I add
| greylisting too, as this even nowadays reduces even more unwanted
| traffic. Combine that with spamassassin if you like. This setup
| gives me maybe one spam per day reaching my inbox (actually the
| spam subfolder).
|
| 5. Learn by doing (not just reading stuff on the Internets ;-),
| that is, set up a machine, e.g.
|
| If you'd like to experiment a bit, take a look at Hetzner's
| inexpensive cloud servers, these are easy to set up (incl. a
| virtual firewall in front of it) and take down after some
| experiments or a failure. You can do this in Hetzner's web
| interface, even if you misconfigure your server to be
| inaccessible. Cf.
|
| https://docs.hetzner.com/cloud/servers/overview/
|
| Tip: Hetzner's web interface allows you to pre-define an ssh key
| which they'll install automatically on your new machine (but they
| leave password login enabled, so change that asap).
|
| Disclaimer: I'm just a happy customer, no other relation. And it
| might be as easy to do this with Digital Ocean, which have some
| nice tutorials too, for example on the set up of a web server:
|
| https://www.digitalocean.com/community/tutorials/how-to-inst...
|
| Last but not least No Starch Press offers some nice books like
| "How Linux Works" or "The Linux Command Line" (if you're not sure
| about that) or even "Linux Firewalls: Attack Detection and
| Response" ...
|
| You learn most by trying.
|
| I'm now heading for the beach to enjoy some offline adventures
| and will answer questions later if needed.
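Step 3 of the sketch above (key-only sshd) is the one people most often get subtly wrong, because sshd keeps the first value it sees for a directive and `Match` blocks override settings conditionally. The following is an added example, not part of the comment: a small auditor that parses an sshd_config with those two rules in mind and reports any directive that is not at its hardened value, run against a weak and a hardened sample. The defaults it assumes for absent directives are those of current OpenSSH (assumption: 9.x); both config texts are constructed.

```python
"""Audit an sshd_config for the settings the setup sketch above relies on.

Added example; not from the comment. sshd uses the FIRST value it sees for a
directive (later duplicates are ignored) and directives after a `Match` line
apply only conditionally, so the checker honours both rules. Defaults are
those of current OpenSSH (assumption: 9.x); both config texts are
constructed samples.
"""
import re
from typing import Dict, List

# directive (lower-case), hardened value, why it matters for an exposed sshd
REQUIRED = [
    ("passwordauthentication", "no", "guessing is pointless once only keys are accepted"),
    ("kbdinteractiveauthentication", "no", "keyboard-interactive via PAM can still take a password"),
    ("permitrootlogin", "no", "most of the honeypot attempts target root"),
    ("pubkeyauthentication", "yes", "keys must remain a permitted method"),
]

# What sshd assumes when a directive is absent (assumption: OpenSSH 9.x defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}


def effective_settings(config: str) -> Dict[str, str]:
    """Global directives with sshd's first-wins semantics; Match blocks skipped."""
    seen: Dict[str, str] = {}
    in_match = False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True     # everything from here on is conditional
            continue
        if in_match:
            continue
        if key == "challengeresponseauthentication":   # legacy alias
            key = "kbdinteractiveauthentication"
        seen.setdefault(key, value)
    return seen


def audit(config: str) -> List[str]:
    """One finding per directive that is not at its hardened value."""
    settings = effective_settings(config)
    findings = []
    for key, wanted, why in REQUIRED:
        actual = settings.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append(f"{key} is '{actual}', want '{wanted}': {why}")
    return findings


WEAK = """\
# constructed sample: a stock config with password login left on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no     # ignored: sshd keeps the first value
"""

HARDENED = """\
# constructed sample: the key-only setup from the comment
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes    # conditional, so not part of the global audit
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```

The authoritative check is still `sshd -T`, which prints the effective configuration after all parsing; this script is for the case where you want to lint a config in a repository or a Terraform template before it reaches a host. Note the `KbdInteractiveAuthentication` finding in the weak sample: turning off `PasswordAuthentication` alone leaves PAM's keyboard-interactive path, which on most distributions still prompts for a password.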
| simonmysun wrote:
| Coincidentally, I recently visualized the scanners for fun by
| plotting them on a globe[1]. It gives a more comprehensive view
| of the locations and ASNs of the scanners. The demo data is
| generated from 1 day of logs.
|
| [1]: https://github.com/simonmysun/where-are-the-scanners
|
| Amazingly there's no request from same ASN. I believe this is
| because the VPS provider has a quite strict validation process,
| e.g. you have to upload a photo of yourself with your ID and your
| handwritten username, etc. I would suggest we consider the
| reputation or credibility of the data centers so that the data
| centers have the motivation of banning such users. In my case, a
| lot of the requests were sent from Tencent or Alibaba data
| centers.
| nisa wrote:
| Somewhat related: due to a weak password, a mail server from a
| community I'm involved in sent out lots of spam mail. After
| analysing the log files I had over 1500 different IP addresses
| that logged in to send spam, about 10 mails for each address. ASNs
| and subnets were spread across the whole world. It seems
| like these attacks are coordinated using vast botnets and the use
| of single ssh public key here seems to confirm this. I had
| similar experiences going after attacks on WordPress instances
| and there I've also found attacks spread out across lots of
| hosts.
|
| I'm wondering if it's possible to pin down those behind these
| attacks, there must be mistakes.
| mianos wrote:
| Over 90% of the ssh logins come from just a few China Telecom
| addresses. They just keep trying random ssh accounts over and
| over all day. I just geoblock China now. Maybe occasionally
| unblock it for a few minutes if the kids want to buy something
| from Shien. Then I honeypot the rest with the continuous ssh
| banner script.
| m0rde wrote:
| What's a continuous ssh banner script?
| throwitaway1123 wrote:
| It's a tarpit that slowly sends a message to bots to keep
| them (and their bandwidth, memory, and CPUs) occupied:
| https://github.com/skeeto/endlessh?tab=readme-ov-file
| figassis wrote:
| Most of this nonsense disappeared when I adopted wireguard and
| later Tailscale.
| tanepiper wrote:
| We run internal sites that are on the public facing web - the
| logs from Akamai are a daily list of mostly the same requests to
| find unsecured Wordpress and MySQL installs, .cgi and php files
| and paths like "..%C0%AF../..%C0%AF../..%C0%AF../..%C0%AF../..%C0
| %AF../..%C0%AF../etc/profile"
|
| In 24 hours there's anywhere from 7000-9000 log events just from
| the CDN
| microbass wrote:
| A perfect example of why one should use SSH over a mesh network
| like Tailscale, and don't expose over the public internet. No
| attack surface means no attack.
| stanac wrote:
| I love TS just for this reason. All ports are locked and ssh-
| ing is possible only via TS. And for public facing web apps I
| open only 80 and 443.
|
| Does anyone have any experience with CF tunnels on free
| account? Is it actually free for smaller apps with less than
| 1TB of traffic per month? I was wondering about switching to CF
| tunnel which would mean I could also close 80 and 443 ports and
| block China (because I read somewhere that most of DDOS attacks
| come from Chinese locale botnets).
| andylynch wrote:
| Yes, CF tunnels are $0 for very small users. I have this, as
| do many others, as a reverse proxy for stuff like Home
| Assistant and it works great.
| stanac wrote:
| Thank you, I'll have to try them
| microbass wrote:
| For some additional peace of mind, you could also use
| something like Authentik in front of your web apps, so you
| don't expose the apps themselves, only Authentik. You can
| then use the IDP of your choice within Authentik for
| authentication.
| stanac wrote:
| Thanks, I was thinking about small but public project.
| chickenfish wrote:
| I guess the compromised host was probably also using the same weak
| password as it's brute-forcing on other hosts.
| hugocbp wrote:
| Amazing article!
|
| It is actually amazing how fast and thorough the connection
| attempts happen as soon as you put anything online.
|
| I've been playing around with Hetzner and Coolify recently, and noticed
| that, as soon as port 22 is opened, it is bombarded by those
| attempts. Several per second. It might be due to Hetzner IPs
| being reused, but it happened to me every single time. Same with
| the Postgres default port (those were the ones I've seen).
|
| I have defaulted to using Terraform and bash to only open those
| ports in the Hetzner firewall (and more common ones like 3000 or
| 8000) to my own current IP. It does mean I'll get drift and need
| to reapply the Terraform code if I change IPs, but it seems to be at
| least one way to defend.
|
| I fear that a lot of devs jumping into the "you only need a VPS"
| crowd on Twitter will end up with a huge attack surface on their
| apps and machines and most won't even know they are being
| targeted like that most of the time.
|
| To this day I still find it hard to find a comprehensive security
| guide for those newer Linux fresh boxes (and the ones you find
| are all so very different with different suggestions). If anyone
| knows of a good one, please share with me!
| e12e wrote:
| I would recommend just using a VPN, like tailscale, for all
| non-public resources - rather than IP whitelisting.
|
| Ed: including private web services like self-hosted gitlab not
| used for publishing public projects.
| fsmv wrote:
| You just need to turn off password authentication so it's keys
| only. They can attempt logins all they want and never get in.
|
| Also if you run ssh on a nonstandard port you get many fewer
| attempts. There are several groups that constantly scan all of
| ipv4 for open ports, if you use ipv6 they cannot scan that
| space anymore.
|
| Optionally you can set up fail2ban but I find it's not a big
| deal.
| ogud2025 wrote:
| I changed my SSH configuration to only listen on an IPv6
| address 6 months ago and since then the number of SSH attacks
| has fallen from 1000+/day to less than 10/week.
| FredPret wrote:
| I simply block traffic from countries I do not do business
| in.
|
| I used to see constant attempts to mess with Wordpress URLs,
| which I know is not legitimate because I don't run Wordpress.
|
| Cutting out Russia & China basically removed this problem. I
| really hate locking up my tiny corner of the internet but I don't
| see another way.
| oopsallmagic wrote:
| Waiting for the whatabout crew to show up asking what you'll do
| if the website for Joe's Barbecue and Grill needs to be
| accessible from Moscow.
| msephton wrote:
| I wanted to read more about the interesting part!
| e40 wrote:
| We use port knocking and haven't had a single hack attempt in
| many years.
| gunapologist99 wrote:
| > In conclusion, these commands represent a clear strategy to
| infiltrate, assess, and establish control over targeted systems.
|
| Oh hello, ChatGPT. You seem to be everywhere these days.
| throw156754228 wrote:
| My website backend APIs get repeated attempts at javascript
| prototype injection, all day, every day.
| bobbob1921 wrote:
| Not sure if op will see this, but with regard to his comments on
| MikroTik routers and frequently seeing in his honeypot logs, the
| command: /ip cloud print
|
| He is correct: this is a MikroTik command. Although MikroTik has
| this feature disabled/off by default, a lot of users make use
| of it, and running that command (if cloud DNS is enabled) will
| show the dynamic DNS entry of the device he is connected to. I.e.
| if the cloud DNS is enabled, the output from that command will be
| something like: Detected public ip: 34.2.82.3 DynDns:
| djwisyehd.clouddns.mikrotik.com (which will always be updated to
| the detected public IP address of the router)
|
| So I assume the attackers run this command so that they can still
| reach the router in case it's public IP address changes at some
| point. (And assuming that the device will still be accessible
| after any public IP address changes).
|
| (or perhaps they run that command to see if the cloud DNS service
| is disabled, which is the default, in which case they will then
| enable it so that they will have a dynamic DNS entry for the
| device).
| charles_f wrote:
| I opened my personal server's 22 to the world because I screwed
| up my vpn config a couple weeks ago. I just had a look at the
| auth log and closed it again. It is non-stop.
| slt2021 wrote:
| Don't ever run publicly exposed production SSH. If there is a
| vulnerability in your version of ssh, you risk getting pwned.
| RecycledEle wrote:
| I am amazed we have not yet said "Hands off!" and coordinated
| physical interventions against the scum who attack our electronic
| brains.
|
| Is it so hard to kick in the doors of those whose IP addresses
| are used to try to hack honeypots?
|
| This lack of action is why I oppose all law enforcement. Until
| they do their jobs, they do not need to be paid.
| braza wrote:
| (Long shot) I really would like to use a spare machine for web
| serving a Jupyter Notebook server, but I did not find a single
| resource that blocks everyone except a single IP or something
| like this. Super annoying to pay some cloud providers to have a
| resource that I already have.
| josephcsible wrote:
| > 1016 cd ~; chattr -ia .ssh; lockr -ia .ssh
|
| Does anyone know what the "lockr" command is? I can't find any
| references to it besides people saying they observed malware
| trying to run it, usually (as is the case here) right after a
| chattr command with the same arguments.
| Kikawala wrote:
| https://www.lockr.io/
| josephcsible wrote:
| I think that's something totally unrelated that just happens
| to have the same name. I don't see anything in their docs
| that even hints at a UNIX command called "lockr", let alone
| one that makes sense to call like that.
| ars wrote:
| https://blog.netlab.360.com/icnanker-trojan-downloader-shc-e...
| has: cp -f /usr/bin/chattr /usr/bin/lockr
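That explains the pairing: `lockr` is `chattr` under a name that simple command-name filters will not catch, so a detection that keys on the literal string "chattr" misses half the activity. Below is an added detection example, not code from the thread or the article, that runs over captured honeypot session lines and flags immutable/append-only bit changes on `.ssh`, the same flags issued through `lockr`, and the `cp` that creates the alias. The session lines are constructed, modelled on the commands quoted in the thread.

```python
"""Flag immutable-bit tampering in a honeypot's captured shell sessions.

Added detection example; not from the thread or the article. It looks for
the pattern discussed above: chattr removing the immutable/append-only
bits from .ssh, the same flags issued through the unknown name `lockr`,
and the `cp /usr/bin/chattr /usr/bin/lockr` step that makes `lockr` work.
The session lines below are constructed, modelled on the quoted commands.
"""
import re
import shlex
from typing import List, Tuple

IMMUTABLE_FLAG = re.compile(r"^[-+=][a-zA-Z]*[ia]")  # -ia, +i, -a, ...


def split_commands(line: str) -> List[List[str]]:
    """Turn 'cd ~; chattr -ia .ssh' into one argv list per ;-separated command."""
    argvs = []
    for part in line.split(";"):
        part = part.strip()
        if not part:
            continue
        try:
            argvs.append(shlex.split(part))
        except ValueError:          # unbalanced quotes: fall back to whitespace
            argvs.append(part.split())
    return argvs


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def analyse(session: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for suspicious attribute changes."""
    findings: List[Tuple[int, str]] = []
    # Names known to behave like chattr. 'lockr' is included up front because
    # the sessions quoted above use it that way even before any cp is seen.
    chattr_like = {"chattr", "lockr"}
    for n, line in enumerate(session, 1):
        for argv in split_commands(line):
            if not argv:
                continue
            prog = basename(argv[0])
            # cp [-f] /usr/bin/chattr /usr/bin/<name>: chattr under a new name
            if prog == "cp" and len(argv) >= 3 and basename(argv[-2]) == "chattr":
                alias = basename(argv[-1])
                chattr_like.add(alias)
                findings.append((n, f"chattr copied to '{alias}' (renamed-tool evasion)"))
                continue
            if prog in chattr_like:
                flags = [a for a in argv[1:] if a and a[0] in "-+="]
                targets = [a for a in argv[1:] if a and a[0] not in "-+="]
                if any(IMMUTABLE_FLAG.match(f) for f in flags):
                    findings.append((n, f"{prog} {' '.join(flags)} on "
                                        f"{' '.join(targets)}: immutable/append-only bits changed"))
    return findings


# Constructed session, modelled on the commands quoted in the thread.
SESSION = [
    "ls -la ~/.ssh",
    "cd ~; chattr -ia .ssh; lockr -ia .ssh",
    "cp -f /usr/bin/chattr /usr/bin/lockr",
    "lockr -ia .ssh",
]

if __name__ == "__main__":
    for lineno, msg in analyse(SESSION):
        print(f"line {lineno}: {msg}")
```

Because the alias set grows as the session is read, a copy of `chattr` to any other name is tracked from that point on, not just `lockr`. On a real host the same signal is available outside the honeypot: an audit rule on the `chattr` binary (or on the underlying FS_IOC_SETFLAGS ioctl) catches the attribute change regardless of what the executable was renamed to.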
| JZL003 wrote:
| How do people feel about using docker as a way of avoiding 0 day
| vulnerability
|
| It's all for personal use and maybe I'm just cosplaying as a
| sysadmin but I have apache proxy-passing to sets of docker
| containers. So as long as apache and ssh are kept up to date (on
| nixos), even if all my services are 0 day'd, they have to also
| escape the docker containment
___________________________________________________________________
(page generated 2024-06-16 23:01 UTC)