In the past two weeks I set up a new VPS, and I ran a small experiment. I share the results for those who are curious.
Consider that this is a backup server only, meaning that there is no outgoing traffic unless a backup is actually to be recovered, or as we will see, because of sshd.
I initially left the standard “port 22 open to the world” for 4-5 days, I then moved sshd to a different port (still open to the whole world), and finally I closed everything and turned on tailscale. You find a visualization of the resulting egress traffic in the image. Different colors are different areas of the world. Ignore the orange spikes which were my own ssh connections to set up stuff.
Main points:
- there were about 10 Mb of egress per day due just to sshd answering to scanners. Not to mention the cluttering of access logs.
- moving to a non-standard port is reasonably sufficient to avoid traffic and log cluttering even without IP restrictions
- Tailscale causes a bit of traffic, negligible of course, but continuous.
I’ll take that tiny amount of traffic telling scanners there’s no password auth over having to remember port settings for ssh, scp and rsync any day.
For me it’s not about the traffic, more the log spam.
Generally I’ll have :22 enabled internally, and anything non-standard is defined in ~/.ssh/config and shared out so I don’t have to remember things.
Fair point. These logs are only useless chatter anyway for everyone with proper key auth.
My configs remember stuff for me.
vim ~/.ssh/config
Yeah, but how do you close VIM then? Restarting the computer takes some time!!!111
Checkmate!!
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters  More Letters
IP             Internet Protocol
SSH            Secure Shell for remote terminal access
VPN            Virtual Private Network
VPS            Virtual Private Server (opposed to shared hosting)
4 acronyms in this thread; the most compressed thread commented on today has 20 acronyms.
[Thread #42 for this sub, first seen 14th Aug 2023, 15:55] [FAQ] [Full list] [Contact] [Source code]
Good bot!
10mb is pretty much nothing. May as well just use Fail2Ban.
For management ports, I set up a firewall on the VPS to only respond to connections from known IPs.
Or, you know, just use key auth only and fail2ban. Putting sshd behind another port only buys you a little time.
Public key auth, and fail2ban on an extremely strict mode with scaling bantime works well enough for me to leave 22 open.
Fail2ban will ban people for even checking if the port is open.
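As an added example (not code from the thread, and not fail2ban's own code), here is a small Python script that puts numbers on the log clutter the original post mentions and then replays that noise through a simplified fail2ban-style policy like the ones described in the comments above: maxretry failures from one address inside findtime earn a ban, and each repeat ban of the same address lasts twice as long (a simplified stand-in for fail2ban's bantime increment, not its exact formula). The log lines, hostname, addresses and year are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd uses (not real logs from the thread).
# 203.0.113.7 behaves like a scanner; 192.0.2.10 is a legitimate key-based login.
SAMPLE_LOG = """\
Aug 14 10:00:01 vps sshd[1201]: Invalid user admin from 203.0.113.7 port 51812
Aug 14 10:00:03 vps sshd[1203]: Connection closed by authenticating user root 203.0.113.7 port 51820 [preauth]
Aug 14 10:00:09 vps sshd[1207]: Invalid user oracle from 203.0.113.7 port 51844
Aug 14 10:05:40 vps sshd[1250]: Connection closed by 198.51.100.23 port 40022 [preauth]
Aug 14 10:11:12 vps sshd[1301]: Accepted publickey for deploy from 192.0.2.10 port 55001 ssh2
Aug 14 11:30:00 vps sshd[1402]: Invalid user admin from 203.0.113.7 port 52002
Aug 14 11:30:01 vps sshd[1403]: Invalid user test from 203.0.113.7 port 52003
Aug 14 11:30:02 vps sshd[1404]: Invalid user ubuntu from 203.0.113.7 port 52004
"""

YEAR = 2023  # syslog timestamps carry no year; assumed from the thread's date

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# sshd messages that mean "someone knocked and did not authenticate". The first two are
# the classic brute-force lines; the third is what a banner-grabbing scanner leaves behind.
FAILURE_PATTERNS = [
    re.compile(r"Invalid user \S* from (?P<ip>[\d.]+)"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"Connection closed by (?:authenticating user \S+ )?(?P<ip>[\d.]+) port \d+ \[preauth\]"),
]


def parse_failures(log_text):
    """Return a list of (timestamp, ip) for every line that counts as a failed or abandoned attempt."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for pat in FAILURE_PATTERNS:
            f = pat.search(m.group("msg"))
            if f:
                ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
                events.append((ts, f.group("ip")))
                break
    return events


def noise_per_ip(log_text):
    """How many noise lines each source address produced: the 'log cluttering' in numbers."""
    return dict(Counter(ip for _, ip in parse_failures(log_text)))


def simulate_bans(events, maxretry=3, findtime=timedelta(minutes=10),
                  bantime=timedelta(minutes=10), factor=2):
    """Replay failures through a simplified fail2ban policy.

    maxretry failures from one address inside findtime trigger a ban. The n-th ban of the
    same address lasts bantime * factor**(n-1), a simplified stand-in for fail2ban's
    bantime increment. Events that fall inside an active ban are skipped, since the
    firewall would have dropped them before sshd could log anything.
    Returns a list of (ban_start, ip, duration).
    """
    recent = {}        # ip -> failure timestamps still inside the findtime window
    ban_count = {}     # ip -> number of bans issued so far
    banned_until = {}  # ip -> when the current ban expires
    bans = []
    for ts, ip in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            n = ban_count.get(ip, 0)
            duration = bantime * (factor ** n)
            ban_count[ip] = n + 1
            banned_until[ip] = ts + duration
            recent[ip] = []
            bans.append((ts, ip, duration))
    return bans


if __name__ == "__main__":
    print("noise per source:", noise_per_ip(SAMPLE_LOG))
    for start, ip, duration in simulate_bans(parse_failures(SAMPLE_LOG)):
        print(f"{start:%b %d %H:%M:%S} ban {ip} for {duration}")
```

On the sample, the scanner address trips the policy twice: a 10-minute ban after its first three attempts and a 20-minute ban after the next burst, while the single banner grab from the second address never reaches maxretry. The legitimate key-based login produces no noise line at all, which is the point the key-auth comments above make: with password auth off, everything the filter matches is someone you did not invite.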
You really shouldn’t have something like SSHD open to the world, that’s just an unnecessary attack surface. Instead, run a VPN on the server (or even one for a network if you have several servers on one subnet), connect to that then ssh to your server. The advantage is that a well set up VPN simply won’t respond to an invalid connection, and to an attacker, looks just like the firewall dropping the packet. Wireguard is good for this, and easy to configure. OpenVPN is pretty solid too.
You say this and are downvoted.
While we are coming off the tail of Def Con where there were a plethora of small talks and live examples of taking advantage and abusing just this.
Just trying to parse your comment, I assume your first “this” and second “this” are referring to different things, right?
The best reason is reducing attack surface. It’s such an easy thing to do. I don’t know why people still expose services they don’t need to.
Moving the port doesn’t reduce attack surface. It’s the same amount of surface.
Tailscale is a bit controversial because it requires a 3rd party to validate connections, a 3rd party that is a large target for threat actors, and is reliant on profitability to stay online.
I would recommend a client VPN like wireguard, or SSH being validated using signed keys against a certificate authority you control, with fail2ban.
I’d favour own VPN instead of relying on an additional third party
Right? PiVPN is easy AF and uses WireGuard. No reason not to set up something yourself if you’re already selfhosting.
Please ELI5: How does this solution work? You tunnel yourself in your home network with a VPN on your PI? How is that safer, isn’t there still a port open?
Now try IPv6 only :P
ITT: People who don’t understand Tailscale or are allergic to it for ‘reasons’
As others have already said, set up a VPN like wireguard, connect to the VPN and then SSH to the server. No need to open ports for SSH.
I do have port 22 open on my network, but it’s forwarded to an SSH tarpit: https://github.com/skeeto/endlessh
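To show what the tarpit linked above actually does on the wire, here is an added example of an endlessh-style SSH tarpit in Python with asyncio. It is not endlessh's own code: it relies on the same RFC 4253 section 4.2 rule that lets a server send arbitrary lines before its "SSH-2.0-..." identification string, as long as they do not start with "SSH-" and end with CRLF. The tarpit never sends the identification, just one such line every few seconds, so a scanner's client sits waiting. The listen port, delay and line alphabet are this example's own choices; `probe_tarpit` is a self-check that runs the server on a loopback port so the code can be exercised offline.

```python
import asyncio
import random
import string

# Pre-identification lines may contain any printable ASCII except that they must not start
# with "SSH-". Leaving '-' out of the alphabet makes that impossible by construction.
PREAMBLE_ALPHABET = string.ascii_letters + string.digits


def banner_line(rng=random, max_len=32):
    """One pre-identification line: printable ASCII, never 'SSH-', CRLF-terminated."""
    n = rng.randint(3, max_len)
    body = "".join(rng.choice(PREAMBLE_ALPHABET) for _ in range(n))
    return (body + "\r\n").encode("ascii")


def is_valid_preamble_line(data):
    """The RFC 4253 constraints a tarpit line must satisfy (at most 255 bytes incl. CRLF)."""
    return (data.endswith(b"\r\n")
            and not data.startswith(b"SSH-")
            and len(data) <= 255
            and all(32 <= c < 127 for c in data[:-2]))


async def tarpit_client(reader, writer, delay=10.0):
    """Serve one connection: a banner line every `delay` seconds until the peer gives up."""
    try:
        while True:
            writer.write(banner_line())
            await writer.drain()  # raises once the scanner disconnects
            await asyncio.sleep(delay)
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        writer.close()


async def serve(host="0.0.0.0", port=2222, delay=10.0):
    """Listen on the port the real :22 is forwarded to (as in the comment above) and tarpit every client."""
    server = await asyncio.start_server(
        lambda r, w: tarpit_client(r, w, delay), host, port)
    async with server:
        await server.serve_forever()


def probe_tarpit(lines=3, delay=0.01):
    """Offline self-check: run the tarpit on an ephemeral loopback port, connect to it,
    and return the first `lines` preamble lines it sends."""
    async def run():
        server = await asyncio.start_server(
            lambda r, w: tarpit_client(r, w, delay), "127.0.0.1", 0)
        port = server.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        got = [await reader.readline() for _ in range(lines)]
        writer.close()
        await writer.wait_closed()
        server.close()
        return got
    return asyncio.run(run())


if __name__ == "__main__":
    asyncio.run(serve())
```

The cost to the scanner is time: a client that waits for the server identification (as OpenSSH does by default) stays attached for as long as it is willing to wait, while each held connection costs the tarpit only one idle coroutine and a few bytes every `delay` seconds. The port is still open, so this is about wasting scanner time and keeping your real sshd out of their lists, not about reducing attack surface the way the VPN suggestions above do.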