[olug] Shell accounts? [OT?]

Lou Duchez lou at paprikash.com
Tue Sep 26 23:10:02 CDT 2017


Non-default port for SSH, and Fail2ban, will keep you pretty safe too.

And of course allow SSH-ing only to low-privilege accounts, from which 
you must sudo or su to do root activities.

> On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth <obiwan at jedi.com> wrote:
>
>> The biggest bummer, nostalgia aside, is SSH access.  In order to keep the
>> log file noise to a minimum, my home firewall restricts which IP blocks are
>> allowed to SSH into my home computer.  On the rare occasion when I need to
>> SSH in from an unapproved network, I was always able to SSH into falcon
>> first, then jump from there to my home machine.  That route is no longer an
>> option, so I'll probably have to open up the firewall again.  Or maybe I
>> can just paint with a bigger brush & block foreign IP's using that list
>> that somebody posted recently.
>>
> Someone mentioned port-knocking, which can be a handy solution for this.
> Another option that can significantly reduce the log noise is to use
> iptables to minimize or prevent brute-force SSH attacks.
>
> Replace the iptables rule on your box that is allowing TCP port 22 with the
> following:
>
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m
> hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 4
> --hashlimit-name ssh -j ACCEPT
>
> That will limit new TCP connection attempts to a rate of 1 per minute, with
> a burst of 4 allowed per source IP.  Basically, anyone who makes repeated
> ssh attempts too quickly will automatically have their connection attempts
> dropped.  The more attempts they make, the longer they get blocked.  The
> best thing about it is that it requires no maintenance or external
> applications (like fail2ban), and is very "fire and forget" for low
> connection rate protocols like SSH.
>
> One other handy option, you can keep SSH blocked from the outside, and use
> something like OpenVPN to connect remotely.  Then, after establishing a VPN
> session to your computer externally, you can SSH across the VPN to not
> expose SSH publicly.  This can also give you some additional access
> benefits to your system.
>
> For the ultimate in remote shell flexibility, I'll echo another suggestion
> that was thrown out, too: Linode.  I've been using Linode.com for 10 years
> now, and I can't recommend them enough.  They're Virtual Private Server
> (VPS) hosting by geeks/engineers for geeks/engineers.
>

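The quoted hashlimit rule, as an added example that is not part of the original thread: a Python model of the per-source token bucket that `-m hashlimit --hashlimit-mode srcip` implements, run over a constructed timeline of SSH connection attempts, plus the rule pair the model corresponds to. The source addresses, the attempt timings, and the trailing explicit `DROP` rule are assumptions for illustration; the post's own rule relies on whatever follows it in the INPUT chain to discard the non-matching connections.

```python
"""
Token-bucket model of the iptables hashlimit match used in the quoted rule:

    -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 4

hashlimit keeps one bucket per source IP (mode srcip).  A bucket starts
full with `burst` tokens and refills at the configured rate.  A NEW
connection that finds at least one token matches the rule and is ACCEPTed;
a connection that finds the bucket empty does not match, so it falls
through to the next rule in the chain.  That next rule must DROP for the
limit to mean anything, which is why iptables_rules() emits one.
The attempt timeline below is constructed for this example.
"""

SSH_PORT = 22


def iptables_rules(per_minute: int = 1, burst: int = 4, name: str = "ssh") -> list[str]:
    """The post's ACCEPT rule, followed by an explicit DROP for port 22
    connections that exhausted their bucket (assumed addition)."""
    match = f"-p tcp -m tcp --dport {SSH_PORT} -m state --state NEW"
    return [
        f"iptables -A INPUT {match} -m hashlimit --hashlimit-mode srcip "
        f"--hashlimit-upto {per_minute}/min --hashlimit-burst {burst} "
        f"--hashlimit-name {name} -j ACCEPT",
        f"iptables -A INPUT {match} -j DROP",
    ]


class HashLimit:
    """Per-source token bucket: `burst` is the bucket size, `per_minute`
    the refill rate.  Dropped attempts neither consume tokens nor reset
    the refill clock; credit is simply recomputed from elapsed time."""

    def __init__(self, per_minute: float, burst: int):
        self.rate = per_minute / 60.0          # tokens per second
        self.burst = float(burst)
        self._buckets: dict[str, tuple[float, float]] = {}   # src -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self._buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, now)
            return True
        self._buckets[src] = (tokens, now)
        return False


# Constructed timeline: (seconds, source IP).  One scanner hammering the
# port, one administrator logging in twice, five minutes apart.
SAMPLE_ATTEMPTS = (
    [(float(t), "203.0.113.7") for t in range(10)]   # scanner: 10 tries in 10 s
    + [(2.0, "192.0.2.10"), (300.0, "192.0.2.10")]   # admin: two normal logins
    + [(70.0, "203.0.113.7")]                        # scanner returns after a lull
)


def simulate(limiter: HashLimit, attempts) -> list[tuple[float, str, str]]:
    """Run attempts through the limiter in time order; return (t, src, verdict)."""
    results = []
    for t, src in sorted(attempts, key=lambda a: a[0]):
        verdict = "ACCEPT" if limiter.allow(src, t) else "DROP"
        results.append((t, src, verdict))
    return results


def verdicts(results, src: str) -> list[str]:
    """Verdicts for one source, in time order."""
    return [v for (_, s, v) in results if s == src]


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    for t, src, v in simulate(HashLimit(per_minute=1, burst=4), SAMPLE_ATTEMPTS):
        print(f"t={t:6.1f}s  {src:13}  {v}")
```

In the model the scanner's first four attempts are accepted, the next six in the same ten seconds fall through to the DROP, and the attempt at t=70 is accepted again because a full token has accumulated at 1/min since the burst was spent. The administrator's two logins come from a different source address, so they use a separate bucket and are unaffected by the scanner.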
