Technical Discussion
  >> Home Networking, Internet Connection Sharing, etc.


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | 3 | 4 | 5 | (show all)   Print Thread
Standard User Woolwich
(committed) Sat 20-Jun-20 14:31:10
Print Post

VPN site to site connection speeds


[link to this post]
 
I have a couple of FritzBox routers at two locations set up with a site to site VPN always on. Works well, easy to see and access files at the 'other' location.

But when it comes to transferring large amount of data its quite slow. And my FTTC connection isn't anywhere near saturated. There's going to be some overhead for the VPN, but how much?

There's a 80/20 FTTC connection at one end sending to a 40/10 on the same ISP. So you'd think you could send at getting on for 20 Mb/s less what ever for the VPN as the receiving end can easily download that bandwidth. Especially as there's nothing else on the connection over the weekend.

Currently it sending at around 5000kb/s. The receiving FritzBox agrees! Surely I could be transferring at around twice that, maybe even up to 15 Mb/s?
Standard User caffn8me
(eat-sleep-adslguide) Sat 20-Jun-20 15:39:26
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
I haven't played with Fritz!Box VPNs but their website does make mention of slow VPNs for the 7490 at https://en.avm.de/service/fritzbox/fritzbox-7490/kno...

My home internet connection is showing averaged speed test results of 73.0Mbps down and 18.6Mbps up over the past week.

I've just tested with iperf3 over a VPN to a site in France and I can get 68.5Mbps down and 17.3Mbps up. That's 93-94% of the direct internet speed so less than 7% overhead.

I do have dedicated business grade firewalls at both sites though with a maximum rated VPN throughput on the slower device of 250Mbps. I'm using the highest grade encryption with PFS that the devices have shared support for, and IKEv2 IPSec.

Other VPN methods will have slightly different overheads but I would imagine usually less than 10%

I think in your case the Fritz!Box it's likely to have run out of steam due to the encryption processing required. There are reports that the really inexpensive Ubiquiti Edgerouter X can cope with much higher VPN throughputs and I will likely have one to play with next week. I'll let you know how I get on.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User prlzx
(experienced) Sat 20-Jun-20 16:24:59
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
VPN endpoints which can use AES-GCM (a type of counter mode) often perform better for IPSec throughput.

From experience I'm aware that both pfSense and EdgeMax router have hardware assisted/accelerated IPSec throughput and subject to being able to choose an encryption algorithm which both ends can take advantage of.

Wireguard also looks interesting as something to watch.



prlzx on iDNET: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Sat 20-Jun-20 16:44:43)


Register (or login) on our website and you will not see this ad.

Standard User Woolwich
(committed) Sat 20-Jun-20 16:54:54
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
I haven't played with Fritz!Box VPNs but their website does make mention of slow VPNs for the 7490

I'd seen that page but assumed it was a general article rather than specific to that router.
t the really inexpensive Ubiquiti Edgerouter X can cope with much higher VPN throughputs and I will likely have one to play with next week. I'll let you know how I get on.


Yes please. And a link meanwhile cos I can't see much mention on the page I found. I like the FritzBox, it does everything I want in a single box - modem, 1GB four port Ethernet, DECT and VoIP (& WiFi!). Plus we have more than two to create VPN links between offices. Maybe I need some kind of VPN firewall type thing? If that's the case, where does it physically fit in my setup?

Thanks!
Standard User prlzx
(experienced) Sat 20-Jun-20 17:03:48
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
For EdgeMax router, I've found the following KB articles useful in the past

Hardware Offloading support

Site-to-Site IPSec VPN, Route based (VTIs)

Now that pfSense has VTI support I will be reviewing the latter for some more inter-site work.
I wish Ubqiuiti would implement the GCM offload - seems to depend what the SoC vendor / SDK / is able to expose though.



prlzx on iDNET: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User Woolwich
(committed) Sat 20-Jun-20 17:24:00
Print Post

Re: VPN site to site connection speeds


[re: prlzx] [link to this post]
 
In reply to a post by prlzx:
For EdgeMax router, I've found the following KB articles useful in the past

OK, er, thanks! So its cheap but it's all command line. And according to the reviews it takes a day to set it up - if you know the flavour of Linux it speaks.

If I accept the VPN on the FritzBox is my problem, can't I get a simple VPN box that's simple to set up via a GUI to do the connections?

Or, maybe the FB is F'd and need replacing. How could I test the speed to see if its running at full steam on the LAN. Cos if its not, different solution maybe required.
Standard User caffn8me
(eat-sleep-adslguide) Sat 20-Jun-20 17:59:04
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
The Edgerouter X (ER-X) does have a web interface which can be used to set up VPNs. I've never done an ER-X to ER-X VPN but I've done an ER-X to WatchGuard VPN using virtual tunnel interfaces and it worked well.

It should be possible to connect the ER-X to a port on the Fritz!Box and set the ER-X's LAN IP address as a static route on the Fritz!Box for the remote LAN IP subnet. Obviously you need to do this at both ends. Whether or not you can set up a static route may depend on Fritz!Box model. It's certainly doable on the 7490 because there's a guide here. I'll have a look at the 7530 in a minute or three.

I haven't actually tried this but there's no reason it shouldn't work. You may need to play around with MTU and/or TCP MSS on the ER-X to get maximum throughput.

I'll get an ER-X to play with next week and let you know how I get on. I've got several at client sites but not in a VPN scenario.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
ISP Representative uno
(isp) Sat 20-Jun-20 18:07:08
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
I'll get an ER-X to play with next week and let you know how I get on. I've got several at client sites but not in a VPN scenario.


WireGuard is worth a try too. Config is manually done and you have to load some third party software but performance is far better what the ER and even USG3/4 come with (similar Vyatta core).

Matt

uno Communications
t: 0333 773 7700
uno Speedtest
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
Standard User caffn8me
(eat-sleep-adslguide) Sat 20-Jun-20 18:08:38
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
Whether or not you can set up a static route may depend on Fritz!Box model. <snip> I'll have a look at the 7530 in a minute or three.
No, it doesn't seem to be possible on a 7530 as taken brand new out of the box. I can't see a VPN option either but I may be blind. Food is calling smile

Edit: Enable advanced settings and static routes are possible on the 7530 smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sat 20-Jun-20 18:10:31)

Standard User Woolwich
(committed) Sat 20-Jun-20 18:22:37
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
The Edgerouter X (ER-X) does have a web interface which can be used to set up VPNs.


Lots to research 'n' learn then.....

I have the 7490, don't care about the others. In fact we have four and at leats three are connected together on LAN to LAN VPNs. So my solution needs to allow for VPN links between three or four locations so each can access both the HQ and other branch locations.
Standard User Woolwich
(committed) Sun 21-Jun-20 13:14:16
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
So for the moment, and maybe as a medium to long term solution, I'm uploading a large set of files over rsync. That's saturating the 20Mbs upload so can't ask for more. At the download end I see spikes up to 30Mbs, but how reliable that is only FritzBox could say.

The low speed VPN works well enough for file sharing and access to the central file server. But for big data movements maybe rsync is the way to go. Saves the expense of new VPN routers and configuration.

What could go wrong?
Standard User caffn8me
(eat-sleep-adslguide) Sun 21-Jun-20 15:48:34
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
I use rsync reliably on a cron job every fifteen minutes between two sites. Although they're both connected by VPN the rsync uses SSH directly over the internet with appropriate firewall rules in place.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Woolwich
(committed) Sun 21-Jun-20 18:50:03
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
I use rsync reliably on a cron job every fifteen minutes between two sites. Although they're both connected by VPN the rsync uses SSH directly over the internet with appropriate firewall rules in place.

Same setup then but I only need rsync once a day. What are "appropriate firewall rules in place"? Just, you know, checking...
Standard User jabuzzard
(committed) Sun 21-Jun-20 21:45:00
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In my experience the appropriate firewall rules for SSH are to rate limit connections. You could have a allow list for IP address, but for a bunch of the servers I run that is a none starter. Think login nodes for a HPC cluster and our users are coming from all over the place. And no my servers didn't get hacked unlike a bunch of other HPC sites inthe UK and Europe smile The collective experience is you can't trust fricking users because they generate private SSH keys that are not protected with a passphrase, and you can't check what the idiots are doing. Consequently SSH key logins have been disabled (never liked them for this very reason). So decent password, three unsuccessful logins IP banned for 5 minutes. Sure the user might write the password down (though this is super unlikely in our scenario as it's their AD password and it's regularly needed). However some state sponsored hacker in China cant see the postit note in your draw unlike your SSH key.

Oh and I would strongly recommend making sure your known_hosts file is hashed. Default on Ubuntu/Debian, not on RHEL derivatives.

On a related note I have setup site to site VPN's between two Edgerouters, and between an Edgerouter and a Draytek. Though I can't get a CentOS 7 box to talk to an Edgerouter. I tend not to use the web interface on the Edgerouters. In fact I can't think when I last logged on, I have a feeling they may be disabled.
Standard User caffn8me
(eat-sleep-adslguide) Mon 22-Jun-20 17:03:19
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
Opening up SSH to the outside world is obviously a security risk as some folks have recently discovered.

In my case, appropriate firewall rules means allowing inbound access from specific IP addresses to these servers. All my servers run SSH but not all are accessible from any IP address.

I do run some SSH servers accessible from everywhere (except for countries I've decided are rogue) and for these I run SSH on a non-standard port. I know people will say "but if people scan you they will find your SSH servers anyway" but that's highly unlikely.

Most SSH scans target port 22 and any IP address attempting to connect to me on this port gets autoblocked for a significant period of time. Also, a port scan results in an automatic block for a long time.

If someone does find my SSH server by chance (which has never happened, and I've got the logs to prove it) then they get three attempts at the password before Fail2ban locks them out - again for a significant time. Even if they get the username and password correct, they still need to use multifactor authentication - which is tied to devices in my possession smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Woolwich
(committed) Tue 23-Jun-20 08:37:40
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
Thanks for this, all good advice.

In reply to a post by caffn8me:
All my servers run SSH but not all are accessible from any IP address.

I do run some SSH servers accessible from everywhere (except for countries I've decided are rogue) and for these I run SSH on a non-standard port. I know people will say "but if people scan you they will find your SSH servers anyway" but that's highly unlikely.


I have laptop users setup with backup software which runs every hour or so. They move around, their IP changes. So a non-standard SSH port might be a good idea for me. Why is it "highly" unlikely scanners will find that port? Do you recommend any (or a range)? Did I recently read ports for SSH should be below a certain number? 1024 perhaps? I've seen 2222 suggested in the past.

Even if they get the username and password correct, they still need to use multifactor authentication - which is tied to devices in my possession smile


How can that work for an automated backup script or app? I set the app up to connect to port whatever using name and password. I think that's the limit of what it can do. Long and complex passwords? Or is that another myth? Non-standard usernames maybe?

Thanks again.
Standard User jchamier
(eat-sleep-adslguide) Tue 23-Jun-20 08:51:51
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In reply to a post by Woolwich:
Did I recently read ports for SSH should be below a certain number? 1024 perhaps?
Ports above 1024 are reserved by the operating system, so you will have to pick something above, that is not already in use. Use the netstat command to see what is in use.

20 years of broadband connectivity since 1999 trial - Live BQM

Edited by jchamier (Tue 23-Jun-20 08:52:05)

Standard User Woolwich
(committed) Tue 23-Jun-20 09:11:10
Print Post

Re: VPN site to site connection speeds


[re: jchamier] [link to this post]
 
In reply to a post by jchamier:
Ports above 1024

"below"?

Meanwhile maybe I'm confused and causing confusion.

I specifically want to run an rsync backup and allow an SFTP connection. The app for the SFTP defaults to port 22 so I assumed it needed SSH to be running. But I turned it off and it the SFTP still connects. I'll try and work out if it's the same for rsync. So I can just turn SSH off when I don't need it and when I do it will only be from within my LAN. No more scanners on port 22?

Thinks aloud. SSH = Secure Shell, SFTP = Secure File Transfer Protocol. Two different animals, live in different parts of the woods.
Standard User mrkevlh
(newbie) Tue 23-Jun-20 09:13:00
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In reply to a post by Woolwich:
How can that work for an automated backup script or app? I set the app up to connect to port whatever using name and password. I think that's the limit of what it can do. Long and complex passwords? Or is that another myth? Non-standard usernames maybe?

Thanks again.


If you need to access remote SSH systems securely you don't use usernames and passwords. Instead you use strong SSH certs and disable password authentication.
Standard User jchamier
(eat-sleep-adslguide) Tue 23-Jun-20 10:37:29
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In reply to a post by Woolwich:
"below"?
Apologies yes !

SFTP is a relation to SSH, so depending how you've disabled SSH, you may need to check your SSHD config.

20 years of broadband connectivity since 1999 trial - Live BQM
Standard User Woolwich
(committed) Tue 23-Jun-20 10:45:56
Print Post

Re: VPN site to site connection speeds


[re: jchamier] [link to this post]
 
In reply to a post by jchamier:
depending how you've disabled SSH, you may need to check your SSHD config.


Well, er, its all GUI for me so to check my SSHD config (after a trip around the google) I'd have to enable SSH in order to access the Terminal. <- That may or may not expose my level of ignorance...

Anyways, SSH is "off". My backup app can connect using SFTP on port 22. I can also do another backup using rsync, also on port 22. So that all seems fine to me. But I can change the port number if that's recommended. I think.
Standard User mrkevlh
(newbie) Tue 23-Jun-20 11:10:31
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In reply to a post by Woolwich:
In reply to a post by jchamier:
depending how you've disabled SSH, you may need to check your SSHD config.


Well, er, its all GUI for me so to check my SSHD config (after a trip around the google) I'd have to enable SSH in order to access the Terminal. <- That may or may not expose my level of ignorance...

Anyways, SSH is "off". My backup app can connect using SFTP on port 22. I can also do another backup using rsync, also on port 22. So that all seems fine to me. But I can change the port number if that's recommended. I think.


Unless the system is very old, the sftp process is part of ssh. There shouldn't be any reason not to use ssh certs for access and disable password authentication to keep it secure.
Standard User jabuzzard
(committed) Tue 23-Jun-20 13:25:25
Print Post

Re: VPN site to site connection speeds


[re: mrkevlh] [link to this post]
 
In reply to a post by mrkevlh:
In reply to a post by Woolwich:
How can that work for an automated backup script or app? I set the app up to connect to port whatever using name and password. I think that's the limit of what it can do. Long and complex passwords? Or is that another myth? Non-standard usernames maybe?

Thanks again.


If you need to access remote SSH systems securely you don't use usernames and passwords. Instead you use strong SSH certs and disable password authentication.


Really, you want to explain that to the EPCC, Tu-Dresden and Leibniz Supercomputing Centre and a good few others.

The problem with SSH keys is you have no way of knowing if the private key has been secured with a passphrase. Turns out that lots of users don't actually secure them with a passphrase and hackers where able to use this to hop from HPC to HPC system across Europe.

Even if they are secured with a passphrase they are no more secure than the passphrase used to secure them, which is likely to be the same as an existing password.

If you believe SSH keys are more secure than usernames and passwords then frankly you are an uniformed idiot.
Standard User jabuzzard
(committed) Tue 23-Jun-20 13:28:16
Print Post

Re: VPN site to site connection speeds


[re: mrkevlh] [link to this post]
 
In reply to a post by mrkevlh:
Unless the system is very old, the sftp process is part of ssh. There shouldn't be any reason not to use ssh certs for access and disable password authentication to keep it secure.


Yes there is SSH certs are a panacea for the clueless and uniformed who have no actual experience in running secure systems. There is nothing wrong with password authentication, they are in fact *MORE* secure than SSH keys.
Standard User jabuzzard
(committed) Tue 23-Jun-20 13:54:12
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
Opening up SSH to the outside world is obviously a security risk as some folks have recently discovered.


There are many things going on here and without context this is disingenuous. My day job is running an High Performance Computer (HPC) or supercomputer to the layman. I have been running public facing servers now for over 25 years and never had a machine of mine compromised.

Firstly HPC sites like ARCHER run by the EPCC, have to make themselves available to remote login. To not do so would make them largely pointless.

Secondly EPCC have to some extent been hoisted by their own petard in this case. There is a lot of "tail wagging the dog" going on in account management IMHO at the EPCC. Basically if I have more than one project I have to have separate accounts because for each project because that makes it easier for EPCC to manage things and then each account has to have a different password. As you can imagine under such awkward conditions bad practice by the end user prevails.

In my case, appropriate firewall rules means allowing inbound access from specific IP addresses to these servers. All my servers run SSH but not all are accessible from any IP address.


For HPC sites this is basically impossible and anyway would not have helped the EPCC.

I do run some SSH servers accessible from everywhere (except for countries I've decided are rogue) and for these I run SSH on a non-standard port. I know people will say "but if people scan you they will find your SSH servers anyway" but that's highly unlikely.

Most SSH scans target port 22 and any IP address attempting to connect to me on this port gets autoblocked for a significant period of time. Also, a port
scan results in an automatic block for a long time.


And I have logs that show none standard SSH ports being found on never before used IP addresses within 36 hours. If you think that a none standard SSH port helps I have a slightly used bridge with only a few snapped cables and brand new truss end links to sell you.

If someone does find my SSH server by chance (which has never happened, and I've got the logs to prove it) then they get three attempts at the password before Fail2ban locks them out - again for a significant time. Even if they get the username and password correct, they still need to use multifactor authentication - which is tied to devices in my possession smile


Good idea, but this would not have helped the EPCC and multifactor authentication is not trivial to implement when you have hundreds of users. If you only have a handful or it's just yourself then MFA is pointless just pick a decent random password and don't write it down.

So what happened at the EPCC and other HPC sites across the UK and Europe back in April? One thing to bear in mind is that users of HPC machines often have accounts on multiple machines across countries and continents. Certainly the machine I look after has users with accounts on ARCHER, and other systems that where compromised including the ones in Munich and Dresden. These are sites that absolutely would be on your allow list of IP addresses. Saying use a VPN is impractical because an end user on one system does not get to setup a VPN to another system.

Well firstly an account belonging to a user in Poland (or at least a user account on a system in Poland) was compromised. The method for this compromise has not been published.

They where able to use this local access to gain root on the systems (more on this later). Once you have root on a system it is trivial to scan all the accounts looking for private SSH keys that have not been secured with a passphrase (which turns out to be lots). On the HPC system I run it takes under one second to scan just shy of 900 user accounts. You can then take a look at the users known_hosts file (if it is not hashed) to look for potential hosts to try those keys on. Note even if known_hosts is hashed I could just scan your Bash history file, it is also trivial to do. In a small amount of defence if your Google setting up SSH keys a lot of tutorials on the web tell you not to supply a passphrase for your private SSH key. This includes "trusted" sources like RedHat for crying out load.

Using this method the hackers (who where coming from IP addresses originating in China) where able to move from HPC system to system across Europe. They where not able to gain root on all systems which with the lack of new local privilege escalation vulnerabilities published in the last two months would indicate they where using a pre existing vulnerability that was not patched. HPC systems are notorious for not applying patches regularly for a range of reasons a good few of which revolve around patches changing the results of computations which screws up your research...

My guess is that https://nvd.nist.gov/vuln/detail/CVE-2019-18634 was the mechanism used for the local to root privilege escalation. It is the most likely candidate and the deafening silence when I have asked the sites effected is noticeable. I want to know is there a zero day I need to be worried about on my HPC site or is down to a lack of patching. Of course HPC sites don't want to admit to a lack of patching...

You might say well ban IP addresses in China or Russia from connecting to your system. The problem with that is we have users from those countries as students and researchers at our University who have accounts on our system for the research. At the moment a few of them are stuck back in their home countries due to COVID-19 lockdowns....

A good password that only exists in your head with a none standard account name (root, admin or a first name are all bad) something like ahd12935 is much better, combined with rate limiting connection attempts is way more secure than SSH keys. We have actually disabled SSH key based access because we cannot secure it. We have just had to [censored] a couple of users for sharing passwords....

The take away from all this is the HPC systems where hacked due to the stupidity of users over their handling of SSH keys which as an admin you have absolutely no way of checking up on and probably a lack of timely patching by admins.
Standard User mrkevlh
(learned) Tue 23-Jun-20 14:13:12
Print Post

Re: VPN site to site connection speeds


[re: jabuzzard] [link to this post]
 
In reply to a post by jabuzzard:
If you believe SSH keys are more secure than usernames and passwords then frankly you are an uniformed idiot.


Both mechanisms have their own pro and cons but I don't think it is very polite to be calling people idiots when someone has a different opinion to yours.
Standard User GonePostal
(committed) Tue 23-Jun-20 14:21:38
Print Post

Re: VPN site to site connection speeds


[re: mrkevlh] [link to this post]
 
Very apposite Dilbert cartoon today.

https://dilbert.com/strip/2020-06-23
Standard User jabuzzard
(committed) Tue 23-Jun-20 15:01:38
Print Post

Re: VPN site to site connection speeds


[re: mrkevlh] [link to this post]
 
In reply to a post by mrkevlh:
In reply to a post by jabuzzard:
If you believe SSH keys are more secure than usernames and passwords then frankly you are an uniformed idiot.


Both mechanisms have their own pro and cons but I don't think it is very polite to be calling people idiots when someone has a different opinion to yours.


When you respond down the line to a post that says look at the risks of SSH keys, these guys got hacked, by suggesting to switch to a method of authentication that was used in said hack you are by definition uninformed and an idiot. Don't want to be called those things don't comment on things you know nothing about...

Consequently this is nothing to do with opinion, it's all about facts. Fact ARCHER (and Cirrus and a number of other HPC systems in the UK and Europe) where hacked where the entry point was an SSH key. Not a password but an SSH key.

Your method of authentication turned out in the real world to be not as secure as you thought. In fact without SSH keys the hack would have been unlikely to happen.

Ultimately all an SSH key is, is a very long random password (about 300 characters) that is impossible to remember so to have any hope of being secure has to be secured with another much shorter password. However it turns out the much shorter password is optional and users being lazy don't bother with it in about 1/5th of cases. On my HPC system ~21% of all private SSH keys on my HPC system had no passphrase, over 890 accounts where about 126 had private SSH keys. I know scan for and delete such keys several times a day in true BOFH fashion.

So why are SSH keys allegedly more secure? Well attempting to guess them is a mugs game. However if you rate limit your failed login attempts this turns out to be moot point.

So on my system assuming you have managed to work out a valid username which you won't do because they all look something like cng23584 (they are in effect random) you have only 2592 guess every 24 hours, except the password in use has complexity rules enforced (it's authenticated of the Universities AD) so good luck on cracking it.

Meanwhile that private SSH key which you have no idea whether or not has a passphrase can be used to access your system, and you think that is more secure. Well more fool you.

if you want security two factor is the only way to go in general. With passwords in general being more secure than SSH keys in the real world.

Don't get me wrong, SSH keys have their place, and we use them in tightly controlled scenarios. However for remote access to a system they are a nightmare and insecure as hell.
Standard User caffn8me
(eat-sleep-adslguide) Tue 23-Jun-20 15:30:34
Print Post

Re: VPN site to site connection speeds


[re: jabuzzard] [link to this post]
 
In reply to a post by jabuzzard:
And I have logs that show none standard SSH ports being found on never before used IP addresses within 36 hours.
And?

Read and learn.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(eat-sleep-adslguide) Tue 23-Jun-20 15:31:30
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In reply to a post by Woolwich:
Why is it "highly" unlikely scanners will find that port? Do you recommend any (or a range)? Did I recently read ports for SSH should be below a certain number? 1024 perhaps? I've seen 2222 suggested in the past.
It's because my firewalls are configured to blacklist any IP address which attempts to connect to them on any port and interface address combination that isn't running an explicitly permitted service.

You can, for example, get to unrestricted web servers I run via ports 80 and 443 but if you try to telnet to those same IP addresses, you'll be locked out for a considerable time period, inlcuding from previously available services. The lockout is from all ports on all firewall interface addresses. A scanner attempting to connect has to wait for the lockout to expire before they can probe a second port. Given the number of ports to choose from and the lockout period, it will take somewhat more than ten years to scan all ports on a single interface on my firewall from a single IP address. Not all interfaces run SSH either.

Secondly, I monitor logs for failed connection attempts and where I see coordinated probes from specific address ranges I put a permanent block in place. Most probes I see are from Chinese and Russian controlled IP addresses - which may not be geographically located in China or Russia respectively.

Some firewalls support geolocation blocking and it's also possible to block specific countries using https://www.ipdeny.com/ block lists. If you don't need ssh access from China and Russia, I'd strongly suggest blocking ssh connections from these countries. There may be other countries you also consider to be rogue nations.

One thing which is very important is that you log all failed access attempts and you analyse all failures. In my case, if I get a failed login attempt via SSH on the correct open port, Fail2ban emails me immediately with details. I don't have email notifications of all failed attempts to closed ports because there are far too many, but I do review the logs regularly.

Don't use port 2222 because that's a commonly used ssh alternative and I see regular probes to this and other n22 ports. It will be found very quickly by scanners.
Even if they get the username and password correct, they still need to use multifactor authentication - which is tied to devices in my possession smile

How can that work for an automated backup script or app? I set the app up to connect to port whatever using name and password. I think that's the limit of what it can do. Long and complex passwords? Or is that another myth? Non-standard usernames maybe?
It's perfectly possible to use ssh keys for rsync securely. An ssh key is only insecure, with or without a password, if someone unauthorized gets hold of it. You need to stop that happening. You can't 'guess' a key but it can be very easy to guess a password such as 123ABCdef.

You can also restrict what a key is allowed to do. You can, for example, state that the key can only run rsync on the remote server and no other commands. Have a look at Rsync - via SSH with no password, utilizing SSH ForceCommand in the authorized_keys file to limit the commands that can be run with that SSH key for how to do that.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User jchamier
(eat-sleep-adslguide) Tue 23-Jun-20 15:38:14
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
It's because my firewalls are configured to blacklist any IP address which attempts to connect to them on any port and interface address combination that isn't running an explicitly permitted service.
Defence in depth, and an end to end security design. As is the other poster whom is using an external service for identity management, which has its own checks on password forcing. None of this is easy for a hobbyist at home, but is essential for anyone doing IT for commercial, on the cloud, or on premise.

20 years of broadband connectivity since 1999 trial - Live BQM
Standard User caffn8me
(eat-sleep-adslguide) Tue 23-Jun-20 15:49:49
Print Post

Re: VPN site to site connection speeds


[re: jabuzzard] [link to this post]
 
In reply to a post by jabuzzard:
Well firstly an account belonging to a user in Poland (or at least a user account on a system in Poland) was compromised. The method for this compromise has not been published.

They where able to use this local access to gain root on the systems (more on this later).
Once someone gains access to a local system and they can get ssh keys, it's pretty much game over, yes.

Obviously you are dealing with a system which needs to be accessed from unrestricted locations by large numbers of people and I accept that. I strongly suspect that isn't the case for the systems discussed in the OP's case so different mitigation strategies will be both suitable and effective. It doesn't make the strategies your system uses wrong, but it means they may not be appropriate in this situation. Please bear that in mind.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(eat-sleep-adslguide) Tue 23-Jun-20 16:09:47
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In reply to a post by Woolwich:
Do you recommend any (or a range)? Did I recently read ports for SSH should be below a certain number? 1024 perhaps? I've seen 2222 suggested in the past.
Pick a random port that doesn't run a popular service above 1024. You can check to see if a port is unassigned at https://www.adminsub.net/tcp-udp-port-finder/

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(eat-sleep-adslguide) Tue 23-Jun-20 17:38:37
Print Post

Re: VPN site to site connection speeds


[re: jchamier] [link to this post]
 
In reply to a post by jchamier:
Defence in depth, and an end to end security design. As is the other poster whom is using an external service for identity management, which has its own checks on password forcing. None of this is easy for a hobbyist at home, but is essential for anyone doing IT for commercial, on the cloud, or on premise.
I aim to please (or frustrate if you're not supposed to be allowed in) wink

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(eat-sleep-adslguide) Wed 24-Jun-20 10:58:57
Print Post

Re: VPN site to site connection speeds


[re: GonePostal] [link to this post]
 
In reply to a post by GonePostal:
Very apposite Dilbert cartoon today.

https://dilbert.com/strip/2020-06-23
laugh

The golden rule of telephone helplines is that the person at the other end of the line is an idiot.

This applies to both ends.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Wed 24-Jun-20 11:05:40)

Standard User caffn8me
(eat-sleep-adslguide) Wed 24-Jun-20 11:07:53
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
In reply to a post by Woolwich:
In reply to a post by caffn8me:
Ubiquiti Edgerouter X can cope with much higher VPN throughputs and I will likely have one to play with next week. I'll let you know how I get on.
Yes please.
The EdgeRouter X has arrived and I'll be playing with it tomorrow smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User prlzx
(experienced) Wed 24-Jun-20 12:13:50
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
Interested to hear how you get on!

I have an ER-X at home not as my main broadband router, but to isolate a remote working office network and participate in site-to-site VPN connections, and is using IPSec VTI with OSPF for dynamic routing.

My second job predominantly involved working from home even before current circumstances.

It's ok for my use case, ERPro-8 and ER-8-XG currently used for offices and higher capacity sites.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User dorotymcgee
(newbie) Thu 25-Jun-20 14:03:49
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
Which VPN works best in USA - ExpressVPN, NordVPN, or some other?
Standard User Woolwich
(committed) Thu 25-Jun-20 14:07:54
Print Post

Re: VPN site to site connection speeds


[re: dorotymcgee] [link to this post]
 
In reply to a post by dorotymcgee:
Which VPN works best in USA - ExpressVPN, NordVPN, or some other?

Sorry, dunno, I'm here, not there.
Standard User jabuzzard
(committed) Thu 25-Jun-20 14:40:26
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
It's because my firewalls are configured to blacklist any IP address which attempts to connect to them on any port and interface address combination that isn't running an explicitly permitted service.


Hah, now watch when they connect from multiple IP addresses for the scan...

Now it might of course be because an HPC site at a UK university is a high profile target that warrants extra special measures when scouting out.

However none standard port numbers in testing where a waste of time. The other option would be port knocking, but that is way too complicated for much of the user base and would not work with the graphical desktop offering.
Standard User dorotymcgee
(newbie) Fri 26-Jun-20 15:35:55
Print Post

Re: VPN site to site connection speeds


[re: dorotymcgee] [link to this post]
 
In reply to a post by dorotymcgee:
Which VPN works best in UK - ExpressVPN, NordVPN, or some other?

Thanks!
Pages in this thread: 1 | 2 | 3 | 4 | 5 | (show all)   Print Thread

Jump to