|
|
It's because my firewalls are configured to blacklist any IP address which attempts to connect to them on any port and interface address combination that isn't running an explicitly permitted service. Defence in depth, and an end to end security design. As is the other poster whom is using an external service for identity management, which has its own checks on password forcing. None of this is easy for a hobbyist at home, but is essential for anyone doing IT for commercial, on the cloud, or on premise.
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Well firstly an account belonging to a user in Poland (or at least a user account on a system in Poland) was compromised. The method for this compromise has not been published.
They where able to use this local access to gain root on the systems (more on this later). Once someone gains access to a local system and they can get ssh keys, it's pretty much game over, yes.
Obviously you are dealing with a system which needs to be accessed from unrestricted locations by large numbers of people and I accept that. I strongly suspect that isn't the case for the systems discussed in the OP's case so different mitigation strategies will be both suitable and effective. It doesn't make the strategies your system uses wrong, but it means they may not be appropriate in this situation. Please bear that in mind.
|
|
|
Do you recommend any (or a range)? Did I recently read ports for SSH should be below a certain number? 1024 perhaps? I've seen 2222 suggested in the past. Pick a random port that doesn't run a popular service above 1024. You can check to see if a port is unassigned at https://www.adminsub.net/tcp-udp-port-finder/
|
|
Register (or login) on our website and you will not see this ad.
|
|
|
Defence in depth, and an end to end security design. As is the other poster whom is using an external service for identity management, which has its own checks on password forcing. None of this is easy for a hobbyist at home, but is essential for anyone doing IT for commercial, on the cloud, or on premise. I aim to please (or frustrate if you're not supposed to be allowed in)
|
|
|
Very apposite Dilbert cartoon today.
https://dilbert.com/strip/2020-06-23
The golden rule of telephone helplines is that the person at the other end of the line is an idiot.
This applies to both ends.
Edited by caffn8me (Wed 24-Jun-20 11:05:40)
|
|
|
Ubiquiti Edgerouter X can cope with much higher VPN throughputs and I will likely have one to play with next week. I'll let you know how I get on. Yes please.
The EdgeRouter X has arrived and I'll be playing with it tomorrow
|
|
|
Interested to hear how you get on!
I have an ER-X at home not as my main broadband router, but to isolate a remote working office network and participate in site-to-site VPN connections, and is using IPSec VTI with OSPF for dynamic routing.
My second job predominantly involved working from home even before current circumstances.
It's ok for my use case, ERPro-8 and ER-8-XG currently used for offices and higher capacity sites.
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
|
|
|
|
Which VPN works best in USA - ExpressVPN, NordVPN, or some other?
|
|
|
Which VPN works best in USA - ExpressVPN, NordVPN, or some other?
Sorry, dunno, I'm here, not there.
|
|
|
It's because my firewalls are configured to blacklist any IP address which attempts to connect to them on any port and interface address combination that isn't running an explicitly permitted service.
Hah, now watch when they connect from multiple IP addresses for the scan...
Now it might of course be because an HPC site at a UK university is a high profile target that warrants extra special measures when scouting out.
However none standard port numbers in testing where a waste of time. The other option would be port knocking, but that is way too complicated for much of the user base and would not work with the graphical desktop offering.
|