Anyone know how to prevent a machine from being brute forced?
Do you know how to set that up?
> Anyone know how to prevent a machine from being brute forced?
Oh... I can help. You'll need to block a few IPs after 3-6 logins though, just to ensure maximum security. PM me if interested.
> The best way is using SSH keys, it's like a padlock and the SSH keys are the key - Only you can open it if you have the SSH key. If you need help setting up SSH keys then add me on Skype: nexushd_
> I use SSH keys on all my machines as I have a lot of experience of being hacked and I've found this to be the best way of preventing brute force from taking place.
> Fail2Ban is also a good method if you want extra security on top of SSH keys. Changing the SSH port isn't really necessary if you have these in place and the SSH port can be easily found in some cases.
Or, you know, just edit the /etc/ssh/sshd_config file to only his IP being able to join.
> Or, you know, just edit the /etc/ssh/sshd_config file to only his IP being able to join.
But there is such a thing as a VPN which can change your IP
> But there is such a thing as a VPN which can change your IP
You didn't get what I was saying.
> I use SSH keys, restrict login by IP, use sentences as passwords and change SSH port.
SSH keys are pointless. Just use a SHA-256 or MD5 Salted hash as a password, like I do on my servers.
> Let me put your message in detail:
> "Using a key file that restricts your server to your specific PC with password auth disabled, and using IP restrictions to restrict the dedicated server/Virtual private server to your specific PC so no one can login to it except your PC, but doing it just in case someone somehow comes to your house and gets it via USB, is pointless, let me use a password that can easily be obtained via sent email, or Skype, or even saved inside of the .bash_history. (like 50% of tards who first start using a dedi/vps happen to somehow screw up)"
> Smart logic there, Shakespeare.
> And before you say "Well all of it can be defeated via a RAT", if someone is stupid enough, or inconvenient enough to somehow get ratted, and their stuff screwed over, then that sounds like a personal problem they need to work on.
> Thank you for reading.
ur welcome
> Let me put your message in detail:
> "Using a key file that restricts your server to your specific PC with password auth disabled, and using IP restrictions to restrict the dedicated server/Virtual private server to your specific PC so no one can login to it except your PC, but doing it just in case someone somehow comes to your house and gets it via USB, is pointless, let me use a password that can easily be obtained via sent email, or Skype, or even saved inside of the .bash_history. (like 50% of tards who first start using a dedi/vps happen to somehow screw up)"
> Smart logic there, Shakespeare.
> And before you say "Well all of it can be defeated via a RAT", if someone is stupid enough, or inconvenient enough to somehow get ratted, and their stuff screwed over, then that sounds like a personal problem they need to work on.
> Thank you for reading.
Seems like you have some deep autism there. You should always use a different password. Emails, Social Media, Servers, etc. passwords should be different. And, IP restrictions to root privilege isn't a stupid thing? You should only login to your server via your IP address. Why would your password be in .bash_history anyways? You'd need a user to login too to see the history anyways. Either way, your point is stupid.
> Seems like you have some deep autism there. You should always use a different password. Emails, Social Media, Servers, etc. passwords should be different. And, IP restrictions to root privilege isn't a stupid thing? You should only login to your server via your IP address. Why would your password be in .bash_history anyways? You'd need a user to login too to see the history anyways. Either way, your point is stupid.
OH SHIT MAN YOU GOT HIM!!!
> OH SHIT MAN YOU GOT HIM!!!
Yes.
couch to you
> SSH keys are pointless.
This made me chuckle.
> This made me chuckle.
> I'm pretty sure any serious business/infrastructure uses SSH keys. If they don't, they should.
> I honestly didn't ever expect to hold an argument like this because any somewhat experienced Linux user knows that SSH keys are much safer than SSH passwords.
> Here's why:
> - Bots. No matter what port, IP, etc. you use, you'll always be a victim of bots trying to brute-force your server if your SSH service is accessible publicly. Let's also keep in mind, this fills up your SSH log file. Believe it or not, I had a client whose VPS crashed because it ran out of storage due to its SSH log file.
> - When you use an SSH key, your private key remains on the client side, and no secret phrase is shared. This beats any encryption method as it completely blocks out MIM attacks.
And this is why IP Restrictions come in handy, which entirely backs me up. Thanks again, Bosny. And, we can easily make a script to delete the SSH log file every 1 minute - every 5?
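Added example, not written by any poster in this thread: a small Python audit of sshd_config text for the two measures the thread argues over, key-only login and restricting logins by source address. The function names, the sample configs and the documentation address 203.0.113.10 are constructed for illustration; it assumes whitespace-separated keywords and inspects only global settings that appear before any Match block.

```python
# Added example; WEAK and HARDENED are constructed sample configs.
DEFAULTS = {  # OpenSSH behaviour when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Effective global settings: sshd keeps the first value seen per keyword."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # settings after a Match line apply only conditionally
        if key == "allowusers":
            allow_users += value.split()  # AllowUsers entries accumulate
        elif key in DEFAULTS and key not in settings:
            settings[key] = value.lower()
    return {**DEFAULTS, **settings}, allow_users

def audit(text):
    """Return findings for password exposure and missing source restriction."""
    s, allow = parse_global(text)
    checks = [
        (s["passwordauthentication"] != "no", "password login enabled (brute-forceable)"),
        (s["kbdinteractiveauthentication"] != "no", "keyboard-interactive login enabled"),
        (s["pubkeyauthentication"] != "yes", "public key login disabled"),
        (s["permitrootlogin"] == "yes", "root may log in with a password"),
        (not any("@" in u for u in allow), "no AllowUsers user@host restriction"),
    ]
    return [msg for bad, msg in checks if bad]
WEAK = """Port 2222
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
AllowUsers admin@203.0.113.10
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED), sep="\n")
```

After editing the real file, `sshd -t` checks the syntax before the service is reloaded; keep an existing session open until a new key-based login has been confirmed.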
