How to NOT Harden SSH

  • Published on 3 Nov 2024

Comments • 274

  • @Jmcgee1125
    @Jmcgee1125 2 years ago +200

    Problem: SSH has mitigable security issues.
    Solution: Trust an unknown cloud service to monitor all of your connections.

    • @5hunt3r
      @5hunt3r 2 years ago

      throw in blockchain-nft-cloud-quantum-serverless-security and you got yourself a deal

  • @hellofyou
    @hellofyou 2 years ago +73

    As someone who works in IT for a large hosting company I have to disagree with the very first statement of switching the SSH port.
    Setting up honeypots to test such things revealed things to me personally in that regard.
    While it may not prevent targeted attacks it helps massively to reduce automated SSH attacks on your machine.
    If port 22 is not open bots often have trouble targeting your machine and you will see a drastic decrease in unauthorized login attempts.
    Using Fail2Ban or Denyhosts in addition to that then brings automated attacks to a bare minimum in a very short time.
    Furthermore if you use a port that belongs to another known service that is not running on that machine it helps as well.
    Also, when do you actually have to type your ssh port? Only on machines that you do not own where you probably should not login from in the first place.
    So yeah it may not be the most secure thing to do but it already helps a lot.

    • @pelic9608
      @pelic9608 2 years ago +8

      I'm always thinking that people stating that point have never deployed a service, beyond maybe their little personal project with 1000 users/month.
      Fail2Ban is good and all, but seriously, my machines have data to serve. I very much appreciate not having to deal with the load of fail2banning all these bots.
      Wondering about whether people don't know about .ssh/config, too. Changing ports is a hassle? What? 😄

  • @sillysimon7889
    @sillysimon7889 2 years ago +112

    1:11 would partly disagree about changing the SSH port. Yes, it won't hold back any bad actor targeting your system specifically but it will help against bots that scan for open SSH ports on the internet. So while it isn't a strong security measure, it can be helpful against more broad attacks.

    • @killertigergaming6762
      @killertigergaming6762 2 years ago +3

      Yeah, and if you have, say, fail2ban or something else, they will likely just get blocked

    • @JordanPlayz158
      @JordanPlayz158 2 years ago +1

      It all depends on your definition of a security measure. IMO, it's not one, because whether or not you have a machine with a default root account, all you are doing is increasing the amount of time it'll take to exploit it, kind of like security by obscurity, which no one reputable recognizes as an actual security measure

    • @gg-gn3re
      @gg-gn3re 2 years ago +13

      yea everything he said was wrong there. No, you don't need to specify the port every time you connect.. use a config file
      and it is of great benefit because it never gets scanned. I've had it on an alt port for 20 years and it still hasn't been scanned. This allows EVERY SINGLE CONNECTION ATTEMPT that happens to be able to be texted to me so I know everything that happens. The alternative is thousands of texts because auto China/Russia bots will spam scan port 22 all day
      Also big benefit to fail2ban, not having to do anything > having to block 1000 people per day

    • @Z29vZ2xlc3Vja3Mu
      @Z29vZ2xlc3Vja3Mu 2 years ago +1

      Opens up the port for a tar pit as well :^)

    • @RareSushi
      @RareSushi 2 years ago

      but if you need to be connected to their VPN to access it, it's a non-problem

  • @MrinalKantiM
    @MrinalKantiM 2 years ago +13

    Even if you switch SSH port, you can still use the default as a honeypot (bot trap). Then anyone/anything that comes knocking on the default port gets an entry on the ban list. The default SSH and SMB ports seem to be the best candidates for honeypots that help in early identification of those pesky net-blocks.

  • @hashkeeper
    @hashkeeper 2 years ago +3

    "hmm security... i trust the abstraction of a brand more" thanks, excellent content as always bro

  • @killistan
    @killistan 2 years ago +534

    Changing your port number just reduces the noise (bots trying to brute force root's/test's password). Just keeps the logs shorter.

    • @maxmustermann5623
      @maxmustermann5623 2 years ago +117

      Changing the SSH port is one of the first things I do, like you said it filters out 99% of brute-force attacks, how can this not be considered a security measure? This in combination with fail2ban banning people who aggressively do portscans on your server is enough to get to 100% for me.

    • @fredwupkensoppel8949
      @fredwupkensoppel8949 2 years ago +83

      That's what fail2ban is for. First try, second try, third try, fourth and off to the blacklist with your IP. We have a nice script that automates some fun statistics, like where it came from and whatnot. We even found the IP of a fairly large game developer in there; they either have a compromised server or, more likely, smart toaster or some user's device that became a nice host for a bot.
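      The fail2ban-style counting discussed in this thread (ban a source after a few failures inside a short window, then pull per-source statistics such as which usernames it tried, and feed a honeypot sshd on the default port into the same ban list), written out as an added Python example. It is not code from the video, from this thread or from the fail2ban project. The log lines are constructed in the syslog format OpenSSH emits, the year is assumed to be 2024 because syslog timestamps carry none, and the thresholds (3 failures within 10 minutes) are illustrative rather than fail2ban's defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog/auth.log format OpenSSH emits; not captured from a real host.
SAMPLE_LOG = """\
Nov  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Nov  3 10:00:02 host sshd[1202]: Failed password for invalid user test from 198.51.100.7 port 51001 ssh2
Nov  3 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 51002 ssh2
Nov  3 10:00:04 host sshd[1204]: Failed password for root from 198.51.100.7 port 51003 ssh2
Nov  3 10:00:10 host sshd[1210]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Nov  3 10:00:40 host sshd[1211]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2: ED25519 SHA256:constructed
Nov  3 11:30:00 host sshd[1300]: Failed password for invalid user oracle from 192.0.2.55 port 33000 ssh2
Nov  3 11:30:01 host sshd[1301]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Nov  3 11:30:02 host sshd[1302]: Failed password for invalid user oracle from 192.0.2.55 port 33002 ssh2
Nov  3 13:00:00 host sshd[1400]: Failed password for invalid user pi from 192.0.2.55 port 33100 ssh2
"""

# "invalid user" appears when the account does not exist; it is optional in the pattern.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2024  # assumption: syslog lines carry no year


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username) for every failed password login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        failures.append((ts, m["ip"], m["user"]))
    return failures


def find_bans(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: an IP is banned once it has `maxretry` failures inside a sliding
    `findtime` window. Returns {ip: time_of_ban} for the first window that trips."""
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    bans = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= findtime:
                bans[ip] = times[i]
                break
    return bans


def summarize(failures):
    """Per-IP failure count and the set of usernames tried (the 'fun statistics' script)."""
    stats = {}
    for _, ip, user in failures:
        count, users = stats.get(ip, (0, set()))
        stats[ip] = (count + 1, users | {user})
    return stats


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for ip, when in find_bans(found).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    for ip, (n, users) in summarize(found).items():
        print(f"{ip}: {n} failures, usernames tried: {sorted(users)}")
```

      The accepted-publickey line stays in the sample to show the filter ignores it. The returned ban set is what a firewall rule would consume; a sshd left listening on port 22 purely as a trap, as suggested earlier in this thread, produces exactly these lines and can feed the same parser.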

    • @AR15ORIGINAL
      @AR15ORIGINAL 2 years ago +33

      @Dr. Jenna Tolls it does at least cut out on the dumbest bots

    • @killistan
      @killistan 2 years ago +37

      @Dr. Jenna Tolls It's about the logs! It's not about keeping a dedicated attacker out. ...It's like locking a glass door.

    • @IgnoreMyChan
      @IgnoreMyChan 2 years ago

      @whaaa t Kenny, they found a new way of spamming on your channel... what losers!

  • @grenin1010
    @grenin1010 2 years ago +18

    I've always wanted to set up port knocking, sounds by far the best way to secure network access to a server, and is also just super cool. But then I always just set up ssh like normal, and wish the attackers the best of luck.

    • @user-lt2rw5nr9s
      @user-lt2rw5nr9s 2 years ago +1

      I've only heard it talked about theoretically. I've never seen it used in practice before.

  • @Alexbl100
    @Alexbl100 2 years ago +111

    real sysadmins memorize their ssh keys. stay hardcore

    • @TheZarlo
      @TheZarlo 2 years ago +9

      or use HW keys and have backups

    • @HatTrex
      @HatTrex 2 years ago +7

      It's not even a joke

    • @aqyx
      @aqyx 2 years ago +14

      @@MoradorDeCalcada after seeing the same keys for the 90000th time you just remember them

    • @ginbarato1178
      @ginbarato1178 2 years ago +1

      @@aqyx they are like 30 characters

    • @ThirtytwoJ
      @ThirtytwoJ 2 years ago

      People with memory problems not an option. Might suggest black light tattoo ink lol

  • @knick5218
    @knick5218 2 years ago +7

    As well as all your other Linux related videos, this one was an absolute blessing of a video.

  • @Phroggster
    @Phroggster 2 years ago +29

    I'd also like to point out PAM-2FA, amongst others, which can be used to mandate time-based OTPs or Yubikeys, etc., as second-factor authentication sources in SSHD as well as for console logins. Generally not too hard to bolt on to any system that uses PAM.

    • @PshNesk
      @PshNesk 2 years ago +2

      Why does a system need to use a cooking spray?

    • @Phroggster
      @Phroggster 2 years ago +9

      @@PshNesk To keep users from getting stuck and burnt-out during auth.

    • @thighdude7
      @thighdude7 2 years ago

      easy to implement, and make entry of TOTP happen first before creds.... If you don't restrict source IPs, add fail2ban also...

    • @FentFanta
      @FentFanta 2 years ago

      My sysadmin got a yubikey and he told us that the thing required an internet connection to work. Is this true? Considering getting a key

  • @phiwatec2576
    @phiwatec2576 2 years ago +48

    In a company a good option would be to use certificate based ssh. This way leaked or old keys aren't a problem as they are only valid for a day. In this way you also don't have to put everyone's public key to the machines. Something like smallsteps step-ca would be the solution

    • @jinxedpenguin
      @jinxedpenguin 2 years ago +1

      Also, if seized, sure, but most companies enforce encryption on their devices... so, even if the device is lost or stolen, it probably won't cause real damage. EVEN if someone is just using SSH keys without passwords or not using certificates.

    • @rogo7330
      @rogo7330 2 years ago +1

      One-day certs are good if you have a way to automate the process of re-signing and distributing certificates to your clients, which requires 24/7 access to your CA. But if you already have that, a simpler solution would be to do all connections through a bastion machine and isolate your infrastructure that way so you can connect to it only through the bastion.

  • @samueldudley8084
    @samueldudley8084 2 years ago +10

    For point 7 you can attach the EBS volume to another EC2 instance and add your keys that way to regain access.

  • @legoenforcer7734
    @legoenforcer7734 2 years ago

    thanks for all that you do mental outlaw, so glad there are some genuine souls out there cutting through as much cruft as they can, and getting us to the meat of things in the shortest time possible, I gotta get better at this myself, cheers mate!

  • @mikahuttunen7054
    @mikahuttunen7054 2 years ago +8

    I just recently put a new server on, and within a week there were about 50000 login attempts with all kinds of default accounts. I changed the port number, and now a week later there seems to be only 1 such case.. I don't know but it seems to me that it's better and maybe statistically more secure that there is only 1 "hacking attempt" versus 50000 bots trying everything around the clock

    • @blemmyes
      @blemmyes 2 years ago

      Seconded, I myself haven't even gotten a single unsolicited login attempt in almost 2 months. Though the disadvantage of doing this is that certain networks block everything but standard port numbers, so you may be unable to connect to your server without VPNing in first.

  • @XORfun
    @XORfun 2 years ago +21

    This got my sshd so effing hard. Thanks brah

  • @Grishanof
    @Grishanof 2 years ago +3

    Changing SSH port to 80 or 443 allows me to access the machine from various ill-configured networks, so it IS useful.

  • @LokiScarletWasHere
    @LokiScarletWasHere 2 years ago +3

    Honestly, these days I use a yubikey. At one point I didn't care for them because I thought they were just emulated keyboards typing OTPs, but once I realized I could use their FIDO function to store an SSH key I was on board.

  • @Drogobo
    @Drogobo 2 years ago +6

    youtube was really quick recommending me this

  • @DavidNwokoye
    @DavidNwokoye 2 years ago +28

    Journalist: *Uses Harden*
    But it fails

    • @hehe42069-k
      @hehe42069-k 2 years ago +5

      Journalist uses BRAIN!
      ...But it failed!

    • @yeetdeets
      @yeetdeets 2 years ago +4

      @@hehe42069-k Journalist hurts his career in his confusion!

    • @Garock2
      @Garock2 2 years ago +1

      @Rlaziken it's very effective!

  • @ianmoore322
    @ianmoore322 2 years ago +14

    My ssh is literally diamonds rn

  • @juanignaciocarrano860
    @juanignaciocarrano860 2 years ago +4

    The thing with Fail2ban/sshguard and/or non-standard ports is not so much about security but network traffic too. The first server I set up was on a home machine with limited bandwidth. I had pw authentication and root login disabled and all, but the volume of connection attempts from Chinese bots was so huge that I almost could not connect. Of course the bots would never be able to break in but they were crippling my connection.

  • @milohoffman274
    @milohoffman274 2 years ago +22

    Meh, if you have a public hosted server, there are CONSTANTLY bots trying to connect via ssh. It's a good idea to change to a different port just so their job isn't easy.

    • @jacksoncremean1664
      @jacksoncremean1664 2 years ago +7

      Or just don't have it exposed to the internet
      Will stop 99% of hacks it's far more effective than a port change

    • @milohoffman274
      @milohoffman274 2 years ago +2

      @@jacksoncremean1664 Hard to do when you are hosted on AWS or Google Cloud.

    • @jacksoncremean1664
      @jacksoncremean1664 2 years ago +1

      @@milohoffman274 firewall or vpn

    • @sergsergesrgergseg
      @sergsergesrgergseg 2 years ago

      it's just basic bruteforcing though, if you just use any password that isn't 1234 or admin ur fine

  • @andrewbig9806
    @andrewbig9806 2 years ago

    Love your videos, you are very informative. Would love to see more guides from you from a technical aspect. Everything from servers to harden it and what not.

  • @TheGlitchyFox
    @TheGlitchyFox 2 years ago +8

    This is the silliest article of all time

    • @stevdodd7515
      @stevdodd7515 2 years ago +1

      Silly is a big thing.

    • @lorenzzz8630
      @lorenzzz8630 2 years ago +1

      Yes very silly indeed

    • @twl148
      @twl148 2 years ago +2

      A little goofy ahh

    • @Blood-PawWerewolf
      @Blood-PawWerewolf 2 years ago +1

      That’s the point. It’s an “advertisement” for a (most definitely) less secure service that looks like an article. The classic “(click)bait and switch” tactic. I wouldn’t be surprised if the person who wrote that article created or has involvement with BastionZero, like he’s on the board, or has invested in the company.

  • @Mikesco3
    @Mikesco3 2 years ago

    I can't thank you enough for your actual security info

  • @Draconatus24
    @Draconatus24 2 years ago +1

    I watch a lot of techie channels that tell me what I should use, but you’re one of the only ones that is very thorough with your videos, and are actually telling me what to use, what not to use, and why. So I have a question for you. What do you think about a fellow privacy/tech YouTuber Rob Braxman, and his products like the vpn service and router? It would be interesting to hear what you think about it, and if you think it would be trustworthy or something like the anon phone type thing.

  • @cloudkungfu
    @cloudkungfu 2 years ago

    i recognized that phrase! Bastion host, saw it in the O'Reilly book "Building Secure & Reliable Systems" 😃

  • @marc-andreservant201
    @marc-andreservant201 2 years ago +15

    Using just an SSH key to login and no password would actually be safe in most circumstances. The key is either encrypted with a passphrase or stored in your OS's keystore. A thief would have a hard time using the key even if they do steal your laptop.

    • @schwingedeshaehers
      @schwingedeshaehers 2 years ago +1

      And then you have time to remove the key from the server

    • @onebacon_
      @onebacon_ 2 years ago

      Where is the key encrypted, isn't it always laying plain text in ~/.ssh/id_rsa ?

    • @schwingedeshaehers
      @schwingedeshaehers 2 years ago +2

      @@onebacon_ but the contents can be encrypted, so that you need a password to decrypt it

    • @GabrielSoldani
      @GabrielSoldani 2 years ago +1

      @@onebacon_ OP assumes you’re using full disk encryption probably

  • @apolloapostolos5127
    @apolloapostolos5127 1 year ago

    Watching the first 2 min took me 6 min, because I kept laughing over you. I f’ing love this content.

  • @roboticbrain2027
    @roboticbrain2027 2 years ago +9

    If you really want to harden ssh use a pam module to require 2FA!
    Even supposed Senior IT professionals were surprised by my setup ;)

    • @thighdude7
      @thighdude7 2 years ago +1

      Yes - you can use both totp mfa, fail2ban, secure dns, and store the public key in dns

  • @servinetit5756
    @servinetit5756 2 years ago

    when you got to nr5 I was already laughing so hard 🤣
    couldn't have said anything better. great video dude.

  • @midimusicforever
    @midimusicforever 2 years ago +4

    I love the TSA roast!

  • @CMDRSweeper
    @CMDRSweeper 2 years ago +12

    Well my SSH setup is set to not be reachable from the outside at all, so how do I remote in when I need to on the go?
    I use my own VPN setup to achieve this, while you can knock on the server and find the OpenVPN server that runs, to gain access you need a signed certificate by the server for said client, a password and username.
    As an added measure I keep my usernames, passwords and certificates per device, meaning if I lose my phone, laptop or whatever, I can quickly invalidate the certificate, making any login attempt null and void.
    The SSH servers on the inside though, do allow password and root logins, as the internal traffic quite often requires that, so they aren't hardened at all.

    • @CMDRSweeper
      @CMDRSweeper 2 years ago +1

      @@TarsteelPCGaming Some of these boxes aren't supposed to give you root access due to their "appliance" nature.
      But I did view it like... What threat can try to log in to the root account, as the only access to that side of the network is inside my 4 walls and it is in a home scenario.
      So if you are in my house, I have bigger issues than my root account, the other option is you compromise my PFSense box, and that is an even bigger cause for concern.
      But yes, my internal network has a few interesting "Holes" such as my switch has the password of "password", but to access that one you have to plug in physically and set the correct manual IP to gain access.

    • @viper3630
      @viper3630 2 years ago

      That's a very smart idea actually, gonna do that on my SSH connections

  • @1.N.Decent
    @1.N.Decent 2 years ago

    I used to set up administrative ports on odd numbers. While it did reduce logs, it added chores for setting up, documenting guides and upgrading. Since I'm a one-man department it wasn't worth the effort. I went back to defaults after upgrade.

  • @ducksies
    @ducksies 2 years ago +31

    What are your thoughts on functional distros like NixOS?

    • @duckmeat4674
      @duckmeat4674 2 years ago

      I want someone's comment on it. Seems like a great idea, but even after running gentoo on my machine, nixos was too painful

    • @denpa-kei
      @denpa-kei 2 years ago +1

      The System Crafters channel does a good job, but it's centered around Guix, emacs etc... but it's familiar to Nix, you can at least learn something new

    • @cory1111
      @cory1111 2 years ago

      Been a blast using it

    • @DeuxisWasTaken
      @DeuxisWasTaken 2 years ago

      @@duckmeat4674 I used Gentoo and Exherbo, NixOS is an absolute breeze in comparison.

  • @lukazaur2518
    @lukazaur2518 2 years ago

    6. If you lose your ssh key an administrator can revoke the key. If you are the admin and lose the ssh key just shut down the machine, open a virtual console and use rd.break or another solution to break, set up a password. Then you can do anything through emergency mode.

  • @camwha5904
    @camwha5904 2 years ago +1

    10:21 “Good luck I’m behind 7 proxies” meme

  • @tulsatrash
    @tulsatrash 2 years ago

    Thank you very much for making this.

  • @ppQmaister
    @ppQmaister 2 years ago

    Best thumbnail ever.

  • @johnathonzorbac4361
    @johnathonzorbac4361 4 months ago

    thanks for your service

  • @majdps995
    @majdps995 2 years ago

    At first, I felt that it was not a good idea to show his name and other stuff.
    But since he was promoting this shtass service then he deserves it.
    Great content as always.

  • @tfr
    @tfr 2 years ago +13

    I disagree with point 1. Yes, any script kiddie with Nmap will be able to find the SSH port, but at least my firewall will be able to detect the suspicious packet load and stop some of the requests... Besides, some script kiddies scan the entire internet for port 22 to find servers with SSH open... I personally have my SSH on a non-standard port and, well, it helps me sleep easier at night knowing attempting to SSH will just refuse the connection unless you KNOW the port, thus it's just about as secure as placing a paperclip inside my front door to prevent lockpicking.

    • @MentalOutlaw
      @MentalOutlaw 2 years ago +7

      If you don't want port 22 to always be open you could set up port knocking to open it only when you need it.

    • @visvge4934
      @visvge4934 2 years ago +1

      you don't have to know the port though you can just see the banner response during a scan

    • @IgnoreMyChan
      @IgnoreMyChan 2 years ago

      @our hero What kind of stupid spam is this?

    • @Ethorbit
      @Ethorbit 2 years ago +1

      @@IgnoreMyChan it's on every video's comments

    • @acolyte8564
      @acolyte8564 2 years ago

      @@MentalOutlaw explain.

  • @joinedupjon
    @joinedupjon 2 years ago

    I think the target audience for the adverts is clearly 'your boss'
    hey, why haven't we got this new thing I've just seen an advert for

  • @baarum
    @baarum 2 years ago +4

    It comes from "The Cloud", so it must be good, right? Right?

  • @johnsmith8981
    @johnsmith8981 2 years ago +3

    Me: *thinking he joke about hardening SSH*
    You: *immediately uses the joke*
    Yeah I'm subscribed to the right channel 😂

  • @Felix-ve9hs
    @Felix-ve9hs 2 years ago +3

    If you use SSH on an Enterprise level, you should really use SSH certificates

  • @Kakerate2
    @Kakerate2 2 years ago

    5:07 you'd be surprised at this. SWIM worked as a car repo person, and after they quit their login to search person's car off name, and name off license plate WORKED. Like, indefinitely. He stopped using it when he advanced from Windows XP.

  • @pootispiker2866
    @pootispiker2866 2 years ago

    I use wireguard to connect to my LAN and use SSH over it. Nobody brute forcing it and I get some security on mobile networks and hotspots. Works wonders for SMB on Android 12 too

  • @oussemaloukil9268
    @oussemaloukil9268 2 years ago

    As i was thinking about what port number would be stupid to use and thought 42069 , he literally answered me 😂

  • @HinaraT
    @HinaraT 2 years ago

    To be fair, management at enterprise level of ssh keys can be a bit hard to do by hand, but I think Amazon has its way to deal with that, because it allows you to identify to containers via their script. I don't know for EC2, but in any case an "easy" option compatible with the OpenSSH client is a custom ssh-agent, which does automatically manage ssh keys and permissions. It might not be perfect, because the key you are using can be leaked, but at least it enables you to interface with the OpenSSH client with just a bit of work (launching the program which might ask your credentials, and adding the corresponding environment variable), and as some mentioned, couple this with SSH certificates with short duration and you are good to go, and it would be way easier to make software compatible with them as it is standard (ex: git)

  • @NomadsBoyTv
    @NomadsBoyTv 2 years ago +1

    I use port knocking. I know that it's sec through obs and can be sniffed out, but I'm honestly comfy with that. The chances of being logged on my wifi and somehow getting my key and passphrase, at that point I deserve to be hacked.

  • @Sawta
    @Sawta 2 years ago

    >instead of dealing with these "problems", farm it out to a company who may have the exact same problems, but with no way of knowing about it.

  • @DamnHeadHumpers
    @DamnHeadHumpers 2 years ago

    Your hardened SSH is making my SSH really hard...

  • @winnie8614
    @winnie8614 2 years ago

    About number 4.
    If a user has ssh access and they are in sudoers, then it is possible to create a new "secret" user and have its keys, even after being fired.

    • @schwingedeshaehers
      @schwingedeshaehers 2 years ago

      It depends on the config, even if sudo is allowed (for example, if sudo is allowed, but not to root)

  • @samiraperi467
    @samiraperi467 2 years ago

    I bet Mark there has a vested interest in that startup.

  • @devinbrooks136
    @devinbrooks136 2 years ago

    You got me laughing about getting that SSH hard, great video.

  • @ichigonixsun
    @ichigonixsun 2 years ago +1

    5:50 Do cosmic rays also affect HDDs, or just flash/solid state memory? Anyways, I thought HDDs used error correction codes, so it is going to be a lot easier for the entire hard drive to fail before any sufficient number of bit flips happen.

  • @thesystemsucks
    @thesystemsucks 2 years ago

    FYI you can password protect your bitcoin seed phrase with a bip-39 passphrase (25th word)

  • 2 years ago

    Disabling root doesn't do much either. If you have strong authentication via keys it can't be broken anyway and if the attacker can compromise the account used for administration there are multiple ways to escalate privileges.

  • @paxdriver
    @paxdriver 2 years ago +1

    Would you please do a video on VPN with ssh and ipv4 filtering on WiFi. I know each of those individually but totally flew over my head bundled together lol is the ssh end to end outside of the VPN or is the VPN tunnel encrypting the ssh encrypted packets too or separately via their respective ports?
    Then is ipv4 filter wrapping around or inside of the VPN tunnel and the ssh connection or just one of them? Or both?
    Does the WiFi network's security affect the encrypted VPN / ssh connection or would they still have to man-in-the-middle traffic to snoop packets?

  • @vkvishnu
    @vkvishnu 2 years ago

    Yup just listen to some random article on hardening SSH. Sounds about right.

  • @TILR
    @TILR 2 years ago +2

    that TSA burn XD

  • @7heMech
    @7heMech 2 years ago +8

    That's really unfortunate, since people actually trust those...

  • @tailsmonster12
    @tailsmonster12 2 years ago

    as someone who recently setup a github and cloned a repo via ssh in gitbash, I understood that reference 😎😎😎

  • @tsuzuku6427
    @tsuzuku6427 2 years ago

    Lol South Park made an episode about this a few years back. "News" is advertising now. Journalists are literally writing articles based around the idea of selling a product or service to solve some sort of artificially manufactured issue.

  • @64-bit6
    @64-bit6 2 years ago +1

    Truly incredible

  • @BoGy1980
    @BoGy1980 2 years ago +1

    5) if your keys get destroyed on the laptop, just remove the corrupt key from the ssh_keys file on your laptop, and try to connect again, the client will ask you to save the key again... using decent passwords should be more than safe enough, surely if you restrict access to only certain VLANs or IP ranges from the network (so that you have to use a VPN)
    I even have one world-readable ssh server and in the 6 years it's been online and the many password-hack attempts the scriptkiddies use, it's never even had the correct username trying to log in, let alone them finding the password to one of the accounts... decent usernames are also important, if you use 'administrator' or admin as username you're just asking to get hacked, then again if you use 'my-nickname-admin' that's a whole different story, especially if you don't use that 'admin' account anywhere else on the net (so they can't fish it out when they hack some big website's user database)

  • @Chaminox
    @Chaminox 2 years ago +2

    Great Content as always

  • @cd-yx3nv
    @cd-yx3nv 2 years ago +8

    just use telnet

    • @Degenerate76
      @Degenerate76 2 years ago +6

      Ideally with root pass set to "password123".

    • @Ok-gz7vx
      @Ok-gz7vx 2 years ago

      @@Degenerate76 Too long a password. I will give you a helpful password tip, make your root password toor.

    • @bltzcstrnx
      @bltzcstrnx 2 years ago +1

      Telnet over Wireguard

    • @Rightly_Divided
      @Rightly_Divided 2 years ago

      That made me crack up

  • @ADKBuddy
    @ADKBuddy 2 years ago +2

    Mark is such a goober

  • @lifebarier
    @lifebarier 2 years ago

    Changing the default ssh port on the IP of my home network removed brute force attempts completely. Will not work on some server hosting some service as those are more valuable to scan.

  • @jimmyscott5144
    @jimmyscott5144 2 years ago

    You should make, like, a video about different ways of making ssh keys. I use PuTTYgen that comes when you install PuTTY on Windows but maybe I should use something else.

  • @_colonial_
    @_colonial_ 2 years ago +1

    I may be misremembering, but aren't they just selling a jump box with a fancy GUI stapled to it??

  • @MrRandsauce
    @MrRandsauce 2 years ago

    I dunno, security thru obscurity such as port knocking and changing default port would still mitigate attack from most bots I would imagine. That's gotta count for something or not.

  • @oneironaut2209
    @oneironaut2209 2 years ago

    I just saw this on reddit yesterday

  • @alejandroalzatesanchez
    @alejandroalzatesanchez 2 years ago

    oh boy how much I love his sarcasm

  • @maiyannah
    @maiyannah 2 years ago +5

    If you sleep better with changing the port of ssh, you are sleeping better with a false sense of security, and you probably aren't securing your server properly.

    • @UnknownYTx
      @UnknownYTx 2 years ago +7

      Sure, but most people change it to reduce log spam, which is fair.

    • @IsaacShoebottom
      @IsaacShoebottom 2 years ago +1

      I use a ssh hole on my default port 22 so bots get trapped

    • @bltzcstrnx
      @bltzcstrnx 2 years ago +1

      Changing port massively reduces the number of nonsense logs generated by bots. This makes actual attacks more visible and easier to detect. Other things to be done are disabling root ssh access and user, and disable password login. If you need extra security, disable external access and use VPN for additional security. With VPN, changing port is less needed.
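      The server-side settings this thread converges on (no root login, no password login, keys only, optionally a second factor through PAM as suggested further up, and the port change counted as noise reduction rather than a security control) as an added Python example that audits the global section of an sshd_config. It is not code from the video, from this thread or from OpenSSH. The two configs are constructed samples; the defaults it falls back on (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, AuthenticationMethods any, Port 22) are those of current OpenSSH releases, and the severity labels and wording are mine.

```python
import re

# Constructed: a fresh install plus two bad choices.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed: keys plus a PAM-driven one-time code, root disabled, non-default port.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Match Address 10.0.0.0/8
    AuthenticationMethods publickey   # conditional: not part of the global audit
"""

# Assumed OpenSSH defaults used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "any",
    "port": "22",
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section.
    sshd keeps the first value it sees for a keyword, and everything after a Match line
    applies only to matching connections, so parsing stops there."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            conf.setdefault(key, parts[1].strip())
    return conf


def audit(conf):
    """Return a list of (severity, message) findings for the hardening points above."""
    def get(key):
        return conf.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(("HIGH", f"PermitRootLogin is '{get('permitrootlogin')}': set it to 'no' "
                                 "and administer through an unprivileged user plus sudo"))
    if get("passwordauthentication") != "no":
        findings.append(("HIGH", "PasswordAuthentication is enabled: online password guessing "
                                 "is possible, disable it and use keys"))
    if get("pubkeyauthentication") != "yes":
        findings.append(("HIGH", "PubkeyAuthentication is disabled"))
    if "publickey,keyboard-interactive" not in get("authenticationmethods"):
        findings.append(("INFO", "No second factor: AuthenticationMethods "
                                 "'publickey,keyboard-interactive' plus a PAM OTP module "
                                 "would require both a key and a code"))
    if get("port") != "22":
        findings.append(("INFO", f"Port {get('port')}: a non-default port cuts scanner noise "
                                 "in the logs but is not an authentication control"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for severity, message in audit(parse_sshd_config(text)):
            print(f"[{severity}] {message}")
```

      Directives inside a Match block are skipped on purpose: they only apply to the matching clients, so a global verdict would be wrong either way. Extend DEFAULTS and audit() with whatever else your baseline demands (MaxAuthTries, AllowUsers, and so on).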

  • @d3vm305
    @d3vm305 2 years ago

    We use The Bastion(OVH) in prod.

  • @KokoroKatsura
    @KokoroKatsura 2 years ago

    now you're hearing pokemon stadium minigame music

  • @Felix-ve9hs
    @Felix-ve9hs 2 years ago

    This guy really should read the book SSH Mastery by Michael W. Lucas

  • @aymanpatel5862
    @aymanpatel5862 2 years ago +1

    What about Hashicorp Vault?

  • @Lucy_chan
    @Lucy_chan 2 years ago

    "I never heard anyone using ssh private key without password". Me be like oh shit, lets set up key with password :D

  • @cybr774
    @cybr774 1 year ago

    Have you ever heard of teleport? Do you think it could be an interesting option of securing access to servers?

  • @Deniil2000
    @Deniil2000 2 years ago +1

    Password-protected SSH keys getting stolen is not a problem at all, I think. In order to brute-force the password, you need to connect to the actual owner's SSH server to tell you if the password was correct (if decryption was correct). So it's not like you can just grind the password offline, like you can do with password hashes, for example. This is the kind of security I really wish was everywhere, not just SSH.

    • @schwingedeshaehers
      @schwingedeshaehers 2 years ago +1

      Why do you need to connect? (And it is not true, it can be proven without a server to connect to (at least when you have the pub key, but I think also without))

    • @Deniil2000
      @Deniil2000 2 years ago +1

      @@schwingedeshaehers You need to connect to the SSH server in order to know if the key was decrypted correctly. There is no way of knowing that decryption went successfully locally.
      SSH key is just a bunch of bytes, there is no structures to look for when decrypting, only server can tell you if the key matches.
      That means that you need to connect to the server every brute-force iteration to know if it was successful. If you server has fail2ban installed - 3 wrong keys and you are blocked for an hour

    • @schwingedeshaehers
      @schwingedeshaehers 2 years ago +1

      @@Deniil2000 Then you can explain to me why my setup works? The first time I start a shell, I am asked for the passphrase of the key. If I enter a wrong one, it is rejected. How does that work without a server connection?

    • @Deniil2000
      @Deniil2000 2 years ago

      @@schwingedeshaehers Just tested it on my side and yes, it somehow knows if password was correct or not without asking the server. Looks like i'm wrong
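      What this thread found by experiment is visible in the openssh-key-v1 file layout: the section that gets encrypted begins with two copies of one random 32-bit "check" integer, so after decrypting with a candidate passphrase the client compares the two and rejects the passphrase locally when they differ, without any server involved. The added Python example below builds such a file and performs that check; it is not code from the video, from this thread or from OpenSSH. The public and private key bytes are placeholders (no Ed25519 math), and a PBKDF2/XOR toy cipher, named as such in the file, stands in for the bcrypt_pbkdf plus aes256-ctr OpenSSH really uses, so ssh-keygen would not load the output. The container fields, the kdfoptions layout (salt, rounds) and the checkint/padding structure follow the real format.

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"  # the real file header

# Constructed placeholders: 32 "public" bytes, 64 "private" bytes (seed||pub in a real key).
DEMO_PUB = bytes(range(32))
DEMO_PRIV = bytes(range(64))
DEMO_SALT = b"0123456789abcdef"
DEMO_ROUNDS = 20000        # kept small for the demo
DEMO_CHECKINT = 0xC0FFEE42  # random in a real key


def pack_str(b):
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential reader for the SSH wire types used in the key file."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def string(self):
        n = self.u32()
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def toy_keystream(passphrase, salt, rounds, length):
    """Toy stand-in for bcrypt_pbkdf + aes256-ctr: PBKDF2-HMAC-SHA256 output used as an XOR pad."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, rounds, length)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_private_section(checkint, key_type, pub, priv, comment, blocksize):
    """Plaintext that gets encrypted: checkint twice, the key, a comment, then 1,2,3... padding."""
    body = struct.pack(">II", checkint, checkint)
    body += pack_str(key_type) + pack_str(pub) + pack_str(priv) + pack_str(comment)
    pad = (-len(body)) % blocksize
    return body + bytes(range(1, pad + 1))


def build_key_file(passphrase, salt, rounds, checkint, pub, priv, comment=b"demo"):
    """Assemble an openssh-key-v1 container whose private section is protected by the toy cipher."""
    private = build_private_section(checkint, b"ssh-ed25519", pub, priv, comment, blocksize=16)
    encrypted = xor(private, toy_keystream(passphrase, salt, rounds, len(private)))
    kdfoptions = pack_str(salt) + struct.pack(">I", rounds)   # same layout as bcrypt's options
    pub_blob = pack_str(b"ssh-ed25519") + pack_str(pub)       # stored in the clear
    blob = (MAGIC + pack_str(b"toy-xor") + pack_str(b"toy-pbkdf2") + pack_str(kdfoptions)
            + struct.pack(">I", 1) + pack_str(pub_blob) + pack_str(encrypted))
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


def passphrase_is_correct(key_file, passphrase):
    """What the client does before it talks to any server: decrypt, then compare the two checkints."""
    lines = key_file.decode().splitlines()
    blob = base64.b64decode("".join(lines[1:-1]))
    assert blob.startswith(MAGIC)
    r = Reader(blob[len(MAGIC):])
    cipher, kdf, kdfoptions = r.string(), r.string(), r.string()
    nkeys = r.u32()
    assert cipher == b"toy-xor" and kdf == b"toy-pbkdf2" and nkeys == 1
    r.string()                      # public key blob
    encrypted = r.string()
    opts = Reader(kdfoptions)
    salt, rounds = opts.string(), opts.u32()
    plain = xor(encrypted, toy_keystream(passphrase, salt, rounds, len(encrypted)))
    p = Reader(plain)
    check1, check2 = p.u32(), p.u32()
    return check1 == check2         # garbage from a wrong passphrase agrees only with probability 2^-32


KEY_FILE = build_key_file(b"correct horse", DEMO_SALT, DEMO_ROUNDS, DEMO_CHECKINT, DEMO_PUB, DEMO_PRIV)

if __name__ == "__main__":
    for guess in (b"correct horse", b"correct horse!", b""):
        print(f"{guess!r}: {'accepted' if passphrase_is_correct(KEY_FILE, guess) else 'rejected'}")
```

      Because the check is local, a copied key file can be tested against passphrase guesses offline; the controls that matter are therefore a long passphrase, a high KDF round count (ssh-keygen -a) so each guess is expensive, and removing the matching public key from authorized_keys as soon as the loss is noticed, as the first reply in this thread says.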

  • @lonec1777
    @lonec1777 1 year ago

    5:56
    N64 1/quintillion gamma ray moment

  • @drrenard1277
    @drrenard1277 2 years ago

    I actually didn't think of having VPN login first before having access to SSH. I do have knocking though.

  • @noxiouspro
    @noxiouspro 2 years ago

    Where I can follow this guy on this Odyssey thing?

  • @denpa-kei
    @denpa-kei 2 years ago

    This is why I think about running my own website... a lot of this "john good advice" is basically "here is a problem... blah blah blah... and here is software I AD to you ... this is the solution".
    It's a nightmare, and it's even worse than advertising VPN

  • @Ultrajamz
    @Ultrajamz 2 years ago +2

    I keep my SSH rock hard.

  • @posiblylopsided8848
    @posiblylopsided8848 2 years ago +1

    i use tailscale for storing my ssh keys

  • @illya3859
    @illya3859 2 years ago

    You can just use SSH with SSSD and get user and role based access for free in combination with FreeIPA, MS AD or LDAP

  • @scottmiller2591
    @scottmiller2591 2 years ago

    "My SSH can only get so hard" - Dr. Krieger

  • @leeoswald668
    @leeoswald668 2 years ago

    It was an epic moment when mental outlaw said: everyone loves the cloud
    I had a domain for my self hosted stuff called everyonelovesthecloud

  • @24680kong
    @24680kong 2 years ago

    Thank you based IT man.

  • @rjhornsby
    @rjhornsby 2 years ago +1

    #7: is everyone sharing just one account? well, that’s a problem. don’t do that.

  • @IsaacFoster..
    @IsaacFoster.. 2 years ago +1

    Even... HARDER... *BEYOND* !!!

  • @bitanchowdhury4028
    @bitanchowdhury4028 2 years ago

    End of the day everything is different combination of 0 and 1 ..... That's it .... Amen ...

  • @purdysanchez
    @purdysanchez 2 years ago

    Welcome to the world of cloud computing where best practices advise you to use 10 servers to do what could be done by 1.

  • @rostamostmann9657
    @rostamostmann9657 2 years ago +1

    SSH DEEZ NUTZ.

  • @Slugbunny
    @Slugbunny 2 years ago

    That's clouded judgement alright.