[arm-allstar] NOTICE for users with public ssh on port 222

Bryan St Clair bryan at k6cbr.us
Mon Mar 6 23:07:16 EST 2023


Simply not using a U/P and converting to a KEY system, with an alternate
port is secure.  A VPN isn't a requirement to secure SSH.

Adding rules in an IPTABLES config that can lock out attempts that break a
defined frequency is added insurance.

The KEY system alone should be a minimum for every device, regardless of
public exposure.  All of this is already installed on HamVoip image, you
simply have to configure it.

K6CBR

On Mon, Mar 6, 2023 at 7:37 PM Lu Vencl via ARM-allstar <
arm-allstar at hamvoip.org> wrote:

> Never ever use the default port. I use something out of this world. In
> addition, nowadays, I use a VPN into my network if I need to access
> anything. Stop forwarding SSH ports and use a VPN. Life will be better.
> Lu
> KA4EPS
>
> > On Mar 6, 2023, at 5:47 PM, kd6gdb--- via ARM-allstar <
> arm-allstar at hamvoip.org> wrote:
> >
> > Thanks to all,
> >
> > I like the fail2ban solution and use it a lot for my other servers but am
> > concerned with the overhead. Obviously the double-edged sword here is what
> > uses more resources, the constant pounding on my poor little RPi3 node from
> > bots around the world that think I am the back door to the "NORAD
> > supercomputer known as WOPR (War Operation Plan Response, pronounced
> > "whopper"), programmed to continuously run war simulations and learn over
> > time" - see the movie WARGAMES (1983) for background or moving dull ham
> > radio audio from the world's most obnoxious repeater in Los Angeles.
> >
> >> On Mon, Mar 6, 2023 at 1:47 PM stanley stanukinos via ARM-allstar <
> >> arm-allstar at hamvoip.org> wrote:
> >>
> >> Use fail2ban and input the blocks from those ranges. Drop all packets,
> >> do not respond to ICMP. They start their probing there.
> >>
> >> Stan
> >>
> >> Sent from my iPhone
> >>
> >>> On Mar 6, 2023, at 2:39 PM, Joe Moskalski via ARM-allstar <
> >> arm-allstar at hamvoip.org> wrote:
> >>>
> >>> I have addressed this issue with 2 solutions. One is ban all the IP ranges
> >>> from India, China and Russia in my firewall. It's not very surgical but
> >>> it's effective. The other is set up an L2TP VPN and not make the SSH port
> >>> open to the public only being able to access it through the VPN.
> >>>
> >>>> On Mon, Mar 6, 2023, 2:13 PM kd6gdb--- via ARM-allstar <
> >>>> arm-allstar at hamvoip.org> wrote:
> >>>>
> >>>> Where did this get to? One of my private nodes has seemed to have become a
> >>>> favorite in India with over 500 attempts per hour.
> >>>>
> >>>> [root at Node1502 local]# strings /var/log/btmp | grep -v '[a-zA-Z]' |sort -u
> >>>>
> >>>> [root at Node1502 local]# uptime
> >>>> 10:04:55 up * 1:06, * 1 user,  load average: 0.11, 0.18, 0.17
> >>>>
> >>>> [root at Node1502 local]# strings /var/log/btmp | grep -v '[a-zA-Z]' |wc
> >>>>   *505*     505    7296
> >>>>
> >>>> On Sun, Apr 5, 2020 at 7:38 PM "Al Beard via ARM-allstar" <
> >>>> arm-allstar at hamvoip.org> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> This will get you the SSHD info to check:
> >>>>>
> >>>>> journalctl _COMM=sshd -n 1000 > sshd.log
> >>>>>
> >>>>> Fedora linux uses "systemd" but still creates most of the "standard"
> >>>>> unix log files such that sys-admin's scripts will still mostly work.
> >>>>>
> >>>>> I've been using Fedora on ARM systems because they put quite an effort
> >>>>> into supporting many many boards AND I could move the root (/) filesystem
> >>>>> onto a real hard disk either USB or SATA (as in the Banana Pi) and have no
> >>>>> and I mean NO SD card wear out problems.
> >>>>> And, the kernel update process worked seamlessly. dnf -y upgrade
> >>>>>
> >>>>> My first Raspberry Pi version 1 with 256Mb ram would burn out an SD card
> >>>>> in a day. Thus, with SATA disks everywhere I looked for a SoC with a SATA
> >>>>> interface and found the Allwinner A20 chip on the Banana Pi board did.
> >>>>>
> >>>>> Alan VK2ZIW
> >>>>>
> >>>>> On Sun, 5 Apr 2020 17:31:47 -0700, "Tony via ARM-allstar" wrote
> >>>>>> On 4/5/20 4:44 PM, "David McGough via ARM-allstar" wrote:
> >>>>>>> ... I'll upload a copy of the code I'm using, if you'd like to experiment
> >>>>>>> with it?  This code will get wrapped into a package included in HamVoIP,
> >>>>>>> ultimately.
> >>>>>>
> >>>>>> Is it essentially a Hamvoip-specific configuration for the fail2ban package?
> >>>>>> _______________________________________________
> >>>>>>
> >>>>>> ARM-allstar mailing list
> >>>>>> ARM-allstar at hamvoip.org
> >>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >>>>>>
> >>>>>> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> >>>>>
> >>>>>
> >>>>> ---------------------------------------------------
> >>>>> Alan Beard
> >>>>>
> >>>>> OpenWebMail 2.53
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Pursuant to U.S. Code, title 47, Chapter 5, Sub chapter II, §227,
> >>>> "Any and all non solicited commercial E-mail sent to this address is
> >>>> subject to a download and archival fee of $500.00 U.S.". E-mailing denotes
> >>>> acceptance of these terms.
> >
> >
> > --
> > Pursuant to U.S. Code, title 47, Chapter 5, Sub chapter II, §227,
> > "Any and all non solicited commercial E-mail sent to this address is
> > subject to a download and archival fee of $500.00 U.S.". E-mailing denotes
> > acceptance of these terms.
>


-- 
Bryan
K6CBR
bryan at k6cbr.us
43918,439910
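
Added example, not part of the original message or of the HamVoIP image: the frequency-based iptables lockout and the key-only SSH setup described at the top of this message, as a script that prints the rate-limit rules and audits an sshd_config file. Port 222 is taken from the subject line; the limit of 4 new connections per 60 seconds, the list name SSH and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Port 222 comes from the subject line;
# the 4-connections-per-60-seconds limit and the list name SSH are assumptions.

# Print iptables commands that drop a source address once it opens HITS new
# connections to PORT within SECONDS. Printed for review, not applied here.
ssh_ratelimit_rules() {   # usage: ssh_ratelimit_rules PORT HITS SECONDS
    m="-p tcp --dport $1 -m conntrack --ctstate NEW -m recent --name SSH"
    echo "iptables -A INPUT $m --set"
    echo "iptables -A INPUT $m --update --seconds $3 --hitcount $2 -j DROP"
    echo "iptables -A INPUT -p tcp --dport $1 -j ACCEPT"
}

# Effective value of one keyword in an sshd_config file. sshd keeps the first
# occurrence and ignores keyword case. Simplification: parsing stops at the
# first Match block and Include files are not followed.
sshd_value() {            # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { v = tolower($2); exit }
        END { print (v == "" ? d : v) }' "$1"
}

# One finding per line; no output means the file matches the advice above.
audit_sshd() {            # usage: audit_sshd FILE
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] ||
        echo "PasswordAuthentication is not 'no': password guessing still works"
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ] ||
        echo "PubkeyAuthentication is off: key logins will fail"
    [ "$(sshd_value "$1" Port 22)" != 22 ] ||
        echo "Port is still the default 22"
}

ssh_ratelimit_rules 222 4 60
[ ! -r /etc/ssh/sshd_config ] || audit_sshd /etc/ssh/sshd_config
```

On a running node, `sshd -T` prints the effective configuration with Match and Include handling applied, so it is the authoritative check; confirm a key login works in a second session before turning passwords off.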

