[arm-allstar] NOTICE for users with public ssh on port 222

Steve Matzura sm at noisynotes.com
Tue Mar 7 07:19:21 EST 2023


For those who maybe are not in the know, where is this documented, or 
where can one go for a how-to?


On 3/6/2023 11:07 PM, Bryan St Clair via ARM-allstar wrote:
> Simply not using a U/P and converting to a KEY system, with an alternate
> port is secure.  A VPN isn't a requirement to secure SSH.
>
> Adding rules in an IPTABLES config to lock out attempts that break a
> defined frequency is added insurance.
>
> The KEY system alone should be a minimum for every device, regardless of
> public exposure.  All of this is already installed on HamVoip image, you
> simply have to configure it.
>
> K6CBR
>
> On Mon, Mar 6, 2023 at 7:37 PM Lu Vencl via ARM-allstar <
> arm-allstar at hamvoip.org> wrote:
>
>> Never ever use the default port. I use something out of this world. In
>> addition, nowadays, I use a VPN into my network if I need to access
>> anything. Stop forwarding SSH ports and use a VPN. Life will be better.
>> Lu
>> KA4EPS
>>
>>> On Mar 6, 2023, at 5:47 PM, kd6gdb--- via ARM-allstar <
>>> arm-allstar at hamvoip.org> wrote:
>>> Thanks to all,
>>>
>>> I like the fail2ban solution and use it a lot for my other servers but am
>>> concerned with the overhead. Obviously the double-edged sword here is what
>>> uses more resources, the constant pounding on my poor little RPi3 node from
>>> bots around the world that think I am the back door to the "NORAD
>>> supercomputer known as WOPR (War Operation Plan Response, pronounced
>>> "whopper"), programmed to continuously run war simulations and learn over
>>> time" - see the movie WARGAMES (1983) for background or moving dull ham
>>> radio audio from the world's most obnoxious repeater in Los Angeles.
>>>
>>>> On Mon, Mar 6, 2023 at 1:47 PM stanley stanukinos via ARM-allstar <
>>>> arm-allstar at hamvoip.org> wrote:
>>>>
>>>> Use fail2ban and input the blocks from those ranges. Drop all packets;
>>>> do not respond to ICMP. They start their probing there.
>>>>
>>>> Stan
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Mar 6, 2023, at 2:39 PM, Joe Moskalski via ARM-allstar <
>>>>> arm-allstar at hamvoip.org> wrote:
>>>>> I have addressed this issue with 2 solutions. One is ban all the IP ranges
>>>>> from India, China and Russia in my firewall. It's not very surgical but
>>>>> it's effective. The other is set up an L2TP VPN and not make the SSH port
>>>>> open to the public, only being able to access it through the VPN.
>>>>>
>>>>>> On Mon, Mar 6, 2023, 2:13 PM kd6gdb--- via ARM-allstar <
>>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>>
>>>>>> Where did this get to? One of my private nodes has seemed to have become a
>>>>>> favorite in India with over 500 attempts per hour.
>>>>>>
>>>>>> [root@Node1502 local]# strings /var/log/btmp | grep -v '[a-zA-Z]' | sort -u
>>>>>>
>>>>>> [root@Node1502 local]# uptime
>>>>>> 10:04:55 up  1:06,  1 user,  load average: 0.11, 0.18, 0.17
>>>>>>
>>>>>> [root@Node1502 local]# strings /var/log/btmp | grep -v '[a-zA-Z]' | wc
>>>>>>     505     505    7296
>>>>>>
>>>>>> On Sun, Apr 5, 2020 at 7:38 PM "Al Beard via ARM-allstar" <
>>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This will get you the SSHD info to check:
>>>>>>>
>>>>>>> journalctl _COMM=sshd -n 1000 > sshd.log
>>>>>>>
>>>>>>> Fedora linux uses "systemd" but still creates most of the "standard"
>>>>>>> unix log files such that sys-admin's scripts will still mostly work.
>>>>>>>
>>>>>>> I've been using Fedora on ARM systems because they put quite an effort
>>>>>>> into supporting many many boards AND I could move the root (/) filesystem
>>>>>>> onto a real hard disk either USB or SATA (as in the Banana Pi) and have no
>>>>>>> and I mean NO SD card wear out problems.
>>>>>>> And, the kernel update process worked seamlessly. dnf -y upgrade
>>>>>>>
>>>>>>> My first Raspberry Pi version 1 with 256Mb ram would burn out an SD card
>>>>>>> in a day. Thus, with SATA disks everywhere I looked for a SoC with a SATA
>>>>>>> interface and found the Allwinner A20 chip on the Banana Pi board did.
>>>>>>> Alan VK2ZIW
>>>>>>>
>>>>>>> On Sun, 5 Apr 2020 17:31:47 -0700, "Tony via ARM-allstar" wrote
>>>>>>>> On 4/5/20 4:44 PM, "David McGough via ARM-allstar" wrote:
>>>>>>>>> ... I'll upload a copy of the code I'm using, if you'd like to experiment
>>>>>>>>> with it?  This code will get wrapped into a package included in HamVoIP,
>>>>>>>>> ultimately.
>>>>>>>> Is it essentially a Hamvoip-specific configuration for the fail2ban package?
>
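
Added example (not part of any message in this thread, and not HamVoIP's own code): a per-source tally of failed SSH password attempts, in the spirit of the btmp count and the `journalctl _COMM=sshd` command quoted above. The function names, the threshold and the sample log lines are assumptions made for illustration; the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample in the default journalctl/syslog layout for sshd.
SAMPLE_LOG='Mar 06 10:01:02 node sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 06 10:01:05 node sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar 06 10:01:09 node sshd[815]: Invalid user pi from 198.51.100.23 port 55010
Mar 06 10:01:11 node sshd[815]: Failed password for invalid user pi from 198.51.100.23 port 55010 ssh2
Mar 06 10:01:15 node sshd[817]: Failed password for invalid user from from 198.51.100.23 port 55012 ssh2
Mar 06 10:02:00 node sshd[820]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
Mar 06 10:02:14 node sshd[822]: Failed password for root from 203.0.113.7 port 40188 ssh2'

# failed_by_source: read sshd log lines on stdin and print "count address"
# for every source of failed password attempts, busiest first.
# The address is located by counting fields from the END of the line
# ("from ADDR port N ssh2"), so a client-chosen user name containing
# spaces or the word "from" cannot shift which field is read.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             if ($(NF - 4) == "from" && $(NF - 2) == "port")
                 count[$(NF - 3)]++
         }
         END { for (ip in count) print count[ip], ip }' |
        sort -k1,1nr -k2,2
}

# over_threshold MIN: print only the addresses with at least MIN failures,
# i.e. the candidates for a firewall or fail2ban block.
over_threshold() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | over_threshold 3
```

On a node, the same function can be fed live data, for example `journalctl _COMM=sshd -n 1000 | over_threshold 20`, where 20 is an arbitrary cut-off.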

