[arm-allstar] NOTICE for user's with public ssh on port 222

David McAnally david.mcanally at gmail.com
Tue Mar 7 08:47:07 EST 2023 

https://www.google.com/search?client=firefox-b-1-d&q=how+to+configure+ssh+public+key+authentication

And if you use PUTTY/WinSCP for access:
https://www.google.com/search?client=firefox-b-1-d&q=how+to+configure+putty+for+public+key+authentication

David WD5M

On Tue, Mar 7, 2023 at 6:54 AM Steve Matzura via ARM-allstar <
arm-allstar at hamvoip.org> wrote:

> For those who maybe are not in the know, where is this documented, or
> where can one go for a how-to?
>
>
> On 3/6/2023 11:07 PM, Bryan St Clair via ARM-allstar wrote:
> > Simply not using a U/P and converting to a KEY system, with an alternate
> > port is secure.  A VPN isn't a requirement to secure SSH.
> >
> > Adding rules in an IPTABLES config can lock out attempts that break a
> > defined frequency is added insurance.
> >
> > The KEY system alone should be a minimum for every device, regardless of
> > public exposure.  All of this is already installed on HamVoip image, you
> > simply have to configure it.
> >
> > K6CBR
> >
> > On Mon, Mar 6, 2023 at 7:37 PM Lu Vencl via ARM-allstar <
> > arm-allstar at hamvoip.org> wrote:
> >
> >> Never ever use the default port. I use something out of this world. In
> >> addition, nowadays, I use a VPN into my network if I need to access
> >> anything. Stop forwarding SSH ports and use a VPN. Life will be better.
> >> Lu
> >> KA4EPS
> >>
> >>> On Mar 6, 2023, at 5:47 PM, kd6gdb--- via ARM-allstar <
> >> arm-allstar at hamvoip.org> wrote:
> >>> Thanks to all,
> >>>
> >>> I like the fail2ban solution and use it alot for my other servers but
> am
> >>> concerned with the overhead. Obviously the double edge sword here is
> what
> >>> uses more resources, the constant pounding on my poor little RPi3 node
> >> from
> >>> bots around the world that think I am the back door to the "NORAD
> >>> supercomputer known as WOPR (War Operation Plan Response, pronounced
> >>> "whopper"), programmed to continuously run war simulations and learn
> over
> >>> time" - see the movie WARGAMES (1983) for background or moving dull ham
> >>> radio audio from the world most obnoxious repeater in Los Angeles.
> >>>
> >>>> On Mon, Mar 6, 2023 at 1:47 PM stanley stanukinos via ARM-allstar <
> >>>> arm-allstar at hamvoip.org> wrote:
> >>>>
> >>>> Use fail to ban and input the blocks from those ranges. Drop all
> packets
> >>>> do not respond to icmp. They start their probing there.
> >>>>
> >>>> Stan
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>>> On Mar 6, 2023, at 2:39 PM, Joe Moskalski via ARM-allstar <
> >>>> arm-allstar at hamvoip.org> wrote:
> >>>>> I have addressed this issue with 2 solutions. One is ban all the IP
> >>>> ranges
> >>>>> from India, China and Russia in my firewall. It's not very surgical
> but
> >>>>> it's effective. The other is setup a L2TP VPN and not make the SSH
> port
> >>>>> open to the public only being able to access it through the VPN.
> >>>>>
> >>>>>> On Mon, Mar 6, 2023, 2:13 PM kd6gdb--- via ARM-allstar <
> >>>>>> arm-allstar at hamvoip.org> wrote:
> >>>>>>
> >>>>>> Where did this get to? One of my private nodes has seemed to have
> >>>> become a
> >>>>>> favorite in India with over 500 attempts per hour.
> >>>>>>
> >>>>>> [root at Node1502 local]# strings /var/log/btmp | grep -v '[a-zA-Z]'
> >>>> |sort -u
> >>>>>> 103.246.240.30
> >>>>>> 104.168.64.249
> >>>>>> 113.20.31.42
> >>>>>> 119.93.23.178
> >>>>>> 128.199.246.42
> >>>>>> 134.17.89.159
> >>>>>> 137.184.37.163
> >>>>>> 164.163.104.184
> >>>>>> 164.90.229.196
> >>>>>> 167.233.7.218
> >>>>>> 170.64.178.90
> >>>>>> 177.72.99.10
> >>>>>> 190.144.141.210
> >>>>>> 192.241.157.114
> >>>>>> 31.41.244.124
> >>>>>> 36.255.221.147
> >>>>>> 43.129.201.229
> >>>>>> 47.243.106.91
> >>>>>>
> >>>>>> [root at Node1502 local]# uptime
> >>>>>> 10:04:55 up * 1:06, * 1 user,  load average: 0.11, 0.18, 0.17
> >>>>>>
> >>>>>> [root at Node1502 local]# strings /var/log/btmp | grep -v '[a-zA-Z]'
> |wc
> >>>>>>    *505*     505    7296
> >>>>>>
> >>>>>> On Sun, Apr 5, 2020 at 7:38 PM "Al Beard via ARM-allstar" <
> >>>>>> arm-allstar at hamvoip.org> wrote:
> >>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> This will get you the SSHD info to check:
> >>>>>>>
> >>>>>>> journalctl _COMM=sshd -n 1000 > sshd.log
> >>>>>>>
> >>>>>>> Fedora linux uses "systemd" but still creates most of the
> "standard"
> >>>>>>> unix log files such that sys-admin's scripts will still mostly
> work.
> >>>>>>>
> >>>>>>> I've been using Fedora on ARM systems because they put quite an
> >> effort
> >>>>>>> into supporting many many boards AND I could move the root (/)
> >>>> filesystem
> >>>>>>> onto a real hard disk either USB or SATA (as in the Banana Pi) and
> >> have
> >>>>>> no
> >>>>>>> and I mean NO SD card wear out problems.
> >>>>>>> And, the kernel update process worked seamlessly. dnf -y upgrade
> >>>>>>>
> >>>>>>> My first Raspberry Pi version 1 with 256Mb ram would burn out an SD
> >>>> card
> >>>>>>> in a day. Thus, with SATA disks everywhere I looked for a SoC with
> a
> >>>> SATA
> >>>>>>> interface and found the Allwinner A20 chip on the Banana Pi board
> >> did.
> >>>>>>> Alan VK2ZIW
> >>>>>>>
> >>>>>>> On Sun, 5 Apr 2020 17:31:47 -0700, \"Tony via ARM-allstar\" wrote
> >>>>>>>> On 4/5/20 4:44 PM, "David McGough via ARM-allstar" wrote:
> >>>>>>>>> ... I'll upload a copy of the code I'm using, if you'd like to
> >>>>>>> experiment
> >>>>>>>>> with it?  This code will get wrapped into a package included in
> >>>>>>> HamVoIP,
> >>>>>>>>> ultimately.
> >>>>>>>> Is it essentially a Hamvoip-specific configuration for the
> fail2ban
> >>>>>>> package?
> >
> _______________________________________________
>
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
>

More information about the ARM-allstar mailing list