SSH Security

You are currently reading a thread in /g/ - Technology

Thread replies: 41
Thread images: 1
File: MultiDisplay_Chara_08.jpg (115 KB, 640x360)
I'm setting up a gateway for external access to some servers, I'm using all the normal stuff like disabling root, using fail2ban and rate limiting, but there's a bit of a debate about what port to use.

The question is whether to use 22 or some other random non-privileged port. The upside of using a non-privileged port is that it's harder to find, the downside is that a non-root user could listen to the port, or spoof an sshd (IMO this is a bit of a non-issue, since both require a malicious user to be on your system in the first place). Which choice does /g/ use?

This could then be combined with port knocking later.

General SSH security thread I guess.
>>
>>51731656
Non-standard port reduces brute force traffic a lot.

At least make sure to use public key authentication and disable password authentication.
>>
>>51731681
Asymmetric crypto > symmetric crypto, but that doesn't mean you should disable password authentication. Provided you use proper secure passwords, Fail2ban keeps a lot of brute force attempts out. You can also extend your password authentication with 2FA by using a YubiKey (which uses OTPs). That way you either authenticate by using your public key, or your password+YubiKey.
>>
>>51731656
Never ever change your ssh port number. The standard port requires root-level privs to listen to it, while high ports will make it possible for a malicious process to MITM your ssh connection. Use key auth, use fail2ban with default settings. You'll never get brute forced, it's literally impossible.
>>
>general for something you do once per server
Really now?
>>
I was not previously aware of this port-listening privilege issue.

What prevents a regular user from listening to port 22? Why can't that thing be reconfigured to treat another port the same way?

I know that changing the port doesn't affect security in any meaningful way, but it does de-clutter some logs pretty nicely. That's certainly not a good trade for reduced security, but it doesn't seem very unix-y to me to treat ports in unique, non-configurable ways. So what is the fundamental difference between 22 and any other port?
>>
>>51733014
Only root can listen on all ports under 1024. This is a kernel feature, it's been around since UNIX, and cannot be changed. Wangblows has no similar feature: all users can bind any unused port. If you want more info, it's called "privileged ports".

Changing the port significantly lowers your security. If you don't like your logging, change your logging policy. Don't be dumb.
>>
>>51733056
>UNIX
That's the trademark. You mean Unix.
>>
>fail2ban
I don't know why you guys suggest fail2ban, it's a security vulnerability

>someone spams using your IP
>congrats you just got blocked

Same reason limiting password attempts is a stupid idea, makes it easy for someone to DoS you.
>>
>>51733165
>spoofing a TCP handshake with your IP
sure m8
>>
>>51733165
>he doesn't know how TCP/IP works
Fuck off.
>>
>>51733225
>trusting every machine in between you and the server

>>51733239
Yes. Any machine can claim to have your IP and get you banned.
>>
>>51731656
>non-privileged port. The upside of using a non-privileged port is that it's harder to find, the downside is that a non-root user could listen to the port, or spoof an sshd (IMO this is a bit of a non-issue, since both require a malicious user to be on your system in the first place). Which choice does /g/ use?
Just use literally any other port below 1024, like 666
>>
>>51733225
>>51733267
You do realize that there's nothing stopping someone from deviating from the TCP/IP specification, right? That's why SSL/TLS certs are signed, to prevent MITMs.
>>
>>51733274
It has nothing to do with trust. Ingress filtering is a thing now.
The attacker would have to be in complete control of the flow, so either very close to the datacenter (aka the provider for their uplink) or very close to you (aka your ISP). Both of them can easily block your complete access without any fail2ban shenanigans anyway, so this point is moot.

>inb4 state level attacker
They'd just go to your ISP and slap your ass.


>>51733294
>TCP/IP
Opinion invalidated
>>
>>51732887
>Asymmetric crypto > symmetric crypto
What do you mean by this?
>>
>>51733404
Asymmetric cryptography = public key cryptography (key pairs)
Symmetric cryptography = traditional shared secret model (like passwords)

https://en.wikipedia.org/wiki/Public-key_cryptography
https://en.wikipedia.org/wiki/Symmetric_key_algorithms
>>
So if I have a jump box, how should I be restricting SSH to the boxes that it is used to jump to?

Via sshd config? Via authorized_keys? Via firewall?
>>
>>51733165
More likely, you'll accidentally lock yourself out.
>>51734828
All of the above.
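The ban logic a fail2ban sshd jail applies, including the ignore list for your own admin or jump-box range that avoids the self-lockout mentioned in the reply above, as an added example that is not from the thread; the log lines, the 192.0.2.0/24 admin range and the 2024 year are constructed assumptions:

```python
"""Fail2ban-style ban logic over sshd auth.log lines (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in syslog layout; the year is assumed to be 2024.
SAMPLE_LOG = """\
Dec  3 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Dec  3 10:00:05 gw sshd[1203]: Failed password for invalid user andy from 203.0.113.7 port 51002 ssh2
Dec  3 10:00:09 gw sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Dec  3 10:01:00 gw sshd[1210]: Failed password for ops from 192.0.2.10 port 40000 ssh2
Dec  3 10:01:03 gw sshd[1211]: Failed password for ops from 192.0.2.10 port 40001 ssh2
Dec  3 10:01:06 gw sshd[1212]: Failed password for ops from 192.0.2.10 port 40002 ssh2
Dec  3 10:20:00 gw sshd[1300]: Failed password for invalid user test from 198.51.100.9 port 42000 ssh2
Dec  3 10:35:00 gw sshd[1301]: Failed password for invalid user test from 198.51.100.9 port 42001 ssh2
Dec  3 10:50:00 gw sshd[1302]: Failed password for invalid user test from 198.51.100.9 port 42002 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def scan(lines, maxretry=3, findtime=timedelta(minutes=10),
         ignoreip=("192.0.2.0/24",), year=2024):
    """Ban an address after `maxretry` failures inside `findtime`, the way a
    fail2ban sshd jail does. Addresses inside `ignoreip` (your own jump box or
    admin range, assumed here to be 192.0.2.0/24) are never banned, which is
    what keeps you from locking yourself out. Returns {ip: time of ban}."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)   # per-address timestamps still inside findtime
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in ignored) or str(ip) in bans:
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > findtime:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[str(ip)] = when
    return bans
```

Only 203.0.113.7 gets banned: the admin range is exempt, and 198.51.100.9 spreads its failures 15 minutes apart, so it never reaches three inside the 10-minute window.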
>>
I use normal port. Password auth, and google two factor auth
>>
>>51733165
>implying
>>
>>51734998
Is that really necessary?

If the request is blocked in iptables, then do I really need to block the connection in sshd AllowUsers? And if it's blocked using AllowUsers then they won't be able to use the authorized key regardless if it's blocked or not?

>>51735212
OATH's TOTP? Or something else?

I'm especially looking to armor the wire between two static hosts (jump box and a host).
>>
>>51732924
Yeah this and SSHv2. Disable v1 support completely.
>>
I have all of my PCs and servers running SSH on the default port. Disable root login, force ssh version 2, and use rsa keys for logins regularly. Also, use an iptables rule to allow only 3 new connections to port 22 in a 5 minute period. Significantly reduces brute force.
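An added example (not from the thread) that checks an sshd_config for the settings argued over here: the privileged-port point raised earlier in the thread, root login, protocol version and password authentication. The sample config is constructed; the defaults are OpenSSH's own, and the parser follows sshd's first-value-wins rule.

```python
"""Audit an sshd_config for the points argued in this thread (added example)."""
import re

# Constructed sample config, not taken from any real host.
SAMPLE_CONFIG = """\
Port 2222
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# OpenSSH's own defaults for keywords the file does not set.
DEFAULTS = {"port": "22", "protocol": "2", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Effective global settings: sshd keeps the FIRST value seen for a keyword
    (so the second Port line is ignored); Match blocks are conditional, so skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break
        settings.setdefault(key, value)
    return {**DEFAULTS, **settings}

def audit(cfg):
    """Return (code, message) findings for the thread's talking points."""
    findings = []
    if int(cfg["port"]) >= 1024:
        findings.append(("unprivileged-port", "port %s is above 1023: any local user "
                         "could bind it while sshd is down" % cfg["port"]))
    if "1" in cfg["protocol"].split(","):
        findings.append(("sshv1", "SSH protocol 1 is enabled"))
    if cfg["permitrootlogin"] == "yes":
        findings.append(("root-login", "root may log in directly with a password"))
    if cfg["passwordauthentication"] == "yes":
        findings.append(("password-auth", "passwords accepted: use keys, or add 2FA"))
    return findings
```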
>>
>>51732924
If they have access to listen to traffic they must be root level if configured correctly so this is nonsense.
>>
>>51732924
Key auth will automatically give you an error if you want to sign in; I don't see any value in fail2ban behind that.
OP, if you want to block shit, get a hardware firewall. Works a lot better, plus you can block/allow countries/IPs for the entire network.
>>
>>51738471
>hardware firewall
There's no such thing, every firewall is software. You mean a dedicated firewall.
>works a lot better + you can block/allow countries/IPs for the entire network.
Every decent firewall can do this.
>>
>>51731656
There is no debate. Use a different port. Any port but 22.
>>
>>51739843
Security through obscurity. You're only stopping idiots and some random botnet attacks.
>>
>>51739954
Which is 100% of the attempts in my logs
>>
>>51739998
If you're really that concerned about people breaking in, you're might want to recheck what security measures you *did* setup.
>>
>>51740068
*you
My mistake.
>>
>>51739585
Hardware firewall is a common term in the networking area. You think companies have a firewall on every computer? That would be a fuckton of configuration.
Basically it is hardware with dedicated software for firewalling.
>>
>>51740068
I've already taken the appropriate measures to secure my machine. I'm not sure why you're lecturing me when you're the one not concerned with security.
>>
>>51740235
>you think companies have firewall on every computer
They do, and they should. But they're never a replacement for dedicated firewalls inside the corporate network.
>that would be a fuckton of configuration.
Doesn't have to be, you can easily automate this. But like I said, they're never a replacement for dedicated firewalls inside the corporate network.
>Basically is hardware with dedicated software for firewalling .
I like this description better than the term 'hardware firewall'. It may be a common term, but that doesn't make it a correct term. There's simply no such thing.
>>
>>51740511
>>>51740068
>I've already taken the appropriate measures to secure my machine.
And I'm sure you did, so there's hardly any need to host your sshd on another port.
>I'm not sure why you're lecturing me when you're the one not concerned with security.
I'm not, family. You do what seems best to you. I was just arguing our different point of views.
>>
>>51731656
Changing the port from 22 to something different means most of the Chinese robots don't have a chance to use their senseless bruteforcing with names like andy, admin, anabelle, whatever shit.
Anyways, for a real attacker finding the other port will take like 1 minute at most.

Changing the port isn't a solution, but a good first step.
>>
>>51733165
>fail2ban, it's a security vulnerability
please explain. I am interested!
>>
>>51731656
disable password authentication (use public key) and then you won't have to be a stupid nigger with fail2ban and non standard ports
>>
>>51742439
I don't understand why you guys wanna disable password authentication? When your private key is stolen, everyone can authenticate with your private key to the ssh server. But when you use the asynchron authentication with password authentication you have a two factor authentication, and this is more secure than only one authentication way? Correct me if I am wrong.
>>
>>51743583
You're right, but they're too proud to acknowledge it.