On Wed, Feb 15, 2023 at 05:43:12PM +0100, Jan Just Keijser wrote:
> Having port 22 open on the internet is asking for bots & script kiddies to
> try and break in, but usually fail2ban takes care of it quite nicely.

Yes, and you can report to abuseipdb.com -- that's why my main server has port 22 open (and there are a few measures that make successful authentication unlikely -- the remaining risk is a zero-day on SSH itself).

> and list it on a public webpage, so having a public wiki/web page stating
> "we run ssh on tcp port 2222 to confuse script kiddies" is not a very good
> way to hide your ssh service.

Also, I have one container which has a random port for SSH. It was discovered by scanners in about one to two weeks. (*)

On a sensitive machine, I use port knocking. Or I hide services behind a private OpenVPN network, depending. Which is also useful when the ISP no longer offers port forwarding (CGNAT) for CPE.

(*) I read some literature that scanning the whole IPv4 space for every TCP port takes about a day with a Gbit/s or so optimized SYN sender.