Fix title for tag list pages
LunarWatcher committed Dec 29, 2023
1 parent b9efe98 commit e5dde44
Showing 3 changed files with 24 additions and 8 deletions.
9 changes: 8 additions & 1 deletion assets/scss/style.scss
Expand Up @@ -333,6 +333,13 @@ main, .toc-container {

}

figure {
figcaption {
padding: 2%;
box-sizing: border-box;
}
}

// Spoilers {{{

.spoiler {
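Review bot: `box-sizing: border-box` on the new `figcaption` rule has no effect as written, because a block-level figcaption with no explicit `width` or `height` is sized by its container regardless of box-sizing; either drop the declaration or keep it only if a width is added later. The `padding: 2%` resolves against the figure's content width, which is fine for a caption.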
Expand Down Expand Up @@ -510,7 +517,7 @@ tbody tr th {
// }}}
// Post listing {{{
.meta-container {
box-sizing: content-box;
box-sizing: border-box;
}
// }}}
// Page list; I assume I can extend this to support other styles anyway {{{
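Review bot: the `.meta-container` switch from `content-box` to `border-box` (and the figcaption rule above) is unrelated to the commit message "Fix title for tag list pages" and is not explained anywhere; either split the styling changes into their own commit or say in the message which layout problem they fix, so the history stays searchable.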
19 changes: 12 additions & 7 deletions content/posts/2022-12-23-ssh-hardening-an-observation.md
@@ -1,6 +1,7 @@
---
title: "SSH hardening: an observation on the efficiency of changing ports"
date: 2022-12-23T16:21:01+01:00
lastmod: 2023-12-29T22:00:04+01:00
tags: ["ssh"]
ingress: Bots mostly scanning common ports can be used to your advantage to hide services.
---
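Review bot: `lastmod` is being maintained by hand in the front matter, which tends to drift from the real edit date. Hugo can derive it from the commit history: with `enableGitInfo = true` in the site config, the default `frontmatter.lastmod` ordering falls back to `:git` when no `lastmod` key is present, so this line could be dropped and the value would track the actual commit. If it stays manual, the value here matches the commit date.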
Expand All @@ -9,7 +10,7 @@ I often open an SSH port to the internet, largely when I need to access my devic

DDoSes attempting to brute-force passwords are tough out of luck thanks to password auth being disabled, but that doesn't prevent various botnets from trying. Especially over IPv4, it's not news that these bots scour the internet to look for open ports.

In my experience, within a matter of minutes to days, bots start hammering at my recently opened ports. There isn't much they can do, but open ports are always a risk. The more opportunities these bots get to attack, teh higher the chance an unexpected vulnerability is discovered and exploited. Reducing attack vectors is therefore a good idea.
In my experience, within a matter of minutes to days, bots start hammering at my recently opened ports. There isn't much they can do, but open ports are always a risk. The more opportunities these bots get to attack, the higher the chance an unexpected vulnerability exploited. Reducing attack vectors is always a good idea.

Many articles emphasise the importancy of reducing availability of features. [DigitalOcean's article on the subject](https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04) mentions many of the same standard choices; disable password authentication, disable redundant features, restrict access where possible. Among other things, they also recommend whitelisting IPs.
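Review bot: the rewritten "In my experience" sentence fixes "teh" but drops a verb: "the higher the chance an unexpected vulnerability exploited" no longer parses. Suggest restoring the original wording, "the higher the chance an unexpected vulnerability is discovered and exploited." While in this paragraph, "importancy" in the unchanged line below should be "importance".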

Expand All @@ -21,18 +22,22 @@ What do you do then?

Most articles recommend tools like [fail2ban](https://github.com/fail2ban/fail2ban) (which is buggy as hell and misses a whole lot of attacks), or [CrowdSec](https://www.crowdsec.net/) (which I found to be inefficient as well -- awful block rates. Cool in theory, not in practice). In fact, CrowdSec did the exact opposite, and exposed me to more attacks than fail2ban, and fail2ban already had an uncomfortably high miss rate.

Since none of the standard tools work, I started [working on my own](https://github.com/LunarWatcher/doesnotfail2ban), but my attention has been elsewhere, so it's not complete. I still needed to open a port, and I don't have time to get my own tools ready. The only option left is changing the ports.
Since none of the standard tools work, I started [working on my own](https://github.com/LunarWatcher/doesnotfail2ban). At the time I wrote this article, it was still not done, and my attention shifted elsewhere. It has since been made operational and deployed to my exposed server.

Now, because I don't want to specify the port manually, I did leave it on port 22 internally, but I set up my router to forward it from an unspecified port with a numeric value greater than 1000. (Read: external:1234 -> internal:22).
Now, because I don't want to specify the port manually when I'm at home, I did leave it on port 22 internally, but I set up my router to forward it from an unspecified port with a numeric value greater than 1000. (Read: external:1234 -> internal:22).

In the past week or so, I've had a grand totalt of three attacks from three IPs, all of which gave up. These used two different attacks:

* 2x attempted password brute-force
* 1x HTTP injection trying to attack what appears to be a smart TV

In a comparable amount of time after opening :22, this is an insanely low amount of attacks. Here's an equivalent graph from last year:
In a comparable amount of time after opening :22, this is an insanely low amount of attacks. Here's an equivalent graph from last year based on fail2ban (where some attacks still slipped through due to the aforementioned flakt behaviour):

<img src="/img/ssh bans.png" alt="Image showing the ban graph; there's over 8000 bans at the peak" />
<!--<img src="/img/ssh bans.png" alt="Image showing the ban graph; there's over 8000 bans at the peak" />-->
{{< figure
src="/img/ssh bans.png"
alt="Image showing a ban graph generated from f2b, with a peak of over 8000 bans"
caption="An exposed port in the low ranges gets a lot of attention from generic botnets looking for new members. Note that the dip in the graph is due to an unexpected fail2ban failure." >}}

Each interval is 1 million seconds, or around 12 days. This graph has some curiosities that are entirely my fault;

Expand All @@ -51,6 +56,6 @@ Many of the bots I've observed having a field trip with inefficient password bru

At least for now, switching to a high (and non-standard!) port reduces the probability your port in particular is scanned and attacked. I cannot emphasise this enough: obscuring the open port by hiding it on a non-standard and normally unscanned port, as demonstrated here, does reduce the number of attacks, but [isn't a security measure on its own](https://www.baeldung.com/cs/security-by-obscurity). If a sufficiently large botnet with scanners scanning all ports on all IPs finds you and coordinates an attack, you're right back to needing a fail2ban-like solution.

All changing the port does is reduce exposure to buy time, and from what I've observed, it's quite efficient at that. Thanks to a lot of the mainline internet-scouring bots being dumb and focusing on wide coverage rather than full coverage of fewer targets, it does reduce the number of attacks from these dumb bots. It does not stop attacks from anyone sufficiently dedicated to go after you in particular, or botnets doing wider scans than the average botnet.
All changing the port does is reduce exposure to buy time, and from what I've observed, it's quite efficient at that. I've yet to experience an attack aimed at my servers _because_ they're my servers. Thanks to a lot of the mainline internet-scouring bots being dumb and focusing on wide coverage rather than full coverage of fewer targets, it does reduce the number of attacks from these dumb bots. It does not stop attacks from anyone sufficiently dedicated to go after you in particular, or botnets doing wider scans than the average botnet.

**TL;DR:** changing ports has a clear effect at reducing the number of attacks, by hiding from the standard, dumb gruntwork bots of the internet, but security by obscurity is never enough on its own. More layers of security overall help to add more security to a device, and while port swapping is a solid contribution to that, it isn't a protection measure when attacks do happen. Port swaps aren't a replacement for tools like f2b/CrowdSec/etc., but it does reduce the amount of work they have to do by a sizeable margin.
**TL;DR:** changing ports has a clear effect at reducing the number of attacks, by hiding from the standard, dumb gruntwork botnets of the internet, but security by obscurity is never enough on its own. More layers of security overall help to add more security to a device, and while port swapping is a solid contribution to that, it isn't a protection measure when attacks do happen. Port swaps aren't a replacement for tools like f2b/CrowdSec/etc., but it does reduce the amount of work they have to do by a sizeable margin.
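Review bot: "flakt behaviour" in the new graph sentence is a typo for "flaky behaviour", and "grand totalt" in the unchanged context line above should be "grand total". The old `<img>` tag kept as an HTML comment above the `{{< figure >}}` shortcode should be deleted rather than commented out: git preserves it, and the comment is otherwise shipped to every reader in the page source. The image path `/img/ssh bans.png` also contains a space; renaming the file or percent-encoding it as `ssh%20bans.png` avoids relying on browser URL fix-ups.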
4 changes: 4 additions & 0 deletions layouts/partials/head.html
Expand Up @@ -8,7 +8,11 @@
<link rel="canonical" href="{{ .Permalink }}">

<!-- Visible metadata -->
{{ if and (eq .Data.Singular "tag") (not (eq .Title "Tags")) }}
<title>Posts tagged {{ .Title }} | {{ .Site.Title }}</title>
{{ else }}
<title>{{ .Title }} | {{ .Site.Title }}</title>
{{ end }}
<!-- Scripts and stylesheets -->
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
{{ if .Params.mermaid }}
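Review bot: the tag-page test `and (eq .Data.Singular "tag") (not (eq .Title "Tags"))` depends on the taxonomy list page being titled exactly "Tags", so renaming that page or changing its casing would silently fall back to the generic title. Hugo distinguishes the taxonomy list from an individual term via `.Kind`, so `{{ if and (eq .Kind "term") (eq .Data.Singular "tag") }}` expresses the intent directly without comparing title strings.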