Happy "quickly updating all of the servers" day to those who celebrate.
43 comments
I am not a security researcher, and I don't want to sound authoritative on stuff I'm *not* an authority on. If you run Debian like I do, this page might be useful. https://security-tracker.debian.org/tracker/CVE-2024-6387 This is a friendly reminder to put a firewall in between your server and the wider internet, and no, I'm not talking about fail2ban. Which is good for lots of things, but I wouldn't rely on it alone. Don't open SSH ports up to the entire world. Put a firewall in between your server and those who would do you harm. Lots of providers have network-based access controls, cloud firewalls, etc: use them. Friends don't let friends run sshd out in the open. :P @RL_Dane @vkc @crossed seems like a potentially bad idea, plus it appears it relies on the local firewall, not a network level one ? https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/ Yeah, its not the same level of isolation, for sure. What do you do for remote access? Tail scale? VPN? I'm thinking in regards to home stuff. I'll have to find a way to combine #Yunohost with #Tailscale, because Yuno wants to have open ports on the internet, and I think that's loopy, even for home. @RL_Dane @jsbilsbrough Tailscale is fun, I haven't deployed it personally but have played around on it a bit. I'm also not a fan of port knocking and tend to VPN when away from home. I'm ancient so I've typically used OpenVPN but I rarely use it anymore anyway, since nowadays if I'm leaving home I don't need to bring my homelab with me. :) Doesn't the VPN itself need an open port, though? Is that safer than SSH? I was thinking of using Tailscale because (to my understanding) it doesn't need an open port. Man, I'm really wished I had switched to NetSec in 2003. My networking knowledge is really rough. ๐ @RL_Dane @jsbilsbrough "safer" is relative to the threat, of course. In my typical case, OpenVPN is handled itself by my firewall appliance. While it opens a port it also knows what bad traffic to scan for, without me telling it what to do. Again, I'm not a security researcher, but I tend to trust pfSense/OPNsense/etc more than myself when it comes to opening a port and watching for baddies. And nowadays I don't even do that, because I just don't need it badly enough anymore. @RL_Dane @jsbilsbrough I should also mention that I typically remote from a static IP provided by my wireless carrier. So, in my case, the firewall knew where I'd be coming from and I could block most of the internet from getting in. @tripplehelix it's usually an option for business accounts. I've had them numerous times in the past connected with hotspot appliances. Not currently using one since I don't have as much of a need anymore. @vkc @RL_Dane @jsbilsbrough I like the ability to see my local cameras when away, tailscale makes that simple. @vkc It's one of the first steps before I start adding users or packages to a newly provisioned server. And with Wireguard or similar (if suitable) one can have SSH limited to only the local subnet and/or tunnel networks. @prlzx I have a ufw script written for a future video and I'm kicking myself for not having worked on that video last week! @vkc I do wish there was an easy way to store named arrays of addresses, network prefixes and ports/ranges that UFW could use in rules (common to many firewall distributions like vyos and pfSense). @vkc But I have and keep SSH open to the internet because I NEED this to access a couple of services when not at home (I am a terminal guy). I have some extra security measures in place like ssh proxy, fail2ban (yes!) or public/private key instead of password login. I wonder if (Open)SSH is that bad and the port needs to be closed - compared e.g. to some complex web services sitting on port 443. @godeater For my personal mobile devices I use wireguard when I am in spooky networks. Maybe, I should test tailscale. @qlp awesome! Some VPS providers do really cool things with firewalls and virtual networking. Combining that with pre-defined SSH keys for initial setup and a lot of SSH security steps becomes simply a few clicks! @vkc I've been pretty happy with DigitalOcean and Hetzner Cloud defaults for Debian and Ubuntu images. I haven't checked out Akamai/Linode, but should give them a try sometime. I also really like that Hetzner Cloud has ARM instances available, but they are currently available only in the EU. I wish there were other options outside of AWS, Azure, Google Compute and Oracle that had ARM instances. @qlp Yeah VPS solutions with ARM is something I've had my eye on too. It'd be convenient for testing things which I might want to deploy later on (at least it used to in my life of sysadmining). @vkc If you don't mind the higher latency of hopping across the pond, Hetzner Cloud ARM instances start at about $3.60/month (US is exempted from VAT, but local sales tax may be calculated) isn't too bad with 2 ARM cores, 4 GB of RAM and 40 GB of storage. It's definitely cheaper than the big cloud providers here and less clunky to deal with compared to Oracle Cloud. @qlp @vkc Linode is pretty good on that front. They let you install an SSH key during creation of your VPS and they offer a free firewall feature that lives outside your VM and can block ports before itโs ever been booted and configured. So I have SSH blocked there from the start and then use Tailscale for SSH access to my servers, set to keys only. If the baddies can get through that and then pull off an exploit, well, good job. ๐ @vkc Huh... sure would be interested in how to configure UFW / Fail2Ban (or whatever else) for when you need to SSH into servers from places that don't have static IPs etc Thanks for the heads up tho... many updates and reboots happening... "yay" for my day off. @mattwilcox I mean, nothing's foolproof, don't get me wrong. But one quick-and-dirty thing you could do is a jump server behind a VPS firewall. Linode* for instance has a cloud-level firewall and web-based terminal access, which you can lock behind your account (and thus your MFA). That kind of thing could give you access to a terminal with a static IP. I think a few VPS providers have similar features. *not sponsored but I've done appearance work for them in the past. @vkc Thanks - that's for sure something I'll look into. A lot of this is a "past my level" tbh, but I'm the only person around to do things. @vkc Lots of poignent details in this comment. It's been a while since we've had an OpenSSH one this bad. @vkc Helpfully you aren't forced to take feature updates at the same time unless you want those too, and the update interval is also configurable. https://manpages.ubuntu.com/manpages/noble/en/man8/unattended-upgrades.8.html |
@vkc dnf update -yolo