Veronica Explains

Happy "quickly updating all of the servers" day to those who celebrate.

43 comments
Tical

@vkc I *wish* I were doing an update rn.

Peter Mount

@vkc I've got that fun to do later when I get home

Veronica Explains

I am not a security researcher, and I don't want to sound authoritative on stuff I'm *not* an authority on.

If you run Debian like I do, this page might be useful. security-tracker.debian.org/tr

Veronica Explains

This is a friendly reminder to put a firewall in between your server and the wider internet, and no, I'm not talking about fail2ban. Which is good for lots of things, but I wouldn't rely on it alone.

Don't open SSH ports up to the entire world. Put a firewall in between your server and those who would do you harm. Lots of providers have network-based access controls, cloud firewalls, etc: use them.

Friends don't let friends run sshd out in the open. :P

James Bilsbrough

@vkc 💯 We have firewalls set up with our provider and applied to servers based on their roles.

SSH to any @crossed infrastructure is only possible via our Tailnet - no SSH exposed to the public internet and only the absolute minimum ports are open on the above firewalls.

R. L. Dane :debian: :openbsd:

@jsbilsbrough @vkc @crossed

What do y'all think about port-knocking? Is it any good?

James Bilsbrough

@RL_Dane @vkc @crossed seems like a potentially bad idea, plus it appears it relies on the local firewall, not a network-level one?

howtogeek.com/442733/how-to-us

R. L. Dane :debian: :openbsd:

@jsbilsbrough @vkc @crossed

Yeah, it's not the same level of isolation, for sure.

What do you do for remote access? Tail scale? VPN?

I'm thinking in regards to home stuff.

James Bilsbrough

@RL_Dane @vkc Tailscale has worked out really well for me.

I’ve got it set up on my Pi with a subnet router for stuff that can’t run Tailscale easily - like my TrueNAS box.

That way I can access anything on the local subnet when I’m connected to Tailscale on any device I have with me.

R. L. Dane :debian: :openbsd:

@jsbilsbrough @vkc

I'll have to find a way to combine #Yunohost with #Tailscale, because Yuno wants to have open ports on the internet, and I think that's loopy, even for home.

James Bilsbrough

@RL_Dane @vkc shout if you want any help / sanity checks!

Veronica Explains replied to R. L. Dane :debian: :openbsd:

@RL_Dane @jsbilsbrough Tailscale is fun, I haven't deployed it personally but have played around on it a bit. I'm also not a fan of port knocking and tend to VPN when away from home.

I'm ancient so I've typically used OpenVPN but I rarely use it anymore anyway, since nowadays if I'm leaving home I don't need to bring my homelab with me. :)

R. L. Dane :debian: :openbsd: replied to Veronica

@vkc @jsbilsbrough

Doesn't the VPN itself need an open port, though? Is that safer than SSH?

I was thinking of using Tailscale because (to my understanding) it doesn't need an open port.

Man, I really wish I had switched to NetSec in 2003. My networking knowledge is really rough. 😅

Veronica Explains replied to R. L. Dane :debian: :openbsd:

@RL_Dane @jsbilsbrough "safer" is relative to the threat, of course.

In my typical case, OpenVPN is handled by my firewall appliance itself. While it opens a port, it also knows what bad traffic to scan for, without me telling it what to do. Again, I'm not a security researcher, but I tend to trust pfSense/OPNsense/etc. more than myself when it comes to opening a port and watching for baddies.

And nowadays I don't even do that, because I just don't need it badly enough anymore.

Veronica Explains replied to Veronica

@RL_Dane @jsbilsbrough I should also mention that I typically remote from a static IP provided by my wireless carrier. So, in my case, the firewall knew where I'd be coming from and I could block most of the internet from getting in.

Tom replied to Veronica

@vkc @RL_Dane @jsbilsbrough You can get static IPs for mobile data?

Veronica Explains replied to Tom

@tripplehelix it's usually an option for business accounts. I've had them numerous times in the past connected with hotspot appliances. Not currently using one since I don't have as much of a need anymore.

@RL_Dane @jsbilsbrough

Tom replied to Veronica

@vkc @RL_Dane @jsbilsbrough I like the ability to see my local cameras when away; Tailscale makes that simple.

Paul L

@vkc
It's also as good a reason as any to remind folks to learn about UFW (or FirewallD, or whatever else one's distro may provide).

It's one of the first steps before I start adding users or packages to a newly provisioned server.

And with Wireguard or similar (if suitable) one can have SSH limited to only the local subnet and/or tunnel networks.

Veronica Explains

@prlzx I have a ufw script written for a future video and I'm kicking myself for not having worked on that video last week!

Paul L

@vkc
Looking forward to that :)
I find the App profile feature invaluable when adding services (whether they provide a profile or the ease of making custom ones).

I do wish there was an easy way to store named arrays of addresses, network prefixes and ports/ranges that UFW could use in rules (common to many firewall distributions like vyos and pfSense).

Hâthor

@vkc For fun, I suggested to our CISO that we use telnet instead of ssh while waiting for our entire farm to be patched.
(They're a friend; I love doing that kind of joke.)

Jan

@vkc
You are certainly right.

But I have and keep SSH open to the internet because I NEED this to access a couple of services when not at home (I am a terminal guy). I have some extra security measures in place like ssh proxy, fail2ban (yes!) or public/private key instead of password login.

I wonder if (Open)SSH is that bad and the port needs to be closed - compared e.g. to some complex web services sitting on port 443.

GodEater

@rzbrk @vkc is there a reason you're not using TailScale for that use case?

Jan

@godeater
Good question. Most of my days I work on IT equipment owned and controlled by my employer. I cannot use or install a VPN client. But there is an SSH client and a "hole" in the company's firewall (port 22 outgoing is blocked) which I use to SSH into my homeserver to e.g. check my private mails or the like.

For my personal mobile devices I use wireguard when I am in spooky networks. Maybe, I should test tailscale.

@vkc

Linh Pham

@vkc One of the first things I do when I deploy a new VPS is to change the port OpenSSH listens on, apply a pre-defined firewall rule, install and set up a WireGuard tunnel, then block SSH at the firewall.

Veronica Explains

@qlp awesome! Some VPS providers do really cool things with firewalls and virtual networking. Combine that with pre-defined SSH keys for initial setup, and a lot of SSH security steps become simply a few clicks!

Linh Pham

@vkc I've been pretty happy with DigitalOcean and Hetzner Cloud defaults for Debian and Ubuntu images. I haven't checked out Akamai/Linode, but should give them a try sometime.

I also really like that Hetzner Cloud has ARM instances available, but they are currently available only in the EU.

I wish there were other options outside of AWS, Azure, Google Compute and Oracle that had ARM instances.

Veronica Explains

@qlp Yeah, VPS solutions with ARM are something I've had my eye on too. It'd be convenient for testing things which I might want to deploy later on (at least it used to be, back in my life of sysadmining).

Linh Pham

@vkc If you don't mind the higher latency of hopping across the pond, Hetzner Cloud ARM instances start at about $3.60/month (US is exempted from VAT, but local sales tax may be calculated), which isn't too bad for 2 ARM cores, 4 GB of RAM and 40 GB of storage.

It's definitely cheaper than the big cloud providers here and less clunky to deal with compared to Oracle Cloud.

David Nelson

@qlp @vkc Linode is pretty good on that front. They let you install an SSH key during creation of your VPS and they offer a free firewall feature that lives outside your VM and can block ports before it’s ever been booted and configured.

So I have SSH blocked there from the start and then use Tailscale for SSH access to my servers, set to keys only. If the baddies can get through that and then pull off an exploit, well, good job. 😄

Linh Pham

@dmnelson @vkc Yep, that's how DigitalOcean and Hetzner work as well. It's nice to have multiple lines of defense, be it at the virtual network level, before traffic hits your droplet's network stack, or more fine-grained control afterwards.

Matt Wilcox

@vkc Huh... sure would be interested in how to configure UFW / Fail2Ban (or whatever else) for when you need to SSH into servers from places that don't have static IPs, etc.

Thanks for the heads up tho... many updates and reboots happening... "yay" for my day off.

Veronica Explains

@mattwilcox I mean, nothing's foolproof, don't get me wrong. But one quick-and-dirty thing you could do is a jump server behind a VPS firewall. Linode* for instance has a cloud-level firewall and web-based terminal access, which you can lock behind your account (and thus your MFA). That kind of thing could give you access to a terminal with a static IP. I think a few VPS providers have similar features.

*not sponsored but I've done appearance work for them in the past.

Matt Wilcox

@vkc Thanks - that's for sure something I'll look into. A lot of this is a "past my level" tbh, but I'm the only person around to do things.

kroy

@vkc Lots of poignant details in this comment.

It's been a while since we've had an OpenSSH one this bad.

news.ycombinator.com/item?id=4

Paul L

@vkc
For Debian and Ubuntu, people may also want to look again at unattended-upgrades, since that can automatically install security updates.

Helpfully, you aren't forced to take feature updates at the same time unless you want those too, and the update interval is also configurable.

manpages.ubuntu.com/manpages/n

wiki.debian.org/UnattendedUpgr
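Pulling the thread's advice together in one script: Veronica's "don't run sshd out in the open", Paul L's note about using UFW to limit SSH to the local subnet and/or tunnel networks, and his later pointer to unattended-upgrades. This is an added example written for this page, not code from any of the participants or from the ufw or unattended-upgrades projects. The tunnel interface `wg0`, the subnet `10.8.0.0/24`, and the WireGuard port `51820` are assumed placeholders; the ufw commands and the `APT::Periodic::*` keys in `20auto-upgrades` are real. By default it only prints what it would do.

```shell
#!/bin/sh
# Added example (not from the thread): first-boot hardening for a Debian/Ubuntu
# server. Deny inbound by default, reach SSH only through the tunnel, and let
# unattended-upgrades install security updates.
set -eu

TUN_IF="${TUN_IF:-wg0}"            # assumed WireGuard interface (Tailscale: tailscale0)
TUN_NET="${TUN_NET:-10.8.0.0/24}"  # assumed tunnel subnet (Tailscale: 100.64.0.0/10)
WG_PORT="${WG_PORT:-51820}"        # assumed WireGuard listen port
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = execute them as root

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ufw rules: default-deny inbound, expose only the tunnel endpoint to the
# world, and accept SSH solely from peers inside the tunnel. No rule here
# opens port 22 to Anywhere.
ufw_ssh_rules() {
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow "$WG_PORT/udp" comment 'wireguard endpoint'
    run ufw allow in on "$TUN_IF" from "$TUN_NET" to any port 22 proto tcp comment 'ssh via tunnel only'
    run ufw --force enable
}

# Drop-in for /etc/apt/apt.conf.d/20auto-upgrades: refresh package lists and
# run unattended-upgrades daily, autoclean weekly. Which suites are eligible
# is decided by the list in 50unattended-upgrades, so feature updates can
# stay manual as Paul describes.
auto_upgrades_conf() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

install_auto_upgrades() {
    run apt-get install -y unattended-upgrades
    if [ "$DRY_RUN" = "1" ]; then
        auto_upgrades_conf
    else
        auto_upgrades_conf > /etc/apt/apt.conf.d/20auto-upgrades
    fi
}

# Audit helper: read `ufw status` output on stdin and return 1 if any rule
# still lets port 22 in from Anywhere, i.e. sshd is exposed to the world.
audit_ssh_exposure() {
    if grep -E '^22(/tcp)?[[:space:]]+ALLOW([[:space:]]+IN)?[[:space:]]+Anywhere' >/dev/null; then
        return 1
    fi
    return 0
}

# Usage (as root, once the tunnel is up and you are connected through it):
#   DRY_RUN=0 ./harden.sh            # apply rules and enable auto-upgrades
#   ufw status | ./harden.sh audit   # check nothing still exposes port 22
main() {
    case "${1:-apply}" in
        apply) ufw_ssh_rules; install_auto_upgrades ;;
        audit) audit_ssh_exposure ;;
    esac
}

main "$@"
```

Run it in dry-run mode first and read the rule list; only switch to `DRY_RUN=0` from a session that already goes through the tunnel, because `ufw --force enable` with these rules will cut off any SSH session arriving on the public interface. The audit function is deliberately separate so it can be run against a saved `ufw status` from a fleet.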

baahemian

@vkc your posts are a blessing, just kicked off updates now.
