
Anecdotally, changing the ssh port on a very low-budget VPS is worth the effort because the CPU time eaten by responding to the ssh bots can be noticeable.


This has been my experience as well. I remember having a VPS with DigitalOcean a long time ago and it was getting hammered badly with bots. Changing the ports, making pubkey authentication the only option and installing fail2ban for future pesky bots did the trick for me.

To be honest, I don't think the people controlling those bots want to deal with those of us who make it harder for them to gain access. Instead, why not happily hammer away at everyone else's port 22 with the bare minimum configuration? Those who enhance the security were never the targeted audience to begin with.


> Those who enhance the security were never the targeted audience to begin with.

This is pretty insightful. Statistically, attackers are probably mostly looking for badly configured machines which are easy to exploit rather than hardened systems that take a long time to penetrate.

State actors and obsessed attackers are different, of course. But statistically even taking care of using the simplest precautions keeps one out of the reach of the broad majority of such attacks.


I'm more familiar with AWS. There I just firewall SSH to just my IP (with a script to change it for the laptop case, or use mosh), and thus spend no CPU time responding to ssh bots.

Do VPS providers offer some sort of similar firewall service outside your instance?


I don't think low-budget VPS providers typically allow this. That said, fail2ban works OK, as does manual iptables (now nftables) - unfortunately /etc/hosts.allow is deprecated[1].

If you don't know that you'll be able to arrive from a given IP or subnet, another option would be port knocking (e.g. knockd). Although I'd try to avoid adding more code and logic to the mix - that goes for both fail2ban and knockd.

[1] ed: Note, the rationale for this is sound: the firewall (pf or nftables) is very good at filtering on IP - so it is better to avoid introducing another layer of software that does the same thing.
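As an added illustration of what fail2ban does under the hood (this is not code from the thread nor from fail2ban itself): a sliding-window count of sshd password failures per source IP over constructed log lines, rendering the nft commands one would use to populate a ban set. The set name `sshban`, the `inet filter` table and the log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from a real host); the year is assumed below.
SAMPLE_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:04 vps sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Mar  3 10:00:09 vps sshd[1207]: Accepted publickey for alice from 198.51.100.5 port 40012 ssh2: ED25519 SHA256:AAAA
Mar  3 10:01:10 vps sshd[1210]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Mar  3 10:20:00 vps sshd[1212]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
Mar  3 10:20:01 vps sshd[1213]: Failed password for invalid user test from 192.0.2.9 port 33003 ssh2
"""

# Matches only failed password attempts; accepted logins and other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def find_offenders(log_text, max_fails=3, window=timedelta(minutes=10), year=2024):
    """Return {ip: peak_count} for IPs with >= max_fails failures inside any `window`.

    Lines are assumed to be in chronological order, as syslog writes them.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m['ip']]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= max_fails:
            offenders[m['ip']] = max(offenders.get(m['ip'], 0), len(q))
    return offenders

def nft_ban_commands(offenders, set_name="sshban"):
    """Render nft commands that add each offender to a named set (assumed `inet filter` table)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(offenders)]
```

With the defaults, 203.0.113.7 is flagged (three failures in four seconds) while 192.0.2.9 is not, because its first failure falls outside the ten-minute window of the later two.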


You can't create/edit firewall rules via APIs with some VPS providers?


By "low budget" I read "cheaper than DigitalOcean". I'm not sure how many of them let you specify firewall rules outside of/"in front of" your VM.


You still get hit by bots, at least some of them. If you are really concerned you want to use port knocking.


That's not something I had considered - I suppose the handshake does take up some CPU.



