this post was submitted on 14 Aug 2023
543 points (96.4% liked)

Selfhosted

40439 readers
789 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

In the past two weeks I set up a new VPS, and I run a small experiment. I share the results for those who are curious.

Consider that this is a backup server only, meaning that there is no outgoing traffic unless a backup is actually to be recovered, or as we will see, because of sshd.

I initially left the standard "port 22 open to the world" for 4-5 days, I then moved sshd to a different port (still open to the whole world), and finally I closed everything and turned on tailscale. You find a visualization of the resulting egress traffic in the image. Different colors are different areas of the world. Ignore the orange spikes which were my own ssh connections to set up stuff.

Main points:

  • there were about 10 Mb of egress per day due just to sshd answering to scanners. Not to mention the cluttering of access logs.

  • moving to a non standard port is reasonably sufficient to avoid traffic and log cluttering even without IP restrictions

  • Tailscale causes a bit of traffic, negligible of course, but continuous.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 11 points 1 year ago (2 children)

As others have already said, set up a VPN like wireguard, connect to the VPN and then SSH to the server. No need to open ports for SSH.

I do have port 22 open on my network, but it's forwarded to an SSH tarpit: https://github.com/skeeto/endlessh

[–] filister 8 points 1 year ago (1 children)

But Tailscale is Wireguard under the hood.

[–] [email protected] -3 points 1 year ago (2 children)

Yeah, but worse cause it's company owned and not really open source. Why do people use tailscale? Are you so desperate to pay money for it?

[–] art 4 points 1 year ago

It's open source and it's free to use. Anything can sound bad when you just make shit up.

[–] greavous 1 points 1 year ago

I don't pay money for it... 3 users/100 devices is free https://tailscale.com/pricing/

[–] VitoCorleone 2 points 1 year ago (4 children)

I have wireguard for other purposes but I also have ssh open on a different port. I don't much understand the argument of exchanging ssh for wireguard. In the end, we're just trading an attack vector for another.

My ssh only allows connections from my user. If I'm using password auth, I also request a 2FA.

Tail scale is also a good idea but I don't like having my control plane under someone else's control.

[–] [email protected] 5 points 1 year ago

There is quite a significant difference. An ssh server - even when running on a non-default port - is easily detectable by scanning for it. With a properly configured Wireguard setup this is not the case. As someone scanning from the outside, it is impossible to tell if there is Wireguard listening or not, since it simply won't send any reply to you if you don't have the correct key. Since it uses UDP it isn't even possible to tell if there is any service running on a given UDP port.

[–] [email protected] 4 points 1 year ago

The reason a VPN is better to expose than SSH, is the feedback.

If someone tries connecting to your SSH with the wrong key or password, they get a nice and clear permission denied. They now know that you have SSH, and which version. Which might allow them to find a vulnerability.

If someone connects to your wireguard with the wrong key, they get zero response. Exactly as if the port had not been open in the first place. They have no additional information, and they don't even know that the port was even open.

Try running your public IP through shodan.io, and see what ports and services are discovered.

[–] [email protected] 2 points 1 year ago (1 children)
[–] Cyberflunk 1 points 1 year ago
[–] [email protected] 1 points 1 year ago

If someone finds a 0day in your SSH server and goes on drive-by attacking the whole internet you're toast.

Already moving off port 22 reduces much of the risk, essentially reducing the attack surface for drive-by attacks to zero while still being susceptible to targeted attacks -- that is, still susceptible to attackers bothering to scan the whole range. Anything that makes you unscannable (VPN, portknockd, doesn't matter) mitigates that. Even state-level actors would have to be quite determined to get through that one.

Yes it's security through obscurity. Yes it's a good idea: There's a difference between hiding your unlocked front door and hiding your military-grade front door lock, one of them is silly the other isn't.