I am paranoid?
-
@tonyshowoff said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
Should be noted, though, that this is why I like places like Digital Ocean and Vultr who don't use root passwords at all making this so much more secure out of the box.
We use digital ocean for our staging, they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.
They will let you use root passwords, yes. But we just use SSH keys. Easier and faster.
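Editor's note: the staging hardening steps listed in the post above, written out as a script. This is an added example, not code from anyone in this thread. It rewrites a copy of sshd_config so that protocol 2, no root login, key-only authentication and a non-default port are the effective values, checks the result, and only touches the live system when run as root with APPLY=1. The port 1122, the user name deploy, the admin group and the Debian-style paths are assumptions.

```sh
#!/bin/sh
# Added editor's example (not from the thread): the staging hardening described
# above as a script. Port 1122, user "deploy", ADMIN_GROUP and paths are assumptions.
set -eu

# Directives this script owns. sshd honours the FIRST occurrence of a keyword, so
# simply appending "PermitRootLogin no" after an existing "PermitRootLogin yes"
# changes nothing; every existing line for these keys is stripped first.
OWNED='Port|Protocol|PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication'

# harden_sshd_config IN PORT  > OUT
harden_sshd_config() {
    in="$1"; port="$2"
    grep -Ev "^[[:space:]]*#?[[:space:]]*($OWNED)[[:space:]]" "$in" || true   # grep exits 1 on no match
    printf '\n# hardening appended by harden_sshd_config\n'
    printf 'Port %s\n' "$port"
    printf 'Protocol 2\n'            # matters on OpenSSH < 7.4 (which still had SSH1); newer sshd ignores it
    printf 'PermitRootLogin no\n'
    printf 'PubkeyAuthentication yes\n'
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'   # keyboard-interactive is another password path
}

# sshd_effective FILE KEY -> the value sshd would use (first uncommented match).
# Include files and Match blocks are not modelled; "sshd -T" is the real answer.
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$1"
}

# check_sshd_config FILE PORT -> 0 only if every hardened value is the effective one
check_sshd_config() {
    f="$1"; port="$2"
    if [ "$(sshd_effective "$f" Port)" = "$port" ] &&
       [ "$(sshd_effective "$f" PermitRootLogin)" = "no" ] &&
       [ "$(sshd_effective "$f" PasswordAuthentication)" = "no" ] &&
       [ "$(sshd_effective "$f" PubkeyAuthentication)" = "yes" ]; then
        return 0
    fi
    return 1
}

# apply_hardening USER PORT  (root only). Keep the current session open until a
# fresh login on the new port works, or you lock yourself out of the box.
apply_hardening() {
    user="$1"; port="$2"
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    usermod -aG "${ADMIN_GROUP:-sudo}" "$user"          # "wheel" on RHEL-family systems
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 700 "$home/.ssh"
    # reuse the key the provider dropped into root's account (e.g. the jump box key)
    [ -f /root/.ssh/authorized_keys ] && install -m 600 /root/.ssh/authorized_keys "$home/.ssh/authorized_keys"
    chown -R "$user" "$home/.ssh"
    harden_sshd_config /etc/ssh/sshd_config "$port" > /etc/ssh/sshd_config.new
    sshd -t -f /etc/ssh/sshd_config.new                 # syntax check before it goes live
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
    echo "now: open tcp/$port in the firewall (under SELinux also: semanage port -a -t ssh_port_t -p tcp $port),"
    echo "restart sshd, and confirm 'ssh -p $port $user@host' works before closing this session"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_hardening "${ADMIN_USER:-deploy}" "${SSH_PORT:-1122}"
fi
```

One check worth doing after any edit like this: `sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication) '` prints what sshd actually runs with. On distributions whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, a cloud-init drop-in in that directory can set `PasswordAuthentication yes` and, being read first, win over anything in the main file; the script's `check_sshd_config` only sees the one file it is given.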
-
I think that this sounds normal and you are just worried, doesn't sound like there is any reason to suspect that anyone has gotten into your system.
-
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
Should be noted, though, that this is why I like places like Digital Ocean and Vultr who don't use root passwords at all making this so much more secure out of the box.
We use digital ocean for our staging, they do use root passwords. The first things we do after spinning up an instance are creating a new user, changing sshd_config to be SSH2 only, disabling root login, and setting the port really high to avoid bombardment. On our actual network it's much more secure, and/or possibly elaborate, than that, but this is staging.
They will let you use root passwords, yes. But we just use SSH keys. Easier and faster.
Most definitely, we use SSH keys in production. We could use them for both, but to be honest, I can't tell you why we don't, we just don't, ... lol what a terrible reason.
-
I find them so much more convenient. I build a new box (I do all of the new box builds now after some disasters with that getting spread around) and I don't have to track logins. I just log in automatically from the Jump Box (which is the one whose key is there) and I can instantly run our script that creates all of the standard access for everyone. Never have to type in or write down passwords.
-
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
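Editor's note: the two posts above are weighing log noise against the port change, and the thread opened with the worry that someone had got in. Both can be measured rather than argued. The script below is an added example, not from any poster: it summarises sshd failures per source address and flags any accepted login from an address that had been guessing. The log lines are constructed (documentation IP ranges, made-up PIDs and times); the message formats are OpenSSH's.

```sh
#!/bin/sh
# Added editor's example (not from the thread): triage of sshd log noise.
# SAMPLE_AUTH_LOG is constructed; feed real data with  failed_by_ip < /var/log/auth.log
set -eu

SAMPLE_AUTH_LOG='Mar  3 04:12:01 web1 sshd[2231]: Invalid user admin from 203.0.113.5 port 41022
Mar  3 04:12:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  3 04:12:06 web1 sshd[2233]: Failed password for root from 203.0.113.5 port 41030 ssh2
Mar  3 04:12:09 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 41038 ssh2
Mar  3 04:15:40 web1 sshd[2240]: Failed password for root from 203.0.113.77 port 50102 ssh2
Mar  3 04:20:11 web1 sshd[2251]: Accepted publickey for deploy from 198.51.100.9 port 52310 ssh2: ED25519 SHA256:abc
Mar  3 04:21:03 web1 sshd[2255]: Accepted password for root from 203.0.113.77 port 50140 ssh2'

# failed_by_ip < log  ->  "count ip" lines, busiest source first.
# This is the "bombardment"; on its own it is background noise, not a compromise.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# successes_after_failures < log  ->  "ip user" for every Accepted login from an
# address that had already produced failures. A non-empty result is the thing
# that actually warrants concern: a guesser who then got a session.
successes_after_failures() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i+1)] = 1; break }
         }
         /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip   = $(i+1)
            }
            if (ip in failed) print ip, user
         }'
}

# root_password_logins < log  ->  number of password logins as root, from anywhere.
# If you believe root login and password auth are off, anything but 0 here means
# the running config is not what you think it is.
root_password_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted password for root ' || true
}
```

On a Debian-style host the input is `/var/log/auth.log`, on RHEL-style hosts `/var/log/secure`, and on journald-only systems `journalctl -u ssh --no-pager | failed_by_ip` works the same way since the message text is unchanged. The counts are what the port change reduces; `successes_after_failures` is what should stay empty regardless of port.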
-
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
Changing the SSH port is pretty common, and yes, it's worth the hassle of remembering something like making it 1122, especially because it doesn't run as root out of the box, as everything running on ports <= 1024 does. It's safer, cleaner, etc.
In other words, I suggest a common standard for your company/your setups, rather than picking a random one like MSSQL likes to, depending on configuration.
-
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22 and when it fails, he's going to be like - hey bro - you know SSH is broken - then he's going to think security through obscurity eh? huh, does this guy really know anything? and only after talking to you for a while will he be like - ok yeah this guy knows his stuff, but damn.. that SSH port change is just weird.
-
@Dashrender said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22 and when it fails, he's going to be like - hey bro - you know SSH is broken - then he's going to think security through obscurity eh? huh, does this guy really know anything? and only after talking to you for a while will he be like - ok yeah this guy knows his stuff, but damn.. that SSH port change is just weird.
That's what documentation is for. That's why we don't have all the same root password or whatever.
-
@Dashrender said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22 and when it fails, he's going to be like - hey bro - you know SSH is broken - then he's going to think security through obscurity eh? huh, does this guy really know anything? and only after talking to you for a while will he be like - ok yeah this guy knows his stuff, but damn.. that SSH port change is just weird.
If you are hiring a consultant, you should be providing documentation on how to connect. I don't come into a place and just try to randomly connect to something. I connect to what the client tells me to connect to, how they tell me to connect.
I might also have an opinion about why something is non-standard, but I would not mouth it off, because, you know, I like to get paid.
-
@JaredBusch said in I am paranoid?:
@Dashrender said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
@Dashrender said in I am paranoid?:
@scottalanmiller said in I am paranoid?:
@tonyshowoff said in I am paranoid?:
I'd hope you wouldn't have passwords so easy that within a few minutes of finishing the install they've guessed it. You can cut down on a hell of a lot of these by changing the SSH port, that's the first thing I always do. I don't consider it security through obscurity, because it's not so much for security as it is to just be less obvious and keep my logs cleaner.
Less obvious is the singular goal of security through obscurity. That's just rewording it.
Logs cleaner makes sense.
And are the cleaner logs worth the hassle of remembering that the port has been changed?
It's not really a hard thing to remember, especially if you make it standard. If you can't remember something like that, you probably shouldn't be in IT since there are much longer numbers and more complex ones. Did you ever ask "are locally routed IP ranges for NAT worth the hassle of remembering what they are?" Come on.
No, because I don't expect someone to walk in and assume them to be anything. But if I hire a consultant to do some work, he's going to assume SSH is on port 22 and when it fails, he's going to be like - hey bro - you know SSH is broken - then he's going to think security through obscurity eh? huh, does this guy really know anything? and only after talking to you for a while will he be like - ok yeah this guy knows his stuff, but damn.. that SSH port change is just weird.
If you are hiring a consultant, you should be providing documentation on how to connect. I don't come into a place and just try to randomly connect to something. I connect to what the client tells me to connect to, how they tell me to connect.
I might also have an opinion about why something is non-standard, but I would not mouth it off, because, you know, I like to get paid.
LOL - most of that was internal thought processes, not verbal ones...
-
@BRRABill nice!