ML
    • JaredBusch

      Hello Mr Chinese IP based hacker

      IT Discussion ssh hacking erl edgemax edgerouter
      0 Votes
      13 Posts
      4k Views
      wirestyle22

      @tonyshowoff said in Hello Mr Chinese IP based hacker:

      That's why we set any WAN-facing SSH port to something obscenely high like 41022, not for "security" but because of the logs. In fact, all of our sshd services run following that pattern, as do our internal HTTP(S) servers but the load balancers take in 80/443.

      This prevents as many services as possible from running as root, which anything running port < 1024 does. I don't think most people even know this. At the very least if there's a NAT in play, one can always set ssh and web services ports much higher and just translate the ports to avoid the same issue.

      (I know there are some workarounds like setcap on Linux, but in general this is the default behaviour on most machines)

      For some reason this made me think of The Venture Bros, Hunter Gathers says:

      And we want your sad ass undercover agents to stop trying to infiltrate our group. Frankly we're tired of killing them and we can't afford the body bags!

      Useful piece of information. Thanks!

    • scottalanmiller

      ssh_exchange_identification: Connection closed by remote host

      IT Discussion linux ssh openssh
      1 Votes
      11 Posts
      3k Views
      scottalanmiller

      @johnhooks said in ssh_exchange_identification: Connection closed by remote host:

      Also a good way to use a web management interface without opening up http and https.

      I do that a bit.

    • mlnews

      An Introduction to Terminal Multiplexers

      News linux unix command line terminal multiplexer ssh screen tmux linuxconfig
      3 Votes
      2 Posts
      937 Views
      dafyre

      I first heard about tmux here at ML. I've gotten to where I like it better than screen most of the time.

    • mlnews

      How To Chroot SSH Users on CentOS 7

      News chroot centos centos 7 ssh linux rhel rhel 7 linuxpitstop
      2 Votes
      3 Posts
      3k Views
      scottalanmiller

      That's a good question... when does chrooting make more sense than containers today?

      Storage is one. Lots of people use chroot jails for storage purposes. Containers are heavier than chrooting which has effectively no impact on any resources.

    • wrx7m

      Fix Slow SSH/SFTP Logins on Ubuntu

      IT Discussion linux ssh ubuntu
      2 Votes
      3 Posts
      916 Views
      scottalanmiller

      @wrx7m said:

      I restarted the SSH service but I don't know if it was necessary.
      sudo service ssh restart

      It is.

    • Kelly

      OpenSSH installed, but cannot use SCP

      Solved IT Discussion linux centos 6.7 ssh scp openssh centos rhel rhel 6 centos 6
      1 Votes
      44 Posts
      8k Views
      scottalanmiller

      @Kelly said in OpenSSH installed, but cannot use SCP:

      Ok, I can now copy. Thanks for all the help. I have learned a lot in just this one issue.

      Cool, just realized that this was solved. So marking it as such. Thanks.

    • stacksofplates

      SSH Key Pairs

      IT Discussion ssh key management ssh keys public key private key ansible linux remote acces linux
      6 Votes
      2 Posts
      1k Views
      stacksofplates

      Since the images disappeared, I added them as code.

      Also, Identity Management (FreeIPA) makes it really easy to store public keys in LDAP so any system joined to IdM can verify the key.

    • scottalanmiller

      Accessing a Linux Server via SSH

      IT Discussion linux unix ssh remote access sam linux administration
      6 Votes
      22 Posts
      7k Views
      scottalanmiller

      @BRRABill said in Accessing a Linux Server via SSH:

      @scottalanmiller said

      The default of what is to copy, paste and hit return?

      PUTTY.

      By default when you right click something to copy, it copies it and pastes it and then hits return.

      I guess perhaps just highlighting it copies it? I like the Windows method.

      No it does not. I thought maybe you were thinking this but did not want to imply it. That's a misunderstanding of what is happening. It only does that IF your Windows environment and your actions are copying a carriage return into the clipboard (which Windows does by default.) This has nothing to do with PuTTY and is all about your Windows desktop AND it only does this if YOU make it happen, it does not do that for the rest of us. We don't copy the carriage return into the clipboard unless we want it. Windows makes this easy to control as a feature, but it is an invisible feature of the Windows environment so if you are not a Windows power user, you might not be aware that there is an interface to it that you are misusing.

      PuTTY simply does what Windows tells it to do, PuTTY has no default behaviour like you are imagining.

    • scottalanmiller

      UNIX SSH Key Management Approaches

      IT Discussion unix linux ssh key management 2fa two factor security general it knowledge nfs dns dnssec devops
      5 Votes
      4 Posts
      2k Views
      A

      @scottalanmiller You should also include cloud-init

      https://cloudinit.readthedocs.org/en/latest/

    • mlnews

      OpenSSH Critical Update to Patch Roaming Vulnerability

      News ssh openssh security eweek open source
      3 Votes
      6 Posts
      2k Views
      stacksofplates

      @dafyre said:

      FTA, this looks like it only affects the SSH clients... Right?

      "The problem involved a bug that exposed a memory leak to a malicious SSH server," Cox explained. "Because the data in question didn't cross any trust or execution boundaries, the malicious server could get the client to possibly leak sensitive authentication key data."

      I think it's both. I ran my update playbook and everything was patched within about 3 minutes 🙂

    • gjacobse

      Ensuring Security - Passcode cycle

      IT Discussion ssh ssh tunnel security password passcode passphrase encryption
      1 Votes
      4 Posts
      2k Views
      scottalanmiller

      LUKS will work great for that. We used it in big finance to deal with stuff like government bank account details.

    • stacksofplates

      Network backup

      IT Discussion ssh nfs samba backup
      1 Votes
      29 Posts
      6k Views
      scottalanmiller

      @Dashrender said:

      On the Windows side we have the free version of Unitrends and Veeam for VMs, but I'm not sure of one for bare metal.

      Those can become coupled if you share accounts. So it is not a panacea.

    • mlnews

      Comparing FTP, FTPS and SFTP

      IT Discussion sftp ftp ftps ssh smartfile
      3 Votes
      10 Posts
      3k Views
      scottalanmiller

      I use Filezilla. My dad uses WinSCP. Six of one, half dozen of the other. I think WinSCP is more secure, some people have complained about security design choices in Filezilla but nothing I'm worried about.

    • bbigford

      Linux SCP issue

      IT Discussion linux scp ssh
      2 Votes
      21 Posts
      3k Views
      scottalanmiller

      Yeah, you can get that to be pretty simple with a little work (and keys.)

    • stacksofplates

      Lab Project: 2FA with Google Authenticator

      IT Discussion jump server ssh jumpbox 2fa linux security
      4 Votes
      5 Posts
      2k Views
      stacksofplates

      @anonymous said:

      Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....

      http://mangolassi.it/topic/6143/linux-lab-project-building-a-linux-jump-box

    • stacksofplates

      SSH Key Best Practices

      IT Discussion linux ssh security
      1 Votes
      4 Posts
      1k Views
      AVI-NetworkGuy

      Decent guide for this from NIST:

      http://csrc.nist.gov/publications/drafts/nistir-7966/nistir_7966_draft.pdf

    • scottalanmiller

      Linux Lab Project: Building a Linux Jump Box

      IT Discussion centos 7 ssh server jumpbox projects jump server linux jump station ntg lab scale hc3 centos unix scale
      16 Votes
      56 Posts
      16k Views
      JaredBusch

      @JaredBusch said in Linux Lab Project: Building a Linux Jump Box:

      @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

      First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.

      Did you ever make a good write up on creating users and SSH keys? If so, I cannot find it.

      I mean, I know how to make and use keys in general. But detail here would be good.

      Write up for creating the users on the jump box and getting their SSH keys. Write up for pushing users and keys to other systems that said jump box will be allowing access. Write up for control of said access. Bob and Jill have access to Jump Box. Bob has Access to servers 1 & 2. Jill has access to server 2 & 3.

      I know that @scottalanmiller has mentioned in another thread that he has a script to push this all out (question 2). I can only assume that the script has some controls to tell you which server to shove the key and user logon to (question 3).

    • Ambarishrh

      Linux Server Security

      IT Discussion linux security ssh vpn server
      2 Votes
      11 Posts
      3k Views
      scottalanmiller

      @Dashrender said:

      Why is a VPN a security risk? because they give you (generally) full access to the network?

      Correct. They create unnecessary exposure. Direct access to all hosts (typically) for all protocols and ports. The protections of firewalls and proxies are bypassed. They are generally the least secure form of access because they are the laziest - just expose everything and hope for the best.

    • Reid Cooper

      AutoSSH

      IT Discussion openssh autossh ssh linux unix security
      2 Votes
      4 Posts
      2k Views
      Ambarishrh

      As the site mentions: "autossh comes in handy when you want to set up reverse SSH tunnels or mount remote folders over SSH. Essentially in any situation where persistent SSH sessions are required, autossh can be useful."
