
> When you make that port 2222 or whatever, like so many people do, you have cut out a lot of noise... but now that compromised PHP application you had running has allowed someone to now race you every time SSH is restarted for an update or crashed or whatever to bind on that port.

This attack is mitigated quite strongly if you have SELinux enforcing and aren't running networked services in unconfined domains.

Even if you have networked services that aren't confined in the default targeted policy, you can probably learn to write policy for them in a day or two, although poor documentation can make for a steep learning curve.
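Added example, not part of the thread: what the policy-writing step described in the comment above looks like for a networked service the targeted policy does not cover. It is a minimal SELinux policy module for a hypothetical daemon `mysvc` (the names `mysvc`, `mysvc_t`, `mysvc_port_t` and port 8443 are assumptions), with the port labelling that makes the port-2222 race from the quoted comment fail.

```selinux
## mysvc.te -- hypothetical confined network daemon (all names are assumptions)
##
## Build and load (Fedora/RHEL policy devel tree), then label the ports:
##   make -f /usr/share/selinux/devel/Makefile mysvc.pp && semodule -i mysvc.pp
##   semanage port -a -t mysvc_port_t -p tcp 8443
##   semanage port -a -t ssh_port_t   -p tcp 2222
## Without the second label, 2222 stays unreserved_port_t, which any domain
## granted corenet_tcp_bind_all_unreserved_ports may bind; with it, only
## domains holding name_bind on ssh_port_t (sshd_t) can take the port.
## Check that the web-app domain is not one of them (expect empty output):
##   sesearch -A -s httpd_t -t ssh_port_t -c tcp_socket -p name_bind
## mysvc.fc (file context for the binary):
##   /usr/sbin/mysvc  --  gen_context(system_u:object_r:mysvc_exec_t,s0)

policy_module(mysvc, 1.0.0)

########################################
# Declarations
#
type mysvc_t;
type mysvc_exec_t;
# Transition into mysvc_t when init/systemd runs the mysvc_exec_t binary.
init_daemon_domain(mysvc_t, mysvc_exec_t)

# A dedicated port type: mysvc_t may name_bind only to ports carrying it.
type mysvc_port_t;
corenet_port(mysvc_port_t)

########################################
# Local policy
#
allow mysvc_t self:tcp_socket create_stream_socket_perms;

corenet_all_recvfrom_unlabeled(mysvc_t)
corenet_tcp_sendrecv_generic_if(mysvc_t)
corenet_tcp_sendrecv_generic_node(mysvc_t)
corenet_tcp_bind_generic_node(mysvc_t)

# The only name_bind rule in the module: no ssh_port_t, http_port_t or
# unreserved_port_t, so a compromised mysvc cannot squat on another
# service's port while that service is restarting.
allow mysvc_t mysvc_port_t:tcp_socket name_bind;

files_read_etc_files(mysvc_t)
logging_send_syslog_msg(mysvc_t)
miscfiles_read_localization(mysvc_t)
sysnet_dns_name_resolve(mysvc_t)
```

Any bind to a differently labelled port is denied and shows up in the audit log as an AVC for `name_bind`, which is also the signal to watch for when tightening an existing service.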



If you're going about that level of security (and you should be!) - why are you bothering with SSH being open to the public internet to begin with?

This is what's weird to me about this whole argument - people can come up with lots of ways to secure this, yet aren't willing to do one of the things that will provide the most security while also offering a high pass filter in blocking SSH access to the public internet. No log noise, no chance of a zero day hitting it, one key being compromised is no longer enough to result in an access breach.


In my case it's because (not counting the machines I get paid to admin, which are indeed behind a VPN) I only admin one isolated VPS, so without a dedicated bastion I feel that the benefit of a VPN is reduced. I just secured it according to the DISA STIG plus some more intrusion detection and stronger SELinux confinement.

Adding a dedicated bastion would double my monthly costs, but SELinux costs me nothing if the targeted policy covers my applications, or like half an hour of my time per service if I have to write my own policy modules.

Although, I should point out I'm playing devil's advocate here because my ssh is still on port 22.



