this post was submitted on 10 Feb 2025
751 points (99.3% liked)

linuxmemes

22397 readers
2925 users here now

Hint: :q!

Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
    • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
    • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
    • 5. πŸ‡¬πŸ‡§ Language/язык/Sprache
  • This is primarily an English-speaking community. πŸ‡¬πŸ‡§πŸ‡¦πŸ‡ΊπŸ‡ΊπŸ‡Έ
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
    • Β 

    Please report posts and comments that break these rules!

    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 2 years ago
    MODERATORS
    poopsmith@lemmy.world
    zephyr@lemmy.world
    rtxn@lemmy.world
    751
    I didn't know you were supposed to disable root user... (linux.community)
    submitted 1 day ago by Tablaste@linux.community to c/linuxmemes@lemmy.world
    153 comments fedilink hide all child comments
     

    Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.

    Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.

    Rolled back to the backup before I made it public and now I have a security checklist.

    you are viewing a single comment's thread
    view the rest of the comments
    [–] troed@fedia.io 30 points 1 day ago (1 children)

    It's perfectly safe to run SSH on port 22 towards the open Internet with public key authentication only.

    [–] designatedhacker@lemm.ee 4 points 1 day ago (1 children)

    https://nvd.nist.gov/vuln/detail/cve-2024-6409 RCE as root without authentication via Open SSH. If they've got a connection, that's more than nothing and sometimes it's enough.

    [–] troed@fedia.io 23 points 1 day ago (2 children)

    That attack vector is exactly the same towards a VPN.

    [–] SpaceCadet@feddit.nl 2 points 10 hours ago (1 children)

    A VPN like Wireguard can run over UDP on a random port which is nearly impossible to discover for an attacker. Unlike sshd, it won't even show up in a portscan.

    This was a specific design goal of Wireguard by the way (see "5.1 Silence is a virtue" here https://www.wireguard.com/papers/wireguard.pdf)

    It also acts as a catch-all for all your services, so instead of worrying about the security of all the different sshds or other services you may have exposed, you just have to keep your vpn up to date.

    [–] troed@fedia.io 1 points 10 hours ago (1 children)

    Yeah I don't do security via obscurity :D I agree you need to keep your Internet facing services up to date.

    (No need to educate me on Wireguard, I use it. My day job is slightly relevant to the discussion)

    [–] SpaceCadet@feddit.nl 1 points 10 hours ago (1 children)

    Yeah I don’t do security via obscurity

    Another one who misunderstands that phrase... Yes, obscurity shouldn't be your only line of defense, but limiting discoverability of your systems should be an integral part of your security strategy.

    [–] troed@fedia.io 1 points 9 hours ago

    There's no difference to the work I need to do to secure an open SSHd vs an open WireGuard server. None.

    Yes I harden, and penetrate, systems for a living. If your systems need remote access there is no standard (neither in fintech or military) that classifies SSHd as being "worse" than a VPN.

    [–] designatedhacker@lemm.ee 1 points 9 hours ago (1 children)

    Are you talking a VPN running on the same box as the service? UDP VPN would help as another mentioned, but doesn't really add isolation.

    If your vpn box is standalone, then getting root is bad but just step one. They have to own the VPN to be able to even do more recon then try SSH.

    Defense in depth. They didn't immediately get server root and application access in one step. Now they have to connect to a patched, cert only, etc SSH server. Just looking for it could trip into some honeypot. They had to find the VPN host as well which wasn't the same as the box they were targeting. That would shut down 99% of the automated/script kiddie shit finding the main service then scanning that IP.

    You can't argue that one step to own the system is more secure than two separate pieces of updated software on separate boxes.

    [–] troed@fedia.io 1 points 9 hours ago

    Why is your VPN jump box better than an SSH jump box?