Conversation

Notices

1. Emacsen (emacsen@emacsen.net)'s status on Monday, 30-May-2022 00:25:12 UTC Emacsen

   It's been quite a few years since I was a #sys-admin professionally.

   At the time, jumphosts were used as a mechanism to get into protected systems externally.

   The alternative was a VPN.

   My concern with VPNs is complexity.

   I have a very small (<5) number of hosts to connect to.

   My issue with jumphosts are cost and additional points of failure.

   What do people think of protecting SSH over wireguard?

   What about alternatives like port knocking?

   Other alternatives?

   • Gergely Nagy 🐁 (algernon@trunk.mad-scientist.club)'s status on Monday, 30-May-2022 00:25:11 UTC Gergely Nagy 🐁

     in reply to

     @emacsen As a little fun, I also set up endlessh on port 22, so bots waste quite a bit of time trying to get there.

     Longest connection there was 4 days downloading a banner.

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Gergely Nagy 🐁 (algernon@trunk.mad-scientist.club)'s status on Monday, 30-May-2022 00:25:12 UTC Gergely Nagy 🐁

     in reply to

     @emacsen I put SSH on a port other than 22. Not a single attempt was made there in the past 5+ years except legit ones.

     I considered all alternatives too, even implemented some, but bots were still hitting my 22 port, and sometimes I even managed to lock myself out when I accidentally used the wrong key and fail2ban blocked me.

     So I moved the port, and realized that in my case, everything else was unnecessary. Non-standard port + key-only is sufficiently obscure.