Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2019-07-11, 08:29

The reason people suggest choosing a port other than 22 is that there are bots that roll through all the public addresses on the internet attempting to connect to devices on port 22 (among others) with known weak credentials. Moving to a high-number port that you've picked yourself means you are less likely to be targeted by these attackers. You can either change that on the SSH server itself (see /etc/ssh/ssh_config) or probably on your router by changing the externally-exposed port in the mapping.

Here are a few other things you can do to help further secure the target system, in increasing order of difficulty...

1. If you haven't already, set your server (Mac) user's login password to something long and very difficult to guess. Bots often use dictionary attacks once a machine is found, and you should have a password that is extremely unlikely to be guessed or derived from common words or phrases. If you think you have a good password, try checking it on https://haveibeenpwned.com/Passwords (this is arguably a trustworthy site, but…) or if you're justifiably paranoid about plugging your password into a web form, you can use their API to see if your password is in a known password dump by checking at a URL like https://api.pwnedpasswords.com/range/5baa6 where "5baa6" is the first five characters of the SHA-1 of your password. To get the SHA-1 of your password, you could use the Terminal command:

Code:
echo -n 'password' | shasum -a 1
…where in this case "password" is the password to check. Take the first five characters of that, and put it on the end of https://api.pwnedpasswords.com/range/. Search the resulting page for your remaining SHA-1 characters after the first five (in the case of "password" that would be "1e4c9b93f3f0682250b6cf8331b7ee68fd8") to see if it's in any known password dumps.

(haveibeenpwned/pwnedpasswords are generally more focused on dissuading password reuse on web sites and online apps, but it's good to check against their database for SSH and anything else that could take a password too.)

2. Disable ssh login for all accounts other than the one you specifically intend to use. In macOS, that's a simple matter of fiddling with the list of users in the "Allow access for" box in the Sharing pane of System Preferences.

3. Set up SSH keys and disable "password" login over SSH. This may be a little tricky if you've never done it, and it requires the SSH client on your iPhone to support this method. It works like this: on your server (Mac) you create a pair of cryptographic keys for your user, give one of those keys to your client (iPhone app), and disable the ability to log in over SSH without that key. Check to see if your app supports key-based auth, and if it does, I'll find or write up some notes on how you might use it.

4. Run a program that monitors attempted access and blocks addresses that fail to enter. I currently use fail2ban on a couple of servers, and I've previously used DenyHosts. SSHGuard is another one that I've seen recently but haven't used myself yet. These tools monitor the SSH server access logs, and after a configured number of failed attempts by an external client, they do something (which varies by implementation) to block that client from further attempts. For example, on one of my systems, I have fail2ban set up to block any IP address that attempts to log in as "root" over SSH and to block any IP address that fails 5 times to connect as another username over SSH. This gives me a little leeway in case I fat-fingered my key, but it also provides strong protection against anyone dictionary-attacking if they guess my user.

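Steps 2 and 3 come down to a handful of sshd directives. The script below is an added example, not code from the post: it reads the text of a server-side configuration (/etc/ssh/sshd_config on macOS and most Unix systems; the "Allow access for" list in the Sharing pane is the macOS front end for the same user restriction that AllowUsers expresses in the file) and reports every setting that still admits password or unrestricted logins. Both configurations it checks are constructed samples, and the username alice and port 50022 are placeholders. It mirrors two rules of sshd that trip people up when hardening: the first occurrence of a keyword wins, and directives after a Match line are conditional, so the scan stops there. Keyword=value syntax and Include are not resolved.

```shell
#!/bin/sh
# Added example (not from the post): check an sshd_config for the settings
# steps 2 and 3 are about. The sample configurations below are constructed.
# Handles "Keyword value" lines only; "Keyword=value" and Include are not
# resolved, and anything after a Match line is conditional, so it is skipped.

# sshd_get KEYWORD DEFAULT CONFIG_TEXT -> effective value of KEYWORD.
# sshd keeps the FIRST occurrence of a keyword, and keywords are
# case-insensitive; the awk program mirrors both rules.
sshd_get() {
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  v=$(printf '%s\n' "$3" | awk -v key="$key" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    tolower($1) == "match" { exit }                 # conditional section begins
    tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
  ')
  printf '%s\n' "${v:-$2}"
}

# audit_sshd CONFIG_TEXT -> one WEAK/NOTE line per finding, or OK.
audit_sshd() {
  cfg=$1
  out=""
  pa=$(sshd_get PasswordAuthentication yes "$cfg" | tr 'A-Z' 'a-z')
  # Keyboard-interactive auth also accepts the account password (via PAM), so
  # PasswordAuthentication no alone is not enough. KbdInteractiveAuthentication
  # is the newer name of ChallengeResponseAuthentication; the old name acts as
  # its default here so either spelling is honoured.
  cra=$(sshd_get ChallengeResponseAuthentication yes "$cfg")
  kbd=$(sshd_get KbdInteractiveAuthentication "$cra" "$cfg" | tr 'A-Z' 'a-z')
  pub=$(sshd_get PubkeyAuthentication yes "$cfg" | tr 'A-Z' 'a-z')
  root=$(sshd_get PermitRootLogin prohibit-password "$cfg" | tr 'A-Z' 'a-z')
  users=$(sshd_get AllowUsers '' "$cfg")
  port=$(sshd_get Port 22 "$cfg")

  [ "$pa" = "no" ]     || out="${out}WEAK: PasswordAuthentication $pa (step 3: set to no)
"
  [ "$kbd" = "no" ]    || out="${out}WEAK: KbdInteractiveAuthentication $kbd (passwords still accepted this way)
"
  [ "$pub" = "yes" ]   || out="${out}WEAK: PubkeyAuthentication $pub (step 3 needs it)
"
  [ "$root" != "yes" ] || out="${out}WEAK: PermitRootLogin yes
"
  [ -n "$users" ]      || out="${out}WEAK: no AllowUsers list (step 2: every account may log in)
"
  [ "$port" != "22" ]  || out="${out}NOTE: Port 22, the default the bots scan
"
  if [ -n "$out" ]; then printf '%s' "$out"; else echo OK; fi
}

# weak_count CONFIG_TEXT -> number of WEAK findings.
weak_count() { audit_sshd "$1" | grep -c '^WEAK' || true; }

# Constructed sample 1: close to a stock install, with root login and
# passwords enabled. The later "PasswordAuthentication no" changes nothing,
# because sshd keeps the first value it saw.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
# ignored by sshd: the keyword already appeared above
PasswordAuthentication no
UsePAM yes'

# Constructed sample 2: steps 2 and 3 plus a non-default port, as they look
# in the file. "alice" and 50022 are placeholders.
HARDENED_CFG='Port 50022
AllowUsers alice
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Match Address 192.0.2.0/24
    X11Forwarding no'

echo "--- weak sample";     audit_sshd "$WEAK_CFG"
echo "--- hardened sample"; audit_sshd "$HARDENED_CFG"
# On a real host:  audit_sshd "$(cat /etc/ssh/sshd_config)"
```

Run it against a real file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`, and after editing the file confirm the result with `sudo sshd -t` before restarting the service, because a syntax error there locks you out along with the bots.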