🐈‍⬛David SommersethMay 25

I always remap my sshd daemon to listen to a non-standard port, to reduce a lot of noise. Which has worked fine for years. But every now and then there are attempts. All the #Linux kernel flaws found lately has made remote login attempts more interesting for attackers. And they scan much more broadly now than just port 22.

And that's why my second line of defence is to disallow remote root login - and also make use of the AllowGroups feature in sshd_config. Users granted remote access must be member of a specific group. And root is also excluded from this group.

That pays off these days. And this is a nice filter match for #fail2ban and similar tools

https://termbin.com/0cf6

I have 293 login attempts on "random users" since May 21. And 259 attempts as root.

#infosec #ssh #sshd #systemhardening #kernel

Show threadSam VolatileMay 18

OK, normally I have my shit wired together, but this bastard is getting to me.

The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

Life.

I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?

#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh

Show threadEddy JanssonMay 3
The "magic" that makes this works seems to be pointing 'IdentityFile' to the public key, not the private. #sshd #ssh
Diego Córdoba 🇦🇷Apr 28

Ya tengo listo el guión de un nuevo video para el canal de #YouTube de #juncotic, para el curso de Hardening y el de SSH!

Continuamos con lo que introduje en el video anterior: 2fa con TOTP en SSH usando google-authenticator y PAM.

Esta vez: mecanismos de recuperación si se nos cayó el celular/móvil al agua 😅

¿No viste el video anterior?

Te dejo el link para que te pongás al día 👇

https://youtu.be/QNeJ4a7powo

#2fa #totp #ssh #sshd #googleauthenticator #auth #pam #linux #infosec #ciberseguridad

Doble factor en SSH: Configura TOTP como 2FA en Linux (Paso a Paso)

YouTube
Diego Córdoba 🇦🇷Feb 16

Claramente no todo se puede hacer con #SSH 😜

Acá probando "sudo sshd -t" para verificar la sintaxis del archivo de configuración del servidor.

Se viene nuevo contenido en #JuncoTIC, se nota? 😉

#gnu #linux #openssh #sshd #humor #lol

jesterchen42Feb 16

Once there was https://blog.stribik.technology/2015/01/04/secure-secure-shell.html, which was fine. Now there is https://infosec.mozilla.org/guidelines/openssh, which doesn't include a date of the last update* (except perhaps the copyright 2017).

Where can I find current recommended SSH settings, with post-quantum and stuff?

* Oh, how I loathe websites that don't add the dates of creation and/or last update!

#ssh #sshd #sshd_config

Secure Secure Shell

No ads, no tracking. Ever.<br/> <strong>blog.stribik.technology</strong> is completely static, without cookies or javascript.<br/> <strong>comments.stribik.technology</strong> uses javascript and local storage, it's loaded when you click

KIP/JΛYCHØU ⁂   Feb 4

找了个时间优化了服务器便利性和“安全性”

1. Termius访问
Termius生成三个密钥分配给三台服务器
export到~/.ssh/authorized_keys
检查authorized_keys内容正确
测试密钥&无密码登录

2. 配置ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 特殊端口/tcp
sudo ufw enable
sudo ufw status verbose

3. 配置fail2ban
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw
ignoreip = 127.0.0.1/8 ::1 X Y Z
[sshd]
enabled = true
port = 特殊端口
backend = systemd

sudo apt update && sudo apt install python3-systemd -y
sudo systemctl enable --now fail2ban
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

3. 配置sshd_config
sudo nano /etc/ssh/sshd_config
Port 特殊端口
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

sudo sshd -t
sudo systemctl restart ssh

4. 更改hostname
sudo hostnamectl set-hostname xxx
sudo nano /etc/hosts
修改127.0.1.1 后主机名为xxx
hostnamectl status

5. 配置互通
ssh-keygen -t ed25519 -C "from_$(hostname)" -N "" -f ~/.ssh/id_ed25519
cat id_ed25519.pub
nano ~/.ssh/authorized_keys
一共三行,Termius pub、其他两台服务器的pub

6. 配置Alias
nano ~/.bashrc
alias nc='ssh -p 特殊端口 jay@ipX'
alias cc='ssh -p 特殊端口 jay@ipY'
alias hd='ssh -p 特殊端口 jay@ipZ'
source ~/.bashrc
nc (netcup)
cc (clawcloud)
hd (hostdzire)
或者
nano ~/.ssh/config
Host nc
HostName X
Port 特殊端口
User jay
Host cc
HostName Y
Port 特殊端口
User jay
Host hd
HostName Z
Port 特殊端口
User jay
ssh nc
ssh cc
ssh hd
还可以加上“ProxyJump cc”连 xxx 之前先跳到 cc

#ssh #sshd #pub #alias #ProxyJump #authorized_keys #termius #ufw #fail2ban

Show threadDendrobatus AzureusDec 4

As you can see the build process is smooth, the execution is blazingly fast. What more could I ask for?

https://smolbsd.org/

#programming #technology #BSD #netBSD #metaOS #microVM #networking #qemu #host #bmake #curl #sshd #Linux

Dendrobatus AzureusDec 4

The mighty world of BSD

Playing with again smolBSD, a fantastic metaOS system that I talked about a few weeks ago.
I'm a newbie, a greenhorn, when it comes to meta-operating systems built on top of NetBSD.

I am very eager to learn by doing, making mistakes in the process, correcting and feel the warmth of the BSD community, who is happy to correct, esp when I show that I read the docs after making the mistakes

The journey is fantastic, the learning process is fun. microVM's are amazing. I've registered 11ms boot times on this small machine with a few CPU cores (and 40GB RAM). The fun is endless

#programming #technology #BSD #netBSD #metaOS #microVM #networking #qemu #host #bmake #curl #sshd #Linux

https://smolbsd.org/

donNov 24, 2025
When configuring #sshd is there a security disadvantage of explicitly allowing pty if the command is restricted. Usecase: a restricted application for user interaction. Think TUI or git shell.