SSH from the point of view of someone who doesn't give a damn

Mary Dean

The worst part about managing your own blog is that you will be forced against your will to learn about web security. It's the biggest wall you will run into, not just technically, but emotionally. Problem after problem will come at you -- connecting to your server, transferring stuff to your server, figuring out what a "certificate" is, trying to stop people from sneaking through your "ports," being forced to create different "users" even though they are all just you, having your emails rejected as spam, the list goes on and on.

I vividly remember the existential despair I felt when I logged into my first "droplet" server, maybe a week after I had created it.

login as: root


Welcome to Ubuntu... 60 packages can be updated.

There were 672,974 failed login attempts since the last successful login.

Wait, what?

Is that the Russians?

How do they even know that I exist? What will they do if they break in? Would I even know if they did? Why do they care about my collection of Zone diet recipes and scanned photos of my Dad's relatives? Am I supposed to DO something, or do I just calmly proceed with building my blog while surrounded by hordes of bots all trying to guess my password?

If you google "Ubuntu failed login attempts" you will find tons of advice, but it is hard to wrap your brain around, or to know what exactly you need to DO.

Disable SSH login for root.

Disable password-based authentication altogether.

Passwords with high entropy are unlikely to be brute-forced.

Run the SSH server on another port than 22.

Bad idea for usability

Use port knocking, so the SSH port is only visible to hosts from which the sequence of knocks is received.

But you need a dedicated client program to send the knock sequence.

And what if you're on some network which blocks outgoing traffic to some of the port numbers which you've chosen in your port knock sequence?

Security through obscurity is the wrong approach.

The argument that port knocking is security by obscurity is sheer twaddle because it implies that port knocking is security in the first place, which it isn't.

Moving SSH to a random TCP port adds roughly 16 bits worth of entropy.

No, to get 16 bits of extra entropy, you would need to run 65,000 fake SSH servers alongside it.

And that's still security through obscurity.

Be sure to block all IPs that have been reported to the blacklist in the last 48 hours, and report all attackers to the blacklist.

Require a keyfile to log in.

Allow SSH connections only from a whitelist (beware not to lock yourself out!).

Use Fail2ban to keep the wolves at bay.

Use web knocking, a tiny application under a URL that only you know, such that if you browse to that URL and put some correct value into a form and submit it, it will open up the port.

For God's sake, I just wanted to build a website to share my breakfast noodle recipes.
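The three suggestions that conversation keeps circling back to (no root login, no passwords, a key to log in) in working form, as an added example that is not from the original post: a POSIX shell script that prints the hardened sshd_config lines and audits a config file for the weak settings. The "before" config is constructed here for illustration, and the file paths are temporary ones; nothing touches /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the hardened sshd_config
# settings for "disable root login" + "disable password auth" + "require a key",
# and audits an existing config file for the weak settings. The sample "before"
# config and the temp-file paths below are constructed for this example.
set -eu

# Settings to put in /etc/ssh/sshd_config (or, where that file has an
# "Include /etc/ssh/sshd_config.d/*.conf" line, in a file under that directory).
# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication;
# current OpenSSH accepts both, and leaving it on lets PAM still prompt for a
# password even when PasswordAuthentication is off.
hardened_sshd_config() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
}

# Print one "weak:" line per problem found in the file; print nothing if it passes.
# As sshd does, only the first occurrence of a keyword counts and matching is
# case-insensitive. Match blocks are not parsed: check those with `sshd -T`.
audit_sshd_config() {
    file="$1"
    for kw in PermitRootLogin PasswordAuthentication \
              ChallengeResponseAuthentication KbdInteractiveAuthentication; do
        val=$(grep -iE "^[[:space:]]*$kw[[:space:]]+" "$file" | head -n 1 \
              | awk '{print tolower($2)}')
        case "$kw:$val" in
            PermitRootLogin:no) ;;
            PermitRootLogin:*)
                echo "weak: PermitRootLogin is '${val:-unset, defaults to prohibit-password}'; want 'no'" ;;
            PasswordAuthentication:no) ;;
            PasswordAuthentication:*)
                echo "weak: PasswordAuthentication is '${val:-unset, defaults to yes}'; want 'no'" ;;
            ChallengeResponseAuthentication:yes|KbdInteractiveAuthentication:yes)
                echo "weak: $kw is 'yes'; want 'no' (PAM can still ask for a password)" ;;
        esac
    done
}

# Constructed "before" file, the way an image that lets you log in as root
# with a password looks.
before=$(mktemp)
cat >"$before" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
after=$(mktemp)
hardened_sshd_config >"$after"

echo "== before =="; audit_sshd_config "$before"   # three 'weak:' lines
echo "== after  =="; audit_sshd_config "$after"    # prints nothing
rm -f "$before" "$after"
```

Before restarting sshd with the new settings, keep your current session open, confirm from a second terminal that key login works, and run `sshd -t` to check the syntax; `sshd -T` prints the effective configuration, Match blocks included, which is the thing to grep when the audit above says the file is clean but password logins still succeed. The port-change and knocking suggestions are left out on purpose; the bubbles above already argue about whether they are worth anything.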

You try to follow along, you really do. You think: "OK, maybe I should look into getting a web knocker."

Meanwhile, your friends say, "See? That's why I use Wordpress." Or: "It only took me an hour to set up my website on Wix." Or: "Why don't you just use Facebook to share your stuff?"

And you try to remember WHY you wanted your own blog space that was totally under your control.

We'll talk about that some other time. For now, let's talk about SSH.

There are two key ideas buried in the conversation that I illustrated above, with help from this guy who put together a handy page of pure CSS speech bubbles for the rest of us to use and enjoy.

Actually, can I pause to say something about that?

(What I just typed to create that thought bubble:)

<div class="oval-thought">Actually, can I pause to say something about that?</div>

That guy, Nicolas Gallagher, wrote that post in March of 2010. It is now March of 2018, eight years later. Yet it is still there, receiving visitors. Any time you search for the term "css speech bubble" (and who doesn't occasionally need a good speech bubble?), it will be at the top of the list. The page has no ads. Mr. Gallagher just decided to gift us with a beautifully organized presentation of different, easy ways to make speech bubbles.

It's a good example of what I'm talking about when I complain that a huge portion of our population has become trapped in a web-world where the only things they see are the NEW, the things that were published TODAY, the LATEST technology, etc. The real internet is a place where time stands still.

It also makes me laugh because of the way our old-fashioned vocabulary has been twisted to suit the current environment. Guys like Nicolas are referred to as "software engineers." To people in my generation, "engineer" implies a guy who designs jet engines or skyscrapers. To people in the next-oldest generation, it connotes a guy who drives a train. But today's "engineer" is a guy who designs speech bubbles and works out the calculations for having triangles point in various ways, or quotes floating in space nearby.

No, Donny, these men are nihilists, there’s nothing to be afraid of.

Walter Sobchak