On 23.06.21 18:27, Saint Michael wrote:
> I use iptables, but all my servers have public IPs, for we do
> telecommunications. If my firewall is down for any reason and I don't catch
> it, they will hack me.

1. You want to start doing that thing called "monitoring".

2. If by "firewall", you mean a unit *other* than the target machines, from
   the moment it is "down", it should *NOT* allow any through traffic to the
   targets (unless necessary to let an admin remote in to fix the firewall
   problem).

3. Otherwise, i.e., all you have is the iptables on the target machines
   themselves, you IMHO want to
   -- have the sshd listen on a nonstandard port,
   -- make the iptables, *if they are up and working*, NAT connection
      attempts to port 22 to the real port, and
   -- hand a "port cheat sheet" to the admins so that *they* can remote into
      some machine to fix the iptables being "down".

I shall stop here with the details, though, because if you don't know how
you get (re)hacked, you don't know whether it's done *through SSH* in the
first place, either (and, if so, whether it's by weak passwords, an
authorized key hidden someplace during the first hack, etc. etc.).

> But OpenSSH in CentOS 7 is so old that it cannot communicate with
> newer machines, they cannot agree on protocols and ciphers, etc.

... out of interest, what's your reference standard there, since it
apparently surpasses even hardening guides like
https://www.ssh-audit.com/hardening_guides.html#rhel7 ... ?

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
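The "nonstandard port plus NAT redirect plus cheat sheet" scheme from point 3 of the reply above, written out as an added example; this is not code from the thread or from any of the participants. It assumes the real sshd port is 2222 (hypothetical), that the host runs iptables with the `nat` table and the `conntrack` match available, and that rules are loaded with `iptables-restore`. The `firewall_up` function is the "monitoring" half of the advice: it reads `iptables-save` output and reports the firewall as down unless both the port-22 redirect and the INPUT DROP policy are present, which is exactly the state in which admins must fall back to the cheat-sheet port.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed real sshd port: 2222.
REAL_PORT="${REAL_PORT:-2222}"

# sshd_config fragment: sshd itself only ever listens on the real port, so
# port 22 is only reachable while the iptables redirect below is in place.
sshd_config_fragment() {
    printf 'Port %s\n' "$1"
}

# iptables-restore ruleset. While iptables is up, connection attempts to
# port 22 are redirected to the real port; the real port is also accepted
# directly, so the cheat-sheet port works whether or not the redirect exists.
# If the rules get flushed (policy falls back to ACCEPT), port 22 simply has
# nothing listening and admins use the real port from the cheat sheet.
gen_rules() {
    port="$1"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports $port
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -j ACCEPT
COMMIT
EOF
}

# Monitoring check: read iptables-save output on stdin and return 0 only when
# both the port-22 redirect and the INPUT DROP policy are present. Anything
# else (rules flushed, policy ACCEPT, redirect missing) counts as "down".
# iptables-save inserts "-m tcp" before "--dport", so match on the tail of
# the rule rather than on the exact line emitted by gen_rules.
firewall_up() {
    port="$1"
    saved=$(cat)
    printf '%s\n' "$saved" | grep -q -- "--dport 22 -j REDIRECT --to-ports $port" || return 1
    printf '%s\n' "$saved" | grep -q '^:INPUT DROP' || return 1
    return 0
}

# Subcommands for interactive use; with no argument the script only defines
# the functions above.
case "${1:-}" in
    sshd)  sshd_config_fragment "$REAL_PORT" ;;
    rules) gen_rules "$REAL_PORT" ;;
    apply) gen_rules "$REAL_PORT" | iptables-restore ;;
    check)
        if iptables-save | firewall_up "$REAL_PORT"; then
            echo "firewall up: port 22 redirected to $REAL_PORT"
        else
            echo "firewall DOWN: reach sshd on port $REAL_PORT directly" >&2
            exit 2
        fi
        ;;
esac
```

`./ssh-port-scheme.sh rules` prints the ruleset for review, `apply` loads it (as root), and `check` is what a cron job or monitoring agent would run, exiting non-zero the moment the redirect disappears. Note that `REDIRECT` in `PREROUTING` only rewrites packets arriving from the network; connections originating on the host itself go through the `OUTPUT` chain and would need a separate rule there.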