I use a non-standard port and they apparently broke a server in an external datacenter, analyzed history, used the same ssh command with ad-hoc port number. The box was connected passwordlessly to all my important boxes and Zas!, Bitcoin miners all over the company.

On Wed, Jun 23, 2021 at 2:02 PM Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:

> On 23.06.21 18:27, Saint Michael wrote:
> > I use iptables, but all my servers have public IPs, for we do
> > telecommunications. If my firewall is down for any reason and I don't catch
> > it, they will hack me.
>
> 1. You want to start doing that thing called "monitoring".
>
> 2. If by "firewall", you mean a unit *other* than the target machines,
> from the moment it is "down", it should *NOT* allow any through traffic
> to the targets (unless necessary to let an admin remote in to fix the
> firewall problem).
>
> 3. Otherwise, i.e., all you have is the iptables on the target machines
> themselves, you IMHO want to
> -- have the sshd listen on a nonstandard port,
> -- make the iptables, *if they are up and working*, NAT connection
> attempts to port 22 to the real port, and
> -- hand a "port cheat sheet" to the admins so that *they* can remote
> into some machine to fix the iptables being "down".
>
> I shall stop here with the details, though, because if you don't know
> how you get (re)hacked, you don't know whether it's done *through SSH*
> in the first place, either (and, if so, whether it's by weak passwords,
> an authorized key hidden someplace during the first hack, etc. etc.).
>
> > But Openssh in Centos 7 is so old that it cannot communicate with
> > newer machines, they cannot agree on protocols and ciphers, etc.
>
> ... out of interest, what's your reference standard there, since it
> apparently surpasses even hardening guides like
> https://www.ssh-audit.com/hardening_guides.html#rhel7 ... ?
>
> Regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
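The setup in point 3 of the quoted reply (sshd on a non-standard port, iptables NATting port 22 to it while the rules are up), written out as an added example; this is not code from the thread or from the OpenSSH project, and the port number 2222 and the fact that iptables is the host's own packet filter are assumptions:

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: sshd's real port is 2222.
# While iptables is up, connections to port 22 are REDIRECTed to the real port;
# if iptables is ever "down", only the real port is reachable, so admins need
# the "port cheat sheet" the reply mentions.
REAL_PORT="${REAL_PORT:-2222}"

# Accept only a numeric, non-22, unprivileged-range port for the real listener.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# sshd_config drop-in: sshd itself listens only on the real port, not on 22.
sshd_dropin() {
    printf 'Port %s\n' "$REAL_PORT"
}

# iptables commands. The '-C' check makes each rule idempotent on re-runs.
# After the PREROUTING REDIRECT, the INPUT chain sees dport = REAL_PORT,
# so that is the port the filter rule must accept.
iptables_rules() {
    cat <<EOF
iptables -t nat -C PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports $REAL_PORT 2>/dev/null || iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports $REAL_PORT
iptables -C INPUT -p tcp --dport $REAL_PORT -j ACCEPT 2>/dev/null || iptables -I INPUT -p tcp --dport $REAL_PORT -j ACCEPT
EOF
}

validate_port "$REAL_PORT" || { echo "bad REAL_PORT: $REAL_PORT" >&2; exit 1; }

if [ "${1:-}" = "--apply" ]; then
    iptables_rules | sh -e          # apply on the host (needs root)
else
    echo "# sshd_config drop-in:"; sshd_dropin
    echo "# iptables commands (dry run, pass --apply to execute):"
    iptables_rules
fi
```

Without `--apply` the script only prints the sshd drop-in and the iptables commands, which is the form to hand to admins alongside the cheat sheet.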