Hello,
On Mon, Apr 15, 2024 at 09:58:03PM +0100, Andy Bennett via BitFolk Users wrote:
> It would be similar-but-different to the inconvenience of running sshd on a
> weird port (which I do for my machine, but is generally unacceptable for a
> public service for lots of reasons too numerous to include here).
It's also not very effective any more. For more than 10 years I have
run SSH on a different port, and it still gets found almost
immediately. People just routinely scan all ports and look for SSH
banners. The volume of spam connections is less but it's not hugely
less.
> Do you know how available different options such as VPNs, etc are from
> behind common firewall and NAT configurations?
I don't know, but I don't want to spend time on thinking about VPNs
for customer use because I just don't think the people can agree on
VPN software to install and bother to use.
People use VPNs. I use VPNs. But would even I install a VPN product
that wasn't my chosen one? Probably not.
> Do you have a feel for whether people in general are starting to think that
> ssh is not suitable for direct exposure to the Internet? If this feeling is
> mounting then it's probably best to follow suit.
It has always been best practice to put SSH behind a VPN or at least
some bastion jump host, for this exact reason. But in situations
where the user base is potentially "everyone from everywhere",
companies (like GitHub) don't do that for obvious reasons.
Maybe this is still one of those situations.
> Do you have some more detail about the threat model you're trying to protect
> against?
As said, a zero-day in SSH, which is one of the few services that is
network exposed on the hypervisors.
> (Just an idea for discussion; not really fully formed yet)
>
> Depending on the threat model, perhaps it's enough to provide an ssh
> endpoint that simply leads to a shell or environment that only allows a
> further ssh into the regular Xen Shells?
Yes, as a half measure we could go to a bastion host arrangement.
You can push the ssh agent through that so keys would still work for
a seamless single connection, although that is slightly more risky
of course.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
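As an added illustration of the bastion arrangement discussed above (this is constructed example configuration, not anything from BitFolk or from the thread), the fragment below shows a client `~/.ssh/config` that reaches a Xen shell host via the bastion with `ProxyJump`, and a bastion `sshd_config` block that gives jump users nothing but a TCP forward to that one host. `ProxyJump` makes the client run a second SSH session over a forwarded channel, so the private key and agent stay on the workstation and the agent forwarding risk mentioned in the reply is avoided. The hostnames `bastion.example` and `xenshell.example`, the users `jumpuser` and `customer`, and the group `jump` are placeholders.

```sshconfig
# --- Client side: ~/.ssh/config (constructed example) ---
# First hop: the bastion. No agent forwarding; the key never leaves this host.
Host bastion.example
    HostName bastion.example
    User jumpuser
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no

# Second hop: the Xen shell host, reached through the bastion with ProxyJump.
# "ssh xenshell.example" transparently does both hops in one command.
Host xenshell.example
    HostName xenshell.example
    User customer
    ProxyJump bastion.example
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no

# --- Bastion side: fragment of /etc/ssh/sshd_config (constructed example) ---
# Members of the placeholder group "jump" get no shell, no PTY, no agent or
# X11 forwarding and no tunnels; the only thing they can do is open a TCP
# forward to the Xen shell host on port 22, which is exactly what ProxyJump
# needs. Their login shell should also be set to /usr/sbin/nologin.
Match Group jump
    AllowTcpForwarding yes
    PermitOpen xenshell.example:22
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

After editing the bastion's config, `sshd -t -f /etc/ssh/sshd_config` checks it for syntax errors before a restart, and on the client `ssh -G xenshell.example` prints the fully resolved options so you can confirm that `proxyjump` and `forwardagent no` are applied to the right host.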