rsyslog a bad idea? Problems with ssh, openssh-server, fail2ban
#5
(11-11-2021, 05:59 PM)mob Wrote: If I understand your setup well, you need to connect your PP to your computer at home on a private network, likely behind your modem firewall. fail2ban is typically installed on servers reachable through a public IP 24/24, like webservers storing commercial information. So the risks are lower in your setting to be subject to brute-force attacks. Doesn't mean you shouldn't be concerned about security, but your threat model is different from webservers.
If you have a router firewall + one on your machines (useful if your devices are mobile), are using your sshd occasionally when your machine is on, using basic hardening (prevent root login, use key authentication + password), limit login to the private IP of the second device, apply security updates regularly, then the risks are low.
Since f2b is installed, if you have disk space it doesn't hurt to keep it.
If you are interested in system hardening you can have a look at lynis (check CISOfy on GitHub). But use workstation parameters; if I understand your setting, server mode would be a bit too much.

Thank you for this!

I do indeed only have a very basic understanding of networks and security and was not sure which access third parties might have to my phone when I use it at home via the router or outside via the cellular network.

Lynis turned out to be a great tool and surprisingly user friendly -- I will have to spend more time on it.

What I have done so far is to
  -switch to key authentication from my laptop
  -add the line ALL: ALL in the file /etc/hosts.deny and ALL: <IP.ADDR.OF.MY.LAPTOP> in /etc/hosts.allow (to exclude other clients)
  -change "LLMNR=yes" to "no" in /etc/systemd/resolved.conf (to close port 5355 which for some reason is open by default)
  -change the following entries in /etc/ssh/sshd_config like so:
       Port 55673 (or some other unusual port number instead of the standard 22)
       AddressFamily inet (to exclude IPv6 addresses)
       PermitRootLogin prohibit-password (to prevent root logins)
       PasswordAuthentication no (to prevent logins without the key on my laptop)
       UsePAM no (because some Linux book told me to)
  -install the uncomplicated firewall ufw and deny access from all machines except my laptop via "sudo ufw allow from <IP.ADDR.OF.MY.LAPTOP>"
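
A check for the sshd_config entries listed in the post above, as an added example that is not part of the original post: it resolves the global section the way sshd reads it and reports any listed setting whose effective value differs. The helper names `effective_globals` and `audit` are hypothetical, the sample file is constructed, and `Include` directives are not followed.

```python
import re

# Settings the post lists for sshd_config (port number as given there).
WANTED = {"port": "55673", "addressfamily": "inet",
          "permitrootlogin": "prohibit-password",
          "passwordauthentication": "no", "usepam": "no"}

def effective_globals(text):
    """Resolve the global section as sshd does: keywords are case-insensitive,
    the FIRST value read for a keyword wins (repeated Port lines accumulate),
    and lines after a Match line are conditional, so parsing stops there."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port" and "port" in seen:
            seen["port"] += "," + value
        else:
            seen.setdefault(key, value)
    return seen

def audit(text):
    """Return (keyword, wanted, effective) for each setting that differs."""
    got = effective_globals(text)
    return [(k, want, got.get(k, "<unset>")) for k, want in WANTED.items()
            if got.get(k, "<unset>").lower() != want]

# Constructed sample: "PasswordAuthentication no" was appended below an
# earlier "yes", so the earlier line is the one sshd uses.
SAMPLE = """\
Port 55673
AddressFamily inet
PermitRootLogin prohibit-password
passwordauthentication yes
UsePAM no
PasswordAuthentication no
Match Address 192.0.2.10
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, want, found in audit(SAMPLE):
        print(f"{key}: wanted {want!r}, effective {found!r}")
```

On a live system, `sshd -T` run as root prints the configuration sshd actually resolved, including any included files.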


Messages In This Thread
RE: rsyslog a bad idea? Problems with ssh, openssh-server, fail2ban - by Anna - 11-12-2021, 12:32 AM
