On Wed, Apr 29, 2020 at 03:41:06PM +0000, Mel Beckman wrote:
Joe,
Is there any reason to have a root-enabled (or any) ssh server exposed to the bare Internet? Any at all? Can you name one? I can't. That's basically pilot error.

Mel, I think you're looking at it the wrong way. Blaming a potential victim doesn't solve the problem.

I like to use a metric of "if everybody did this, would it be a good thing" often.

If everybody                                          Good thing?
----------------------------------------------------  -----------
Didn't run SSHD on public Inet                        Yes
Ran SSH scanners against the rest of the Inet         No
Ran SSH scanners against their own gear and
  used it to shut down unnecessary SSH                Yes

The problem is that you're talking about the first case, but the actual problem is the second case. If this trash is allowed to continue, there is a point where your server will just get swamped by a growing number of SSH probes.

Also, exposing SSH to the Internet is, for better or for worse, the way many cloud services enable access to their cloud VM's/instances/droplets/whatever.

And, finally, yes, there are reasons to expose SSH servers to the Internet. A well-defended SSH server can do things such as allow other parties access to your server. I run a number of bastion SSH servers for various purposes. You do not need to do so in an obvious manner. That doesn't mean I'm inviting unauthorized parties to try to connect to them.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov