jgreco at ns.sol.net
Wed Apr 29 15:54:11 UTC 2020
On Wed, Apr 29, 2020 at 03:41:06PM +0000, Mel Beckman wrote:
> Is there any reason to have a root-enabled (or any) ssh server
> exposed to the bare Internet? Any at all? Can you name one?
> I can't. That's basically pilot error.
I think you're looking at it the wrong way. Blaming a potential victim
doesn't solve the problem.
I like to use a metric of "if everybody did this, would it be a good
If everybody                                    Good thing?
Didn't run SSHD on public Inet                  Yes
Ran SSH scanners against the rest of the Inet   No
Ran SSH scanners against their own gear and
  used it to shut down unnecessary SSH          Yes
The problem is that you're talking about the first case, but the actual
problem is the second case. If this trash is allowed to continue, there
is a point where your server will just get swamped by a growing number
of SSH probes.
Also, exposing SSH to the Internet is, for better or for worse, the way
many cloud services enable access to their cloud VM's/instances/droplets/
And, finally, yes, there are reasons to expose SSH servers to the
Internet. A well-defended SSH server can do things such as allow other
parties access to your server. I run a number of bastion SSH servers
for various purposes. You do not need to do so in an obvious manner.
That doesn't mean I'm inviting unauthorized parties to try to connect
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov