
SFTP/SSH question

brandon7861

Loose Wire
I Support WorldwideDX.com!
Nov 28, 2018
2,271
2,498
293
Not exactly radio related, but I want to use it with members here. Here's my current setup:

I have a Linux computer running Zorin OS, and up until today, I had a basic SFTP set up with just my username and password between the root directory and the rest of the world. Up until now, I have only used it for transferring files between my phone and computer. I checked my log and noticed hundreds of attempts to brute force the pw every second (thankfully none successful). I know it's common to see that, but this is unknown territory for me so I asked AI what to do and was told to eliminate the user/pw stuff and go with RSA keys only. So I did that. I can now make dedicated user folders and give that user their own RSA key and passphrase.

My question is whether or not a setup like this is secure enough to give random people access to one of these limited folders. My motivation is to have a private (non-cloud) way of sharing large or unallowed files (like cad drawings that must be zipped here).

How important is it to obscure my IP address? Seems there are already people trying it, so how much worse can it get? Do I need to run this through a VPN too? I have a static IP and so-called "unlimited" data and want to make use of it, I just want to be safe. Maybe the best thing would be a dedicated computer and not use my desktop, IDK.

Thanks!
 

I guess the "proper way" to do the rsa thing is to have the user generate their own public/private pair and send the public copy to me so I can add it to their server acct, that way only that user has access to the private key.
 
  • Like
Reactions: 19wrc333
I guess the "proper way" to do the rsa thing is to have the user generate their own public/private pair and send the public copy to me so I can add it to their server acct, that way only that user has access to the private key.
That's the better way to do it. Moving to keys only is a very smart move.

You might want to look into "fail2ban" if you haven't already. Someone attempting to log in gets so many tries and then their IP is blocked from making incoming connections for a certain amount of time. The number of tries and length of block is configured by the system admin/owner. Since you've already moved to keys only there shouldn't be a problem with users accidentally getting locked out unless someone spoofs their IP address.

If you want to be "safe" put your sftp server on a dedicated box that's not your desktop. Put that on a separate LAN segment from everything else. IE, your desktop on 192.168.1.x, the sftp server on 192.168.2.x. Firewall the hell out of that LAN segment so that only the absolutely necessary ports can go in or out. If something appears to be broken, find out what ports it needs, and at what IP addresses, and only allow those specific connections. The idea being that the server can't reach into your regular network on some arbitrary port and connect to stuff it shouldn't be connecting to. Which could happen if it was compromised.

Another thing you could do is to set up a server on one of the cloud providers that has a "free" tier. Set that up with a ssh tunnel back to your box and advertise the cloud hosted box as the publicly accessible address. The danger being that the provider may notice if there's a lot of traffic and want to start charging. But at least you're not paying for cloud storage in the meantime.

To be truly safe, you should seal the sftp server in 6 cubic feet of concrete and drop it in the Marianas Trench, but it's hard to get data off of it that way.

Now, if you want to see what can't be unseen, hit WhatIsMyIP.com to get your public address if you don't already have it. Then drop that IP in the search bar on shodan.io to see what the internet thinks is exposed.
 
  • Like
Reactions: brandon7861
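The fail2ban behaviour described in the reply above (count failures per source address inside a time window, ban the address once the count reaches a threshold, lift the ban after a while) is easy to see in a few lines. This is an added example, not fail2ban's own code and not anything posted in the thread: the log lines are constructed, the option names maxretry/findtime/bantime are borrowed from fail2ban's jail settings, and the year is assumed because syslog timestamps omit it. It matches both the "Failed password" lines a password-enabled server writes and the "[preauth]" disconnects a key-only server writes when a bot gives up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not the poster's real log).
# Both the password-failure form and the key-only "[preauth]" form are included,
# because a key-only server still logs every rejected connection attempt.
SAMPLE_LOG = """\
Nov 28 10:00:01 zorin sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Nov 28 10:00:02 zorin sshd[1203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Nov 28 10:00:03 zorin sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51041 ssh2
Nov 28 10:00:04 zorin sshd[1207]: Connection closed by invalid user test 203.0.113.5 port 51052 [preauth]
Nov 28 10:00:05 zorin sshd[1209]: Connection closed by authenticating user root 203.0.113.5 port 51063 [preauth]
Nov 28 10:00:06 zorin sshd[1211]: Failed password for invalid user pi from 203.0.113.5 port 51074 ssh2
Nov 28 10:00:30 zorin sshd[1220]: Accepted publickey for brandon from 198.51.100.7 port 40001 ssh2: RSA SHA256:AAAA
Nov 28 10:05:00 zorin sshd[1230]: Failed password for invalid user guest from 198.51.100.7 port 40010 ssh2
Nov 28 10:05:10 zorin sshd[1231]: Failed password for invalid user guest from 198.51.100.7 port 40011 ssh2
Nov 28 10:10:00 zorin sshd[1240]: Failed password for root from 192.0.2.9 port 60001 ssh2
Nov 28 10:25:00 zorin sshd[1241]: Failed password for root from 192.0.2.9 port 60002 ssh2
Nov 28 10:40:00 zorin sshd[1242]: Failed password for root from 192.0.2.9 port 60003 ssh2
Nov 28 10:55:00 zorin sshd[1243]: Failed password for root from 192.0.2.9 port 60004 ssh2
Nov 28 11:10:00 zorin sshd[1244]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

# Two shapes of sshd failure line: password rejected, and client disconnected
# before authenticating (what a key-only server logs for a password bot).
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"Connection closed by (?:authenticating|invalid) user \S+ (?P<ip>\S+) port \d+ \[preauth\]"),
]
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failures(lines, year=2018):
    """Return [(timestamp, source_ip)] for every line that records a failed attempt.
    The year is assumed: syslog-style timestamps do not carry one."""
    events = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for pat in FAIL_PATTERNS:
            f = pat.search(line)
            if f:
                events.append((ts, f["ip"]))
                break
    return events


def compute_bans(lines, maxretry=5, findtime=600, bantime=3600, year=2018):
    """Sliding-window ban logic: an IP with >= maxretry failures inside any
    findtime-second window is banned for bantime seconds.
    Returns {ip: ban_expiry_datetime} for every IP that got banned."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, ip in sorted(parse_failures(lines, year)):
        if ip in bans and ts < bans[ip]:
            continue              # already banned; the firewall would have dropped this
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, until in compute_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} until {until}")
```

On the sample, 203.0.113.5 is banned at its fifth failure (10:00:05) until 11:00:05, 198.51.100.7 never reaches the threshold, and 192.0.2.9 makes five attempts but spaced 15 minutes apart, so with a 600-second findtime no window ever holds five and it is not banned; slow, patient scanners are exactly what the findtime setting trades off against. The real fail2ban ships an sshd filter that already covers both line shapes; the practical checks after moving to key-only auth are that the jail is reading the file sshd actually writes to (auth.log on Ubuntu-derived systems, or the journal) and that `fail2ban-client status sshd` shows a non-zero "Currently banned" count.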
I did set up fail2ban. I even manually entered a couple of the incoming addresses. Definitely going to move it over to a dedicated computer soon. I have to find one first. I do know my IP, but I will go try that shodan site now. I don't think my ISP cares what I do with it. I had to upgrade to business to get the static IP. And man do I feel stupid. When they sold me 300 down and 30 up, I thought that was MB/s, no, it's Mb/s. The fastest my friend could download from me was about 3.7MB/s and I thought I was getting cheated until I did another speed test and saw the little b. I honestly think the lady said megabyte, not bit. Fast enough for me I guess.
 
A Raspberry Pi makes a nice, small, cheap dedicated system.
And people will still try to brute force passwords even if you don't use them, they just let their script run.
I posted this on a forum just yesterday. I don't have a WordPress site, yet they are trying it, and useless sites like Bing are referring people to it.
Code:
client 176.65.132.171:54584] script '/srv/www/htdocs/wp-login.php' not found or unable to stat, referer: https://www.bing.com/
 
If you've already set up fail2ban then you're ahead of most people. Which tells me you've probably already set up sftp jails to isolate your users from each other. Just thought I'd mention it anyways in case you hadn't, and for the lurkers.
 
If you've already set up fail2ban then you're ahead of most people. Which tells me you've probably already set up sftp jails to isolate your users from each other. Just thought I'd mention it anyways in case you hadn't, and for the lurkers.
Yes, I did get that set up. It started out where a user would start in their folder but could click back to root, but I fixed that and now they can only see their folder.

I was thinking about trying to set up the https site with a generic index page so I can provide download links without using the ftp side but I have not set it up yet.

Thanks!

edit: I admit though, I just did a basic setup for fail2ban and AI helped, so I am not sure it is configured right.
 
edit: I admit though, I just did a basic setup for fail2ban and AI helped, so I am not sure it is configured right.
It should be logging anything that gets the stick. I don't recall if it goes in /var/log/fail2ban.log or just gets dumped into /var/log/messages by default. Anyways, if the logs are showing script kiddie IPs being banned it's working. Everything after that is just adjusting it to your preferences.
 
  • Like
Reactions: brandon7861
I'll check those logs when I get home and see what they show. Thanks!

According to ChatGPT, as long as I use key only and have password auth off (it had me add two lines to a file for that), it says all attempts to brute force will fail. It's too bad that these attempts will keep my drive in continuous operation having to log this stuff. Glad it does though.
 
I'll check those logs when I get home and see what they show. Thanks!

According to ChatGPT, as long as I use key only and have password auth off (it had me add two lines to a file for that), it says all attempts to brute force will fail. It's too bad that these attempts will keep my drive in continuous operation having to log this stuff. Glad it does though.
It's easy to test if password auth is off. Just ssh from any machine to your machine that is hosting the openssh server without any additional parameters.
e.g.
ssh <ip.of.your.machine>

If it immediately breaks the connection with a message along the lines of "permission denied (public key)" then password authentication is disabled.
If it comes back with a prompt for a login name then password auth is still enabled.

Have had this setup for many years (decades?) on all my internet facing servers and I don't worry about brute force attacks at all. Sure I've also got additional protection similar to fail2ban on critical hosts, but also run plenty of servers without that additional layer of protection.
 
  • Like
Reactions: brandon7861
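The ssh test above checks the server from the outside; the same question can be answered from the config file, which is where the "two lines" mentioned earlier in the thread live. This is an added example, not from the thread and not OpenSSH code: it parses sshd_config text using sshd's rule that the first value seen for a keyword wins, reports whether password logins are off (both the plain PasswordAuthentication path and the keyboard-interactive/PAM path, which can still accept a password if only the first is disabled), and checks each Match block for the directives a chrooted SFTP jail of the kind described earlier in the thread needs. The config samples are constructed, and Include directives are not followed.

```python
import re

# Constructed sshd_config samples (illustrative; not the poster's real file).
WEAK_CONFIG = """\
# Stock-style config: password logins still accepted
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# A "no" appended at the bottom changes nothing: sshd keeps the FIRST value it
# reads for each keyword, so the earlier "yes" still wins.
APPENDED_CONFIG = WEAK_CONFIG + "PasswordAuthentication no\n"

HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Subsystem sftp internal-sftp

# One jailed account per person: chrooted, SFTP only, no tunnelling out of it.
Match User alice
    ChrootDirectory /srv/sftp/alice
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# A jail that stops directory browsing but still lets the user forward ports.
LEAKY_JAIL_CONFIG = HARDENED_CONFIG.split("Match")[0] + """\
Match User bob
    ChrootDirectory /srv/sftp/bob
    ForceCommand internal-sftp
"""

# What a chrooted SFTP-only account should carry (None = any value, must be present).
JAIL_DIRECTIVES = {
    "chrootdirectory": None,          # confine the user to their own tree
    "forcecommand": "internal-sftp",  # SFTP only, no shell
    "allowtcpforwarding": "no",       # no tunnelling through the jail
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Split sshd_config text into (global_settings, match_blocks).

    Keywords are case-insensitive and only the first value per keyword is kept,
    mirroring sshd's own rule. Directives after a 'Match' line belong to that
    block. Assumption/limitation of this example: 'Include' files are not read.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)                   # first value wins
    return global_settings, match_blocks


def password_auth_disabled(text):
    """True only when neither plain password auth nor the keyboard-interactive
    (PAM) path can accept a password. sshd's default for both is 'yes'."""
    g, _ = parse_sshd_config(text)
    pw = g.get("passwordauthentication", "yes").lower()
    # Newer sshd spells it KbdInteractiveAuthentication; older configs use
    # ChallengeResponseAuthentication. Either name counts.
    kbd = g.get("kbdinteractiveauthentication",
                g.get("challengeresponseauthentication", "yes")).lower()
    return pw == "no" and kbd == "no"


def sftp_jail_findings(text):
    """For each Match block, list the jail directives that are missing or set wrongly."""
    _, blocks = parse_sshd_config(text)
    findings = {}
    for criteria, settings in blocks:
        findings[criteria] = [
            k for k, want in JAIL_DIRECTIVES.items()
            if k not in settings or (want is not None and settings[k].lower() != want)
        ]
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("appended", APPENDED_CONFIG),
                      ("hardened", HARDENED_CONFIG), ("leaky jail", LEAKY_JAIL_CONFIG)]:
        print(f"{name:10s} password auth off: {password_auth_disabled(cfg)!s:5s} "
              f"jail findings: {sftp_jail_findings(cfg)}")
```

The APPENDED_CONFIG case is the one that bites people who add lines to the end of the file: the earlier "yes" is still the effective value. On Ubuntu-derived systems (Zorin OS is one) the stock sshd_config usually starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there takes precedence over anything later in the main file; the authoritative check is `sshd -T`, which prints the effective value of every keyword after all includes and matches are resolved.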
