Port 22

Ec3G
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 26, 2017 1:05 pm

Port 22

Post by Ec3G » Wed Jul 26, 2017 1:07 pm

Hello,

When I connect to my vpn server (openvpn access server) and I do an IoT Shodan scan, port 22 is open. Is this normal?

novaflash
OpenVPN Expert
Posts: 441
Joined: Fri Apr 13, 2012 8:43 pm

Re: Port 22

Post by novaflash » Wed Jul 26, 2017 2:12 pm

Port 22 TCP is the default SSH port. It's normal that this is open. If you don't want it, then disable the SSH service. Please note that this makes it impossible to log on to the server via SSH/PuTTY then, so be sure you have access to the console if you need access to the server without SSH!

Ec3G
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 26, 2017 1:05 pm

Re: Port 22

Post by Ec3G » Wed Jul 26, 2017 2:14 pm

Thank you for your answer

gotoplus
OpenVpn Newbie
Posts: 1
Joined: Tue Oct 17, 2017 12:22 am

Re: Port 22

Post by gotoplus » Tue Oct 17, 2017 12:29 am

Can I expand this question? I want to be able to use SSH but secure it in the firewall. I have been trying unsuccessfully to either move SSH to another port or use IPTables to secure port 22; on all my servers I have IPTables set up to only allow SSH from certain IP addresses.
I get thousands of brute force attempts on my VPN server, so leaving port 22 open is just plain risky, but OpenVPN seems to control the IPTables and doesn't allow me to secure port 22.

novaflash
OpenVPN Expert
Posts: 441
Joined: Fri Apr 13, 2012 8:43 pm

Re: Port 22

Post by novaflash » Tue Oct 17, 2017 7:08 am

Here are my personal recommendations that just so happen to make a hell of a lot of sense.

Set up key based authentication instead of only password based authentication.
Deny access for the root account, but log on with a secondary account that you can use to sudo up (gain root privileges).
Install fail2ban. This monitors repeated bruteforce attempts and blocks them automatically.
Run your systems behind a real firewall. Block it there if you want to.
Changing port is security through obscurity and doesn't really help much if at all.

luckman212
OpenVPN User
Posts: 28
Joined: Fri Jun 10, 2011 12:03 am

Re: Port 22

Post by luckman212 » Thu Oct 19, 2017 4:15 pm

Is it enough to simply install fail2ban using

yum install fail2ban
or is there some additional configuration that has to be done? I assume ssh would be covered but not necessarily bruteforce attacks on the OpenVPN AS webserver??

novaflash
OpenVPN Expert
Posts: 441
Joined: Fri Apr 13, 2012 8:43 pm

Re: Port 22

Post by novaflash » Thu Oct 19, 2017 4:37 pm

SSH is usually automatically preconfigured, yes, in fail2ban. The Access Server web services have lock out protection built in already. Except for the 'openvpn' user, but you should disable that after initial installation and replace it with a standard admin user. I refer you to these pages:

https://docs.openvpn.net/getting-starte ... tallation/
https://docs.openvpn.net/command-line/a ... out_policy

luckman212
OpenVPN User
Posts: 28
Joined: Fri Jun 10, 2011 12:03 am

Re: Port 22

Post by luckman212 » Thu Oct 19, 2017 5:42 pm

Ok thank you. I disabled the 'openvpn' user, thanks for that tip. I've installed fail2ban but in my initial testing (simulating repeated bad login via ssh) it's not banning anything. Have to dig into that a bit more.

luckman212
OpenVPN User
Posts: 28
Joined: Fri Jun 10, 2011 12:03 am

Re: Port 22

Post by luckman212 » Thu Oct 19, 2017 6:27 pm

Got it, had to do some reading up on fail2ban config. By default it does nothing.
Most useful guide I found was this one:
https://www.linode.com/docs/security/us ... r-security

Now 100% working!
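What the sshd jail luckman212 had to enable actually does, as an added example that is not part of the thread: a small re-implementation of fail2ban's maxretry/findtime sliding window run over constructed sshd log lines (the hostname, PIDs and the RFC 5737 addresses are made up for the demo; the real fail2ban reads the same "Failed password" lines from the auth log).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern modelled on the sshd "Failed password" line fail2ban's sshd filter matches.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log lines: 203.0.113.7 hammers the server;
# 198.51.100.9 logs in with a key, mistypes once, and must NOT be banned.
SAMPLE_LOG = """\
Oct 19 17:00:01 vpn sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Oct 19 17:00:03 vpn sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Oct 19 17:00:05 vpn sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Oct 19 17:00:06 vpn sshd[2207]: Accepted publickey for ops from 198.51.100.9 port 40000 ssh2
Oct 19 17:00:09 vpn sshd[2209]: Failed password for ops from 198.51.100.9 port 40002 ssh2
Oct 19 17:00:12 vpn sshd[2211]: Failed password for root from 203.0.113.7 port 50128 ssh2
Oct 19 17:00:15 vpn sshd[2213]: Failed password for root from 203.0.113.7 port 50130 ssh2
Oct 19 17:00:20 vpn sshd[2215]: Failed password for root from 203.0.113.7 port 50132 ssh2
"""

def parse_ts(text, year=2017):
    # syslog timestamps carry no year; an assumed year keeps the arithmetic simple
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_bans(log, maxretry=5, findtime=600):
    """Return {ip: ban_time} for sources reaching maxretry failures inside any
    findtime-second window, i.e. the jail.local semantics of fail2ban."""
    window = defaultdict(deque)   # ip -> recent failure timestamps
    banned = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise are ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue              # already in the jail, nothing more to count
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts       # fail2ban would now add the iptables DROP rule
    return banned
```

Running it with the defaults bans 203.0.113.7 on its fifth failure at 17:00:15 and never touches 198.51.100.9; the same log with a too-short findtime produces no ban, which is why the jail settings, not just the install, decide whether anything happens.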

novaflash
OpenVPN Expert
Posts: 441
Joined: Fri Apr 13, 2012 8:43 pm

Re: Port 22

Post by novaflash » Thu Oct 19, 2017 6:59 pm

Hm okay. I remember installing it on Ubuntu a long time ago and it had some default configs... but I may have been mistaken. In any case, glad to hear you got it working now.
