Port 22
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Port 22
Port 22 TCP is the default SSH port. It's normal that this is open. If you don't want it, then disable the SSH service. Please note that this makes it impossible to log on to the server via SSH/PuTTY then, so be sure you have access to the console if you need access to the server without SSH!
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jul 26, 2017 1:05 pm
Re: Port 22
Thank you for your answer
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Oct 17, 2017 12:22 am
Re: Port 22
Can I expand this question? I want to be able to use SSH but secure it in the firewall. I have been trying unsuccessfully to either move SSH to another port or use IPTables to secure port 22. On all my servers I have IPTables set up to only allow SSH from certain IP addresses.
I get thousands of brute force attempts on my VPN server so leaving port 22 open is just plain risky but OpenVPN seems to control the IPTables and doesn't allow me to secure port 22.
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Port 22
Here are my personal recommendations that just so happen to make a hell of a lot of sense.
Set up key based authentication instead of only password based authentication.
Deny access for the root account, but log on with a secondary account that you can use to sudo up (gain root privileges).
Install fail2ban. This monitors repeated bruteforce attempts and blocks them automatically.
Run your systems behind a real firewall. Block it there if you want to.
Changing port is security through obscurity and doesn't really help much if at all.
-
- OpenVPN User
- Posts: 46
- Joined: Fri Jun 10, 2011 12:03 am
Re: Port 22
Is it enough to simply install fail2ban using
    yum install fail2ban
or is there some additional configuration that has to be done? I assume ssh would be covered but not necessarily bruteforce attacks on the OpenVPN AS webserver??
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Port 22
SSH is usually automatically preconfigured, yes, in fail2ban. The Access Server web services have lock out protection built in already. Except for the 'openvpn' user, but you should disable that after initial installation and replace it with a standard admin user. I refer you to these pages;
https://docs.openvpn.net/getting-starte ... tallation/
https://docs.openvpn.net/command-line/a ... out_policy
-
- OpenVPN User
- Posts: 46
- Joined: Fri Jun 10, 2011 12:03 am
Re: Port 22
Ok thank you. I disabled the 'openvpn' user, thanks for that tip. I've installed fail2ban but in my initial testing (simulating repeated bad login via ssh) it's not banning anything. Have to dig into that a bit more.
-
- OpenVPN User
- Posts: 46
- Joined: Fri Jun 10, 2011 12:03 am
Re: Port 22
Got it, had to do some reading up on fail2ban config. By default it does nothing.
Most useful guide I found was this one:
https://www.linode.com/docs/security/us ... r-security
Now 100% working!
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Port 22
Hm okay. I remember installing it on Ubuntu a long time ago and it had some default configs... but I may have been mistaken. In any case, glad to hear you got it working now.
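The fail2ban step discussed in this thread, as an added example that is not part of the original posts: a minimal local override file that enables the SSH jail, which upstream fail2ban ships disabled. The file path is the standard override location; the ban thresholds and the 203.0.113.10 admin address are illustrative assumptions to adjust for your own host.

```ini
# /etc/fail2ban/jail.local
# Added example: local overrides go here so that jail.conf stays untouched
# across package updates. All values are assumptions, not from the thread.

[DEFAULT]
# Sources that are never banned. 203.0.113.10 is a placeholder for the
# address you administer the server from, so a typo cannot lock you out.
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

# Ban an address for this many seconds ...
bantime = 3600

# ... once it has failed maxretry times within findtime seconds.
findtime = 600
maxretry = 5

[sshd]
# Jails are disabled in the upstream jail.conf defaults; without this line
# fail2ban runs but watches nothing.
enabled = true

# "ssh" resolves to 22 via /etc/services. If sshd listens elsewhere, list
# that port here, otherwise the ban rule is applied to the wrong port.
port = ssh
```

After restarting the fail2ban service, `fail2ban-client status sshd` shows whether the jail is active and which addresses are currently banned.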