Hacker News new | ask | show | jobs
by thinkMOAR 3297 days ago
Call me critical AND paranoid.. but this kind of thing should be a tool people can run locally. Not via some public service, which is probably gonna be blacklisted on plenty of RBLs.

However first and above all, SSH SHOULD NEVER LISTEN AND/OR RESPOND to non whitelisted ip addresses. NEVER, no exceptions.

Also i think it is more a promotion for the rebex site and software, not so much the ssh scan utility... based on the selected sample site, simplicity of the utility and site,

Server Identification: SSH-2.0-RebexSSH_1.0.0.0
3 comments
rnhmjoj 3297 days ago
I think it suffice to disable root login, password authentication and maybe use a non-standard port to clear the logs from scanners. What do you do if your address changes or something? I wouldn't risk locking myself out.
link
jlgaddis 3296 days ago
Meh, I've got two hosts running SSH that are accessible from anywhere. They run OpenSSH on OpenBSD and are pretty locked down (only specific ciphers, key exchange algorithms, and MACs are permitted), root login is disabled, and password authentication is disabled, among other non-default configuration options. These two hosts allow access (via SSH) to another 40 or so boxes running various flavors and versions of Linux that can't be locked down as much.

I do not worry one bit about those two hosts getting compromised as I took the time to minimize the chances of that happening.

link
thinkMOAR 3296 days ago
The fact you think that secures you, worries me, and that you share the almost exact setup you have with the world, just as much. Security is layers, and one layer is not telling the world about your setup.
link
jlgaddis 3296 days ago
Security is also not relying on obscurity to keep you safe.
link
thinkMOAR 3293 days ago
having your server ssh exposed to the world and trusting your configuration is relying on obscurity. Having strict firewalls, with only a limited amount of trusted ip addresses is anything but relying on obscurity.
link
theandrewbailey 3297 days ago
There are many cases when you don't know the IP you will be connecting from. The only way around that I know of would be a VPN, but SSH's auth and crypto strength is at least as good.
link
thinkMOAR 3293 days ago
As long as people keep doing this, i will have a job cleaning up fuck ups. :)
link