this post was submitted on 30 Sep 2024
144 points (100.0% liked)

Self Hosted - Self-hosting your services.

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

I accidentally attempted to SSH into one of my servers from a device that did not contain my SSH key. I configure all of my servers to only allow authentication via cryptographic keys. Root SSH as well as password auth are disabled.

To my surprise, I was able to log in to my server with a password despite this. Baffled, I first tried some other servers. 2 of the 5 other servers I tried were accessible via password.

After some swift investigation the culprit was found: a cloud-init SSH config in sshd_config.d/ with one line: PasswordAuthentication yes.

So, TL;DR PSA: if you run a server in any type of virtualized environment, including a VPS, check your /etc/ssh/sshd_config.d/ folder. And more broadly, actually thoroughly test your SSH access to confirm everything is working as you intend it to.

top 12 comments
[–] friend_of_satan@lemmy.world 46 points 9 months ago

Show your effective sshd server config: sudo sshd -T
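
Why a drop-in can silently undo the hardening in the main file, and why "sshd -T" is the right check: on Debian/Ubuntu cloud images the Include of sshd_config.d/*.conf sits at the top of sshd_config, and for keywords like PasswordAuthentication OpenSSH uses the first value it obtains, so whatever the drop-in says wins over the "PasswordAuthentication no" written further down. The script below is an added example, not code from the post or from OpenSSH or cloud-init: it builds a constructed scratch copy of such a layout (the file name 50-cloud-init.conf matches what cloud-init writes on Ubuntu images; the contents here are constructed), resolves keywords the way sshd does (Include expansion, first value wins, compiled-in default otherwise) and shows a remediation drop-in taking effect. It does not model Match blocks, so on a real host "sudo sshd -T" (or "sshd -T -C user=...,addr=..." to evaluate a Match) remains the authoritative answer.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve the value sshd will actually
# use for a keyword by reading the config the way OpenSSH does. Include lines are
# expanded in place (glob, sorted order) and for keywords like
# PasswordAuthentication the FIRST value obtained wins; an unset keyword falls
# back to the compiled-in default. Match blocks are not modelled here, so on a
# real host "sudo sshd -T" stays authoritative.
set -eu

# Print "keyword value" pairs, keyword lower-cased, in the order sshd reads them.
flatten_sshd_config() {
    cfg="$1"
    [ -f "$cfg" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments
        set -f; set -- $line; set +f     # split on whitespace, no globbing yet
        [ $# -gt 0 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$key" = include ]; then
            for pattern in "$@"; do
                for inc in $pattern; do  # unquoted on purpose: glob, sorted order
                    flatten_sshd_config "$inc"
                done
            done
        else
            printf '%s %s\n' "$key" "$*"
        fi
    done < "$cfg"
}

# Resolve one keyword: first obtained value wins, else the OpenSSH default.
effective_sshd_option() {   # usage: effective_sshd_option <sshd_config> <keyword>
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    found=$(flatten_sshd_config "$1" | awk -v k="$want" '$1 == k { print $2; exit }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    case "$want" in   # defaults from sshd_config(5) for the keywords that matter here
        passwordauthentication|pubkeyauthentication|kbdinteractiveauthentication) echo yes ;;
        permitrootlogin) echo prohibit-password ;;
        *) echo '(not set, default not modelled)' ;;
    esac
}

# Constructed scratch tree mimicking a Debian/Ubuntu cloud image: the Include is
# the first line, so drop-ins are read BEFORE the hardening lines below it.
build_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/etc/ssh/sshd_config.d"
    cat > "$base/etc/ssh/sshd_config" <<EOF
Include $base/etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    # The cloud-init drop-in from the post (constructed contents)
    printf 'PasswordAuthentication yes\n' > "$base/etc/ssh/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$base"
}

# Remediation: a drop-in that sorts before cloud-init's file is read first and
# therefore wins. Editing or removing 50-cloud-init.conf works as well, but then
# also check the cloud-init config (ssh_pwauth) so it is not written back.
harden_demo_tree() {   # usage: harden_demo_tree <scratch base>
    printf 'PasswordAuthentication no\n' > "$1/etc/ssh/sshd_config.d/00-no-passwords.conf"
}

demo() {
    base=$(build_demo_tree)
    cfg="$base/etc/ssh/sshd_config"
    for k in PasswordAuthentication PermitRootLogin KbdInteractiveAuthentication; do
        printf 'before: %-28s %s\n' "$k" "$(effective_sshd_option "$cfg" "$k")"
    done
    harden_demo_tree "$base"
    printf 'after:  %-28s %s\n' PasswordAuthentication "$(effective_sshd_option "$cfg" PasswordAuthentication)"
    rm -rf "$base"
}
demo

# On a real host, compare with the authoritative answer (sshd -T prints keywords
# in lower case) and look for stray drop-ins:
#   sudo sshd -T | grep -E '^(passwordauthentication|permitrootlogin|pubkeyauthentication) '
#   grep -ri passwordauthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/
```

Run against the scratch tree, the "before" value of PasswordAuthentication is yes even though the main file says no, which is exactly the surprise described in the post; after the 00- drop-in is added it resolves to no. Note that a commented-out "#PasswordAuthentication yes" in the main file is not a setting at all, so the compiled-in default (yes) applies unless something else sets it.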

[–] henfredemars@infosec.pub 20 points 9 months ago* (last edited 9 months ago)

This is good advice in general. Think of it like penetration testing. You really should verify what you can actually access remotely on a device and not assume you have any level of protection until you’ve tried it.

Log files can also contain signs of attack like password guessing. You should review these on a regular basis.

[–] MNByChoice@midwest.social 12 points 9 months ago

Good advice. One should always test, for correctness, not just infer.

[–] TankieTanuki@hexbear.net 9 points 9 months ago (1 children)

/etc/ssh/ssh.d/

You mean /etc/ssh/sshd_config.d?

[–] brownmustardminion@lemmy.ml 5 points 9 months ago (1 children)
[–] TankieTanuki@hexbear.net 4 points 9 months ago* (last edited 9 months ago) (1 children)

You forgot the d!

sshd_config

[–] brownmustardminion@lemmy.ml 5 points 9 months ago* (last edited 9 months ago) (1 children)

picard_facepalm.png. Can you tell I just Tab through the terminal?

[–] pe1uca@lemmy.pe1uca.dev 8 points 9 months ago

I could even go further into saying: always test every change you make, do not assume the change has been made because you updated a file.

[–] Boris_NotTooBadinoff@lemmy.world 4 points 9 months ago* (last edited 9 months ago)

Had a similar issue with tlp recently. I just happened to notice the laptop battery was at 100%, and it said it was charging. I double- and triple-checked the config file, but tlp-stat -b still showed the thresholds at 90%-100%.

Turns out tlp, at some point, started ignoring /etc/tlp.conf, and was pointing to /etc/default/tlp

[–] arrakark@10291998.xyz 1 points 8 months ago

Yeah that sounds pretty bad. Is there a quick way to disable ssh keys to test?
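
The question above has a client-side answer: ssh can be told to skip keys without touching them. The following is an added example, not code from the thread or from OpenSSH. The ssh invocation in the comment disables public-key authentication and offers only password/keyboard-interactive; BatchMode=yes suppresses any prompt, so the attempt fails immediately, but the server's advertised methods are still visible in the debug output and in the final "Permission denied (...)" line, which the two shell functions parse. The sample output lines embedded below are constructed to match OpenSSH's wording, not captured from a real host, and user@203.0.113.10 is a placeholder.

```shell
#!/bin/sh
# Added example: probe from the CLIENT which authentication methods a server
# offers, with no key and no interactive password prompt.
#
#   ssh -v -o BatchMode=yes -o PubkeyAuthentication=no -o IdentitiesOnly=yes \
#       -o PreferredAuthentications=password,keyboard-interactive \
#       user@host 2>&1 | offered_auth_methods
#
# A hardened server prints "publickey" only; one with the cloud-init drop-in
# from the post prints "publickey,password".
set -eu

# Read ssh -v output on stdin, print the comma-separated methods the server advertises.
offered_auth_methods() {
    sed -n \
        -e 's/^debug1: Authentications that can continue: //p' \
        -e 's/^.*Permission denied (\(.*\))\.$/\1/p' \
        | head -n 1
}

# Exit 0 if the named method is offered, 1 otherwise.
server_offers() {   # usage: ssh -v ... 2>&1 | server_offers password
    methods=$(offered_auth_methods)
    case ",$methods," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample output (wording as printed by OpenSSH, host is a placeholder).
SAMPLE_OPEN='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
user@203.0.113.10: Permission denied (publickey,password).'
SAMPLE_LOCKED='debug1: Authentications that can continue: publickey
user@203.0.113.10: Permission denied (publickey).'

for sample in "$SAMPLE_OPEN" "$SAMPLE_LOCKED"; do
    if printf '%s\n' "$sample" | server_offers password; then
        echo "WEAK: password auth offered ($(printf '%s\n' "$sample" | offered_auth_methods))"
    else
        echo "ok: password auth not offered ($(printf '%s\n' "$sample" | offered_auth_methods))"
    fi
done
```

Pipe a real "ssh -v ... 2>&1" into server_offers from a host that has no key for the target; a non-zero exit for "password" is what you want to see. Because the check never sends a password, it is safe to run from a script against every host in an inventory.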

[–] American_Jesus@lemm.ee -4 points 9 months ago

OpenSSH right? What version?
No issues with Dropbear