Comment by throwaway81523
1 day ago
Yeah, I get almost no login attempts on ports other than 22. Should I even care about attempts on 22, though? They bounce off, and fail2ban blocks the IP after a while.
I sometimes think of putting my private servers on completely random IP addresses drawn from /64 IPv6 ranges. It should be near-impossible to find those by address scanning, unless I'm overlooking something dumb. Am I? It wouldn't surprise me.
An arbitrary IPv6 address is indeed not practical to find by scanning. However, unless you're willing to type in that 128-bit value each time you need it (which maybe you are), you'll advertise this address somehow, and if you do that, your advertisements can be read by others.
For example, suppose you put my-private-server.vanity-domain.example in DNS with an AAAA pointing to your private server. "Passive DNS" services mean big DNS providers will sell the answers they saw when anybody (say, yourself, on somebody else's computer) asks "AAAA? my-private-server.vanity-domain.example". They don't reveal who asked, so this isn't personal information, but they do reveal what the question was and its answer.
A long time ago we used this to build target portfolios: if we're going to sell your company our product X, this is a way we can see that you already have products A, B and C but not D, E or F, so we look a bit smarter coming into the sale.
Couldn't you just make my-private-server.vanity-domain.example a manual /etc/hosts entry to prevent advertising it?
You could. You'd only have the ability to log in from your own machine, though. Whether that compromise works is very much dependent on your situation.
Just as easily, you could set the Host in your ssh config. Then you don't have to deal with DNS.
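The local-only naming the replies above describe, as an added example that is not code from anyone in this thread: a POSIX shell script that draws a random interface identifier inside a /64, then prints the /etc/hosts line and the ssh_config Host stanza that point at it, so the name never has to appear as an AAAA record. The prefix 2001:db8:abcd:1234 (documentation range), the host name, the alias and the user are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Picks a random 64-bit interface
# identifier (IID) for a /64 and renders the two local-only ways of naming
# the resulting address: an /etc/hosts line and an ssh_config Host stanza.

# Four random 16-bit groups, colon separated, from /dev/urandom.
# Word splitting of od's output into four printf arguments is intended.
random_iid() {
    printf '%04x:%04x:%04x:%04x' $(od -An -N8 -tu2 /dev/urandom)
}

# Join a /64 prefix written as four groups (no trailing ::) with an IID.
make_address() {
    printf '%s:%s' "$1" "$2"
}

# True when ADDRESS is a full-form IPv6 literal: eight hex groups, no "::".
valid_address() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{1,4}:){7}[0-9a-f]{1,4}$'
}

# /etc/hosts line: ADDRESS NAME
hosts_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# ssh_config stanza: ALIAS ADDRESS USER
ssh_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n    Port 22\n' "$1" "$2" "$3"
}

# Stand-alone demo with placeholder values (documentation prefix 2001:db8::/32).
demo() {
    prefix='2001:db8:abcd:1234'
    addr=$(make_address "$prefix" "$(random_iid)")
    valid_address "$addr" || { echo "bad address: $addr" >&2; return 1; }
    echo '# /etc/hosts'
    hosts_line "$addr" my-private-server.vanity-domain.example
    echo '# ~/.ssh/config'
    ssh_stanza private-box "$addr" alice
}

demo
```

The script only chooses and names the address; the same literal still has to be configured on the server's interface, and ssh reaches it by the literal in HostName, so nothing is resolved through DNS. Re-running it gives a different IID each time, so keep the generated hosts line and stanza rather than the script's output in your head.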
For a real-world example: I use IPv6-only SSH + public DNS, and my fail2ban has 2 fails over an uptime of 285 days.