Ban IPs from SSH

Hi all together!

Now I’m having my HA exposed to the internet with SSL encryption for HTTP traffic. Since port 22 is also exposed to the internet I notice a lot of attempts to connect / log in via SSH. The SSH access is only possible with certificates (SSH-2 RSA).

I’m getting log entries like this:
Unable to negotiate with xxx.xxx.165.50 port xxx: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

So I’m wondering if there’s a way to ban IPs depending on multiple unsuccessful connection / login attempts. Best way would be to check two things:

  1. Check authentication method - if this fails, ban the IP immediately
  2. If authentication method would be key exchange: Check key exchange method - if this fails, ban the IP immediately
  3. If the key exchange method would be matching, ban the IP after X unsuccessful attempts (no valid key provided)

I just found a service called fail2ban, but I’m not sure if this would work as expected. I tried following this guide (Banning IPs from Home Assistant and SSH) but as far as I know I can’t install things with apt-get. I also couldn’t find an add-on for hassOS (I’m using hassOS on a RPi 4).

So:

Is there a way to ban IPs depending on unsuccessful SSH connection / login attempts?
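The three-tier policy sketched above (ban immediately on a key exchange mismatch, otherwise count failed pre-auth connections and ban after X of them) as a small log scanner; this is an added example, not code from the post or from fail2ban. The log lines are constructed for the example and modelled on OpenSSH sshd messages (the first one is the format quoted above); the IPs are from the reserved documentation ranges.

```python
import re
from collections import Counter

# The line quoted in the post: the client only offered key exchange methods the server refuses.
KEX_MISMATCH = re.compile(r"Unable to negotiate with (\S+) port \d+: no matching key exchange method")
# One line per failed connection that got past key exchange but never authenticated,
# so counting these lines counts failed attempts exactly once each.
AUTH_FAIL = re.compile(r"Connection closed by (?:authenticating|invalid) user \S+ (\S+) port \d+ \[preauth\]")


def classify(line):
    """Return (ip, kind) for a line the policy cares about, or None for anything else."""
    m = KEX_MISMATCH.search(line)
    if m:
        return m.group(1), "kex-mismatch"
    m = AUTH_FAIL.search(line)
    if m:
        return m.group(1), "auth-fail"
    return None


def ban_decisions(lines, max_failures=3):
    """Map each IP that should be banned to the reason, applying the post's tiers."""
    failures = Counter()
    banned = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, kind = hit
        if ip in banned:
            continue  # already decided; later lines from this IP change nothing
        if kind == "kex-mismatch":
            banned[ip] = "no matching key exchange method"  # tier 2: ban at once
        else:
            failures[ip] += 1  # tier 3: key exchange matched, count failed auths
            if failures[ip] >= max_failures:
                banned[ip] = f"{failures[ip]} failed authentication attempts"
    return banned


# Constructed sample log (hypothetical host name "ha", syslog-style prefix).
SAMPLE_LOG = """\
Mar  1 12:00:01 ha sshd[1201]: Unable to negotiate with 203.0.113.10 port 41122: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Mar  1 12:00:05 ha sshd[1202]: Connection closed by invalid user admin 198.51.100.7 port 50210 [preauth]
Mar  1 12:00:09 ha sshd[1203]: Connection closed by authenticating user root 198.51.100.7 port 50211 [preauth]
Mar  1 12:00:13 ha sshd[1204]: Connection closed by authenticating user pi 198.51.100.7 port 50212 [preauth]
Mar  1 12:00:20 ha sshd[1205]: Connection closed by authenticating user pi 192.0.2.44 port 60001 [preauth]
Mar  1 12:00:30 ha sshd[1206]: Accepted publickey for pi from 192.0.2.44 port 60002 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
""".splitlines()

if __name__ == "__main__":
    for ip, reason in ban_decisions(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

Only the decision is shown here; actually blocking the address still needs a firewall the scanner can drive, which is the part the thread leaves open for hassOS.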

You will end up banning hundreds of thousands of IPs then.
A better solution with this setup is to restrict all and then open for the ones that are allowed, but even that can be hard.
The best solution would be to set up VPN instead.

Thank you for your reply. I’m actually working on setting up a VPN, but until I’ll have finished this, I’d like to secure my instance a bit more.
Actually it’s not too problematic to have banned a lot of IPs, I could also un-ban them after a specific time.
I can’t use the restricting option because my devices don’t have static IPs when I’m not at home and therefore in different networks.

So you say it’s not really going to work to ban them? I mean I’m sure it’s very improbable that the certificate is going to be “hacked” but never say never…

If you have ports open on the internet, then they will be scanned.
The scanners will be both people who try to map services on the internet, scientists looking at open ports on the internet and hackers checking for open ports with security holes.

Typically the scan will only be once from an IP, because either the scanner has the information they need, like what service it is and what program is used to provide it, or it will be a brute force attempt to get in, but the hackers then nearly always deploy a distributed attack vector, so alarms will not be triggered.

Besides that, the scanner IPs will quickly be a very long list and very long lists take a lot of time to run through, so your VPN connections will be slow or even reach timeout.

Your confidence in the certificate is also a bit misplaced.
The certificate might be fine, but it’s the process where the certificate is used you have to worry about.
A wrongly placed dot or a typo can open a crack that hackers might be able to use to circumvent the certificate altogether.


Pretty good point!

I actually thought about the certificate itself which is hard to break. But again: Good point!

I’ll be really happy when my VPN is set up completely so I don’t have to worry about those issues anymore.

Thanks so far!

A further question: When I’m using my HA in a private network without accessibility from the internet but only from within my private network (via VPN tunnel into my private network):

  1. Does it make sense to SSL-encrypt the HTTP-connection to my private HA instance?
  2. Is this even possible with Let’s Encrypt since I don’t run the HA on a valid domain anymore (but only with a private IP address then)?

Then I wouldn’t worry that much. You could also avoid using port 22 to move your service away from the bulk of scanners. You can use any port up to 65535, so pick something random and high (say, 42974).

If you’re not exposing it to the Internet then I wouldn’t bother, personally. You then get into the game of having to securely manage a CA and have that trusted by all your devices. Those aren’t hard, but the first particularly is harder than most hobbyists manage - and if your CA isn’t secure then any benefits are mostly smoke and mirrors.

  1. I would say maybe. Penetrations can and often do happen in other ways, like with phishing or even spear phishing, where you raise the quality of the phishing with social engineering.
    Once they are in they can tap unencrypted traffic for further access, but I would say that often when they get in through phishing, then they already will have all-level access.

  2. A certificate is still possible.
    Let’s Encrypt certificates are domain validated, which means you prove that you own the domain.
    Once ownership is proven you will have access to a certificate for that domain.
    You can then add hosts, generate the certificate and install it on devices and servers. The only requirement is that the servers and devices use a host in the certificate and the domain name for that too.

I’m actually not sure if I understand that right.

My RPi is running in my private LAN just behind a router (with integrated firewall and so on, it’s a FritzBox). Currently I’m using DDNS to route a request to ha.mypublicdomain.tld to my dynamically changing ISP-assigned IPv4 address. Until here I can follow: I’m the owner of that domain.
But using Let’s Encrypt on my RPi with no port forwarding anymore (so, in contrast to the current setup, closing ports 80 and 443, which are currently forwarded to my HA, in my router) would prevent renewing my certificate with the Let’s Encrypt add-on, wouldn’t it, because my HA isn’t accessible from the internet anymore?

LE supports DNS-01 validation - no ports required.

Of course, you’d need your LAN’s DNS server to return the LAN IP for ha.example.org

The Let’s Encrypt add-on runs its own HTTP server, which uses another port, and the service is only running for the time it takes to get approved.
I do not know which service the add-on uses as HTTP server, but if it’s a locked-down service with no advanced features, then it can be pretty secure while it is running.

The DNS-01 validation is the best solution though, but you might have to change DNS provider to get a scriptable DNS setup. I have switched to Cloudflare, which is free if I only use DNS.

Thank you both, that helped me a lot!