[07:14] <ducasse> good morning
[07:16] <Bashing-om> ducasse: WB :D
[07:16] <ducasse> thanks Bashing-om - how was your session?
[07:18] <Bashing-om> ducasse: Slow session - no gold stars on the irc status board :(
[07:22] <ducasse> Bashing-om: too bad, but typical weekend
[07:28] <Bashing-om> ducasse: More and more - slow - 'buntu just getting too polished :D
[11:15] <lotuspsychje> good noon
[11:34] <lotuspsychje> 20.04 has new icons at shutdown corner https://imgur.com/a/IfiVKMo
[14:38] <pragmaticenigma> sixwheeledbeast: It might be security by obscurity, but it is now considered best practice when enabling remote ssh in a non-commercial setting. If I enable port 22, I get thousands of attempts to login into my machines. Changing the port to a different placement, I see maybe one or two attempts a year currently. So it is effective to change the port. Everything is locked down, so really this just cuts down on the noise
[14:38] <pragmaticenigma> for me when reviewing the logs.
[14:40] <sixwheeledbeast> pragmaticenigma: it's the internet, every port is scanned on a regular basis by shodan and published to the internet. You're just minimising bot traffic; it's still obscurity.
[14:42] <pragmaticenigma> sixwheeledbeast: I make regular lookups of my connection on shodan... as of right now it only shows one port open, and it is not my SSH port.
[14:43] <pragmaticenigma> Shodan only scans the lower 1000 ports to my knowledge
[14:44] <sixwheeledbeast> It has never been considered best practice. There are reasons why the first 1024 ports are used for specific applications.
[14:44] <pragmaticenigma> sixwheeledbeast: And that is fine in a commercial setting... but if a person is running something for their own purposes on their home network, there is absolutely nothing wrong with using a non-standard port
[14:44] <pragmaticenigma> Note, I have never said there is any less risk involved
[14:46] <sixwheeledbeast> It's still a pointless exercise IMO. You will be getting incoming traffic to the router on port 22 whether it's open or not; you're just not seeing the logs at the server, only at the router if logged.
[14:49] <pragmaticenigma> sixwheeledbeast: you're not telling me anything I didn't already know. I worked for an internet provider for over 3 years. I'm well aware of everything you have spoken about. My point is, for a personal setup, I recommend not using port 22 as I see no point in tempting the low hanging fruit of script kiddies out there. I'm more than aware that port 22 is constantly getting pinged on my firewall, as much as ports 80, 443,
[14:49] <pragmaticenigma> 21, 25 and many others.
[14:50] <pragmaticenigma> My goal in not using port 22 for SSH serves only to reduce the amount of time it takes me to troubleshoot an issue with my connections by not having to sift through thousands of lines of logs of failed attempts to gain entry to my systems
[14:52] <sixwheeledbeast> I still stand by my point though, it's not considered standard practice. I would sooner have the logs of IPs to either blacklist of whitelist.
[14:52] <sixwheeledbeast> well to quote "best practice"
[14:53] <sixwheeledbeast> s/of/or/
[14:54] <lotuspsychje> the whole world is constantly port scanned
[14:54] <sixwheeledbeast> Exactly
[14:55] <pragmaticenigma> already established that fact, and note... never claimed best practice at large, I associated it with non-commercial situations sixwheeledbeast
[14:56] <sixwheeledbeast> np
[14:56] <tomreyn> shodan is not limited to ports 0 to 1023, but scans an arbitrary list of ports they have chosen.
[14:57] <tomreyn> but then there are competing services, and other internet scanning projects, which produce different results.
[14:59] <sixwheeledbeast> It's on my list of common FUD I hear, like people saying that placing files/drives in / doesn't follow FHS.
[15:02] <lotuspsychje> what is?
[15:04] <sixwheeledbeast> using non-standard ports for services is a standard practice
[16:09] <lotuspsychje> !info linux-oem-osp1 eoan
[19:32] <Katnip> nappy
[23:19] <Fuseteam> Pretty sure it's beneficial to use non-standard ports, but I'm curious what the disadvantages would be
[23:20] <pragmaticenigma> Fuseteam: Non-standard ports become a problem typically in a commercial/industrial type application.
[23:21] <pragmaticenigma> If you're a business and wish to provide SFTP services to your customers, the least amount of friction would be to use the ports that are already reserved for those services, lowering the chance of mistakes in implementation
[23:22] <pragmaticenigma> For instance... You can run a web server on any port... But you would have little to no traffic if you didn't make the site available on Ports 80 and/or 443. Google and others are not going to index a site that it can't find.
[23:23] <pragmaticenigma> And the customers are going to assume the site is broken or down, because they're not going to understand what the numbers after the URL are for, and are likely to skip them
[23:26] <sixwheeledbeast> Also the first 1024 ports are privileged ports, which means your connection to them is protected by admin privileges at the server end.
[23:28] <pragmaticenigma> I've never heard them referred to as privileged ports before. And calling them protected by admin privileges isn't really correct. The first 1024 are specifically allocated, and typically the server requires a process to have specific system level permission to operate on that port.
[23:28] <daftykins> I run my OpenVPN server on a non-standard port, it's blocked on some local hotel/restaurant free wifi services :/
[23:29] <sixwheeledbeast> That's a better way of explaining it, yes.
[23:30] <Fuseteam> pragmaticenigma hmm thanks for the insight
[23:30] <sixwheeledbeast> Privileged ports is how w3 refer to them
[23:31] <sixwheeledbeast> https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
[23:31] <pragmaticenigma> ah, okay... I always thought they were called "reserved ports"
[23:32] <Fuseteam> how practical would that make running websites and webapps in containers?
[23:33] <sixwheeledbeast> I suppose they are "reserved" according to IANA and "privileged" to w3 :shrug:
[23:35] <sixwheeledbeast> There are ports below 1024 that have nothing assigned/reserved to them via IANA so that's where the difference is.
[23:36] <pragmaticenigma> Fuseteam: perfectly practical, many websites already do this today
[23:37] <Fuseteam> cool but aren't the containers usually published on non-standard ports? or would it make use of the container ip?
[23:37] <sixwheeledbeast> I suppose NAT can pick up the pieces too
[23:38] <pragmaticenigma> I think many containers are run behind a load balancer, which could take things in on the standard port and forward them to the correct resource
[23:39] <Fuseteam> ah guess that makes sense
[23:42] <pragmaticenigma> unless I made the container, I wouldn't be putting it on the open web without some sort of intermediary firewall and other infrastructure
[23:43] <pragmaticenigma> even then... firewalls are helpful