Suggestion: in the doc, linking SSH access securing and port whitelisting

sholan

Edit:
Hello everyone,

The security page of Cloudron doc, in "Securing SSH Access", advises to relocate SSH Server to a different port (security through obscurity), to prevent bruteforce attacks. The only advised (and available port) is 202, which means the expected effect is now void, because the whole community is forced to behave the same way.

On the other end, the networking documentation page indicates how to open port on a cloudron install the clean way.

Those two pages should be linked (security => network) and the 202 restriction should be un-mentionned.

nebulon

As you indicate, obscurity is not security, we only added the default 202 option there since nearly all attacks are rather generic and Cloudron isn't popular enough to make a dent here, so just moving it to 202 is a good compromise it reduces the attempts by such bruteforce tools by a lot.

Further if someone is really targetting you, a portscan will reveal the SSH port anyways eventually, so not too much to gain. The main part is to use strong SSH keys and properly configured SSHd which is the case on most VPS provider (if they adjust the Ubuntu defaults at all)

If you know your way around SSHd config and firewalls, then sure change it to your taste. The 202 is just a tradeoff for less experienced users.

sholan

@nebulon
Fair enough, I do understand and agree with all you said, but shouldn't the documentation still be a bit more helpful for stubborn users like who don't like to do the same as everyone ?

girish

I have added a link in the note section at https://docs.cloudron.io/security/#securing-ssh-access . Changed the comment in sshd as well.

sholan

Feels nice, thank you guys !