![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
![Zarathustra[H]](https://cdn.hardforum.com/data/avatars/m/9/9298.jpg?1714700655){kind=avatar}
I don't get hardly any, i'm in a consumer block of ATT IP addresses though, so maybe they don't scan those for ssh servers as often.
Not really what I said, it is more every joe blow trying to run their own services to save some money when really they have no business doing so because they do not have the technical knowledge or expertise to truly secure it and monitor it. Then those people end up contributing to the massive problems of compromised systems with out even knowing it. By all means, learn, read, research, run a lab and try it out, but until you actually know what you are doing...don't put something public on the internet, because now you are literally part of the problem.Yeah, don't set up your own stuff, come to us, pay us, and then pay us a little more every year or else we take it all away
No it's what the sponsors of this research say. I mean this is like simplisafe 'partners' running a research where they leave the front doors of homes wide open. And then try to sell you home security because only they can provide security.
Reality is, Companies do this on their own every single day, deploy badly configured services. Seeing how many miss-configured AWS instances and Azure tenants that are set up is scary (I work in the industry). Honeypots while they have a purpose, are also set up in ways that mimic, sadly, how many people deploy things these days. Little security insight, not being patched, no proper security controls in place, the list goes on and on and on of how incorrect people deploy things these days.
Yes and no,
Really, the title of the article could/should be "Insecure server deployments found to be insecure by security company." Ever since the invention of port scanners and bots, it should be assumed that you will be pentested, likely by malicious actors.
That's a good start but now there are so many free VPN services that they use now to simulate being in the US or Canada so you have to block them all as well, most major firewall providers have a list of their IP ranges so you can add them to the block list as well. Modern firewalls also allow for Application ID tagging, so you can specify that only SSH traffic is allowed on that port and you should go a step further as well and set the IP addresses or ranges that are allowed to access that SSH port.
You can fix that with your DNS records, Microsoft has a number of articles on how to ensure your data doesn't leave your home country.
That works great for incoming, but I also block outbound, the amount of crap that tries to leave IoT devices to Asia and Samsung Cell phones is unreal....not to mention ad networks and all the other craping track products put into their devices.
Good to know, this is our client who's data is hosted in North America locations, so one would presume Azure would keep all accounts and access with in North America...but I guess that would make too much sense for them..
There are G licenses available for government entities to ensure your data stays within the country. Some other licenses may do this too, but there are so many I don't keep up on them unless I have to.
My point was more that I received massive amounts of easily detectable intrusion attempts for a single, unadvertised host. Right now, if I wanted remote SSH access to my home server, I wouldn't even consider it without limiting it to only my single remote IP address and some additional security measures. There are simple steps to take to discourage intrusion attempts that if you don't take them, you really have no business setting up a public facing server of any type. Cloud services generally just make the servers available and allow the customer to configure to their needs. The easy access to servers may be encouraging people to set things up by themselves that they have no business attempting.
Yeah, Microsoft and Amazon are pretty clear in their documentation that they discourage outside access and instead recommend you configuring your sites to connect back to the hosted servers via a secured VPN. But more than half of them are accessing it via the public ally accessible IP because… cheaper & easier I guess I can’t imagine why somebody would configure it that way but they do by the thousands.
This,
The clients I have seen who create a new VM in Azure, give it a public IP to access RDP...and never close it....and then we go in to do a ransomware recovery....because they left it open on 3389 with a simple password.
It's the Corporatist way!Yeah, don't set up your own stuff, come to us, pay us, and then pay us a little more every year or else we take it all away
Not as if those are a new invention. It was going on since I first had an internet connection. If anything it was more common back in the dark ages of the internet. Back in the late days of windows 98, if you connected it to the internet it literally took seconds for it to get compromised.
ISP Fiber box ---> their router --> bridged mode port to my pfsense. Once i cancel TV service with them, it will be ISP Fiber ---converter --> right to my pfsense.
For the past couple of devices from my ISP they have been deny-all inbound by default anyways. Unless i've got a specific device on the inside that I can't adjust the host-based rules for, I don't even bother touching the ISP provided device anymore. They've gotten a lot better with it.
Block all, IN and OUT.
Well, it can be their job if you pay them.
Very valid! Yes, I stand corrected!
You are missing my point. What I was saying is that they already have an environment set up. They should use this as an opportunity to demonstrate both the misconfigured network and the properly configured network. They could use the setup for a typical cloud eCommerce. It could be done as a Cloudformation template or even just some images to show the network topology and configuration. It would be a great tool for everyone to read and learn from, regardless of the level of expertise.