~sircmpwn/sr.ht-discuss


builds: public ip address range

Jan-Henrik Christophersen
Message ID: <CAJk2QMbq8uE1pcG3Uy6w37HUY7W15cQ+sHoj-UBWN-W11AtcrA@mail.gmail.com>
Sender timestamp: 1556916020
DKIM signature: missing
Hi everyone,

is there a published ip range for builds.sr.ht? I'd like to whitelist
the range so that I can run a deployment script via SSH on my servers.
I couldn't find anything on man for this, maybe it would be a good addition.

Thank you,

Message ID: <20190503205804.GC1267@homura.localdomain>
In-Reply-To: <CAJk2QMbq8uE1pcG3Uy6w37HUY7W15cQ+sHoj-UBWN-W11AtcrA@mail.gmail.com>
Sender timestamp: 1556917084
DKIM signature: pass
I can't guarantee an IP range. Instead of whitelisting IPs on your
remote, you should add an SSH key as a build secret:

https://man.sr.ht/tutorials/builds.sr.ht/using-build-secrets.md

Jan-Henrik Christophersen
Message ID: <CAJk2QMZv9MtRFiULvBRqB9t1CVB+-TS+Jwhcoj2-a0L1RKGJ1Q@mail.gmail.com>
In-Reply-To: <20190503205804.GC1267@homura.localdomain>
Sender timestamp: 1556919590
DKIM signature: missing
I'm using an SSH key stored as a build secret, but I use a firewall in
DigitalOcean (where my servers run)
in front of the instances for port 22. I hoped that there was an IP
range I could whitelist so that I do not
have to allow any IP address.

Thanks for the quick response, though!

On Fri, May 3, 2019 at 10:58 PM Drew DeVault <sir@cmpwn.com> wrote:
>
> I can't guarantee an IP range. Instead of whitelisting IPs on your
> remote, you should add an SSH key as a build secret:
>
> https://man.sr.ht/tutorials/builds.sr.ht/using-build-secrets.md

Message ID: <m2sgtvdv82.fsf@paulwrankin.com>
In-Reply-To: <CAJk2QMZv9MtRFiULvBRqB9t1CVB+-TS+Jwhcoj2-a0L1RKGJ1Q@mail.gmail.com>
Sender timestamp: 1556922797
DKIM signature: pass
On Sat, May 04 2019, Jan-Henrik Christophersen wrote:
> I'm using an SSH key stored as a build secret, but I use a firewall in
> DigitalOcean (where my servers run)
> in front of the instances for port 22. I hoped that there was an IP
> range I could whitelist so that I do not
> have to allow any IP address.

As an alternative to the arduous (and probably fruitless) task of trying to
protect port 22 with firewall rules, you'll stop 99.9% of bot login
attempts by changing the port sshd listens on to something random, e.g.
2201.

-- 
https://www.paulwrankin.com

Message ID: <49e3a621-cb50-7f0a-3404-c2f328bab5bc@interia.pl>
In-Reply-To: <m2sgtvdv82.fsf@paulwrankin.com>
Sender timestamp: 1556923376
DKIM signature: pass
On 04.05.2019 at 00:33, Paul W. Rankin wrote:
> [...] you'll stop 99.9% of bot login
> attempts by changing the port sshd listens on to something random, e.g.
> 2201.

Keep in mind that ports above 1024 by default don't require root
privileges to listen on.

So any program on your server could try to listen on e.g. port 2201,
while if you used e.g. port 922, only root could listen on that port.

Depending on your situation and the configuration of your system,
e.g. whether there's a chance your ssh server dies, whether something
(e.g. systemd) will keep the socket open, and whether you give other people
shell accounts, this may or may not be an issue.
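To make the port concern in this message concrete, here is an added example (not code from the thread or from sr.ht): a small Python audit that parses an sshd_config, lists the ports sshd would bind, and flags those at or above 1024, which any local user could claim if sshd were not listening. The sample config and the function names are constructed for the demo.

```python
"""Added example, not from the thread: audit which ports an sshd_config
makes sshd listen on and flag the ones any local user could bind. On
Linux, ports below 1024 need root (or CAP_NET_BIND_SERVICE) by default."""
import re

PRIVILEGED_PORT_LIMIT = 1024  # ports below this are root-only by default
DEFAULT_SSH_PORT = 22         # what sshd uses when no Port directive is set

# sshd_config directives: a keyword, then whitespace or a single '=' before
# the value; lines starting with '#' and blank lines are comments.
_DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample config for the demo (not a real host's file).
SAMPLE_SSHD_CONFIG = """\
# Constructed sshd_config
#Port 22
Port 2201
ListenAddress 0.0.0.0
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

def listening_ports(config_text: str) -> list[int]:
    """Return the TCP ports sshd would listen on, in config order; parsing
    stops at the first Match block, since Port is global-only there."""
    ports = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        if keyword == "port" and value.isdigit():
            ports.append(int(value))
    return ports or [DEFAULT_SSH_PORT]

def unprivileged_ports(ports: list[int]) -> list[int]:
    """Ports a non-root process could bind while sshd is not listening."""
    return [p for p in ports if p >= PRIVILEGED_PORT_LIMIT]

if __name__ == "__main__":
    found = listening_ports(SAMPLE_SSHD_CONFIG)
    print("sshd ports:", found, "unprivileged:", unprivileged_ports(found))
```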

Message ID: <094851ee-83ab-9216-4570-e8e0e27f9fb7@biribiri.dev>
In-Reply-To: <m2sgtvdv82.fsf@paulwrankin.com>
Sender timestamp: 1556937947
DKIM signature: pass
On 2019-05-03 6:33 p.m., Paul W. Rankin wrote:

> An alternative to the arduous (and probably fruitless) task of trying 
> to protect port 22 with firewall rules, you'll stop 99.9% of bot login 
> attempts by changing the port sshd listens on to something random, 
> e.g. 2201.
>
Also there's fail2ban for slowing down bot attempts that make it through.

I personally haven't used an IP whitelist for SSH logins and so far I
haven't had problems with these sorts of things. Though it depends on how
much security you really need; it's a tradeoff between convenience and
security.

Message ID: <7d214c15-2e71-f7dc-107c-898ca9587299@biribiri.dev>
In-Reply-To: <094851ee-83ab-9216-4570-e8e0e27f9fb7@biribiri.dev>
Sender timestamp: 1556938220
DKIM signature: pass
On 2019-05-03 10:45 p.m., Francis Dinh wrote:
> Also there's fail2ban for slowing down bot attempts that make it through.

*Or rather for bots that aren't fooled by the SSH port change.

Jan-Henrik Christophersen
Message ID: <CAJk2QMYdQK8HimeJi_1EEk0ZQh860td54GTRx1WA6L=z+_Q1ug@mail.gmail.com>
In-Reply-To: <7d214c15-2e71-f7dc-107c-898ca9587299@biribiri.dev>
Sender timestamp: 1556963167
DKIM signature: missing
Thanks for the suggestions, I'll have a look into them.

On Sat, May 4, 2019 at 4:50 AM Francis Dinh <archaeme@biribiri.dev> wrote:
>
> On 2019-05-03 10:45 p.m., Francis Dinh wrote:
> > Also there's fail2ban for slowing down bot attempts that make it through.
>
> *Or rather for bots that aren't fooled by the SSH port change.
>