Something awful happened to my OMV and I don't know what

    • Official post

    Disabling password authentication and allowing only public keys will absolutely prevent any brute force user/password attacks from working. The logs will still be flooded though in the default configuration.


    Easiest way to change the port exposed to the internet is to change it in the router port forward settings and leave it set to 22 in OMV if the router will allow the ports to be different.

    Yeah... On my laptop (at home)... I installed a terminal app that points at my server and using a public key (although I've not disabled password auth)... then put a link to that terminal in my panel. Now I just click that terminal, and I'm logged in to my server via SSH (as a user). I do this more for ease of use, as port 22 is not open


    For remote SSH access... I reverse proxy'd a wetty container. When I go to the URL, it requires a username and password. Would that be vulnerable to a brute force? I've never really thought about it, but I've never seen anything weird in my logs. Just always assumed it was safe as it used SSL

  • I don't know how vulnerable that reverse proxy'd wetty would be.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

    • Official post

    What about Public Key Authentication and is this guide by subzero79 still up to date for OMV 5? I know gderf has posted on a method for this more recently but I couldn’t find it off hand. And would it have thwarted such an attack through ssh (if that is what this was)?


    And about setting a different port for ssh: can someone post a quick 1-2-3 on that.

    That should be fairly straightforward (assuming only local access here)...


    Change the SSH port in the OMV webUI and save the settings.


    Now in your SSH app, just point it at your IP and adjust the port.


    If you're using a linux terminal...


    ssh user@ip -p new_port

    • Official post

    Why not just a VPN connection to your lan, like WireGuard, for ssh access?

    Honestly, I have thought about that... but I'm not that familiar with wireguard. I've read a few tutorials on it, but that was about as far as I got on it. As it stands using wetty via SSL, my SSH port is not open to the Internet... They'd have to find it via my https port, then they would still need the container port... or get lucky and guess the URL... (which is really what my question pertained to)

    • Official post

    Why not just a VPN connection to your lan, like WireGuard, for ssh access?

    ssh on a non-standard port with password auth disabled is just as secure if not more. I say more because openssh has been around a lot longer than Wireguard and has a proven history of being secure.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.6 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official post

    ssh on a non-standard port with password auth disabled is just as secure if not more. I say more because openssh has been around a lot longer than Wireguard and has a proven history of being secure.

    Any thoughts on how I'm doing this?

    • Official post

    Any thoughts on how I'm doing this?

    Your setup is abstracting the ssh port so normal brute force tools for ssh won't work. But you can still brute force wetty.

    It is on a different port (if you used other than 443, it would be even better).

    If wetty is in a container, that is good.

    So, I would say your setup is very good. A vulnerability in wetty shouldn't really hurt you since it is in a container and they still wouldn't have your ssh password.

    • Official post

    Your setup is abstracting the ssh port so normal brute force tools for ssh won't work. But you can still brute force wetty.

    It is on a different port (if you used other than 443, it would be even better).

    If wetty is in a container, that is good.

    So, I would say your setup is very good. A vulnerability in wetty shouldn't really hurt you since it is in a container and they still wouldn't have your ssh password.

    Yeah, it's definitely a container... I'll have to do some more reading on brute force attacks. It's honestly not something I'm super familiar with.

    • Official post

    Why not a combination of both?!

    Why? Can you show me a vulnerability for patched openssh with password auth disabled? Adding a vpn is just another step. Plus, I'm not allowed to use vpn clients on my computers at work. So, if I want to login to my system at home to fix something, I just need putty. If you need to access more than ssh, vpn is the right way to go. But for just ssh, vpn is not needed on a properly set up system. I've had ssh exposed to the internet for almost 20 years and never had an issue.

  • Why? Can you show me a vulnerability for patched openssh with password auth disabled? Adding a vpn is just another step. Plus, I'm not allowed to use vpn clients on my computers at work. So, if I want to login to my system at home to fix something, I just need putty. If you need to access more than ssh, vpn is the right way to go. But for just ssh, vpn is not needed on a properly set up system. I've had ssh exposed to the internet for almost 20 years and never had an issue.

    I agree. It depends on the use case and the environment you are working in

  • Hi Guys,

    After a few days of studying my system I would say that the data shouldn't have been copied by someone else.

    Looking at the Auth log, it also appears that nobody actually succeeded in logging into my system...


    The remaining options are down to two, I guess:

    - An application going rogue (the ones I had running were Plex, qbittorrent, Krusader -- all of them containerized)

    - Some kind of mess from the CIFS standpoint: maybe triggered by my work laptop connected to the local network? I don't know


    A question for you: how can I see exactly what permission the containers have and on which folders?
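
Added example, not part of the post above or of OMV: one way to check an auth log for the two things this thread discusses, brute-force noise per source IP and whether any login was actually accepted. The log lines are constructed samples in the usual OpenSSH syslog format; hostnames, users and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
Mar  3 02:11:07 nas sshd[1812]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:09 nas sshd[1812]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 02:11:12 nas sshd[1815]: Failed password for root from 203.0.113.5 port 51262 ssh2
Mar  3 07:45:30 nas sshd[2101]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2: ED25519 SHA256:constructed
Mar  3 09:02:41 nas sshd[2290]: Failed password for alice from 198.51.100.7 port 44110 ssh2
Mar  3 09:02:55 nas sshd[2290]: Accepted password for alice from 198.51.100.7 port 44110 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user admin".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return (failed attempts per source IP, list of accepted logins)."""
    failed = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        else:
            accepted.append((m["user"], m["ip"], m["method"]))
    return failed, accepted

def suspicious_logins(log_text):
    """Accepted logins that used a password or came from an IP that also has failures."""
    failed, accepted = summarize(log_text)
    return [a for a in accepted if a[2] == "password" or failed[a[1]] > 0]

if __name__ == "__main__":
    failed, accepted = summarize(SAMPLE_LOG)
    for ip, count in failed.most_common():
        print(f"{count:4d} failed attempts from {ip}")
    for user, ip, method in accepted:
        print(f"accepted {method} login for {user} from {ip}")
    print("review:", suspicious_logins(SAMPLE_LOG))
```

With password authentication disabled, as recommended earlier in the thread, an `Accepted password` line should never appear, which makes this check a quick way to confirm the setting is in effect.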

    • Official post

    docker ps -a will show you the mounted/mapped volumes.

    If I am not mistaken, this will only show the mapping of the ports, but not the bind mounts.


    Try this


    docker ps -aq | xargs -L1 docker inspect | jq -s '[.[][0] | {id: .Id, name: .Name, image: .Config.Image, mounts: .Mounts}]'
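
Added example, not part of the post above: a script that reads `docker inspect` JSON and reports, per container, which host folders are mounted, whether each is writable, which user the container starts as, and whether it runs privileged. The sample data is constructed; the container names echo the thread, while the image names and host paths are hypothetical.

```python
import json
import sys

# Constructed sample in the shape `docker inspect` prints (not from the thread).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/plex", "Config": {"Image": "example/plex", "User": ""},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/srv/media", "Destination": "/media", "RW": false}]},
 {"Name": "/krusader", "Config": {"Image": "example/krusader", "User": ""},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/srv", "Destination": "/mnt/host", "RW": true}]},
 {"Name": "/qbittorrent", "Config": {"Image": "example/qbittorrent", "User": "1000:100"},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/srv/downloads", "Destination": "/downloads", "RW": true},
             {"Type": "volume", "Source": "/var/lib/docker/volumes/qbt_config/_data",
              "Destination": "/config", "RW": true}]}
]
""")

def mount_report(containers):
    """Flatten inspect output into one row per mount."""
    rows = []
    for c in containers:
        name = c["Name"].lstrip("/")
        # An empty Config.User means the container process starts as root.
        user = c.get("Config", {}).get("User") or "root"
        privileged = c.get("HostConfig", {}).get("Privileged", False)
        for m in c.get("Mounts", []):
            rows.append({
                "container": name, "user": user, "privileged": privileged,
                "type": m["Type"], "host": m["Source"],
                "inside": m["Destination"], "access": "rw" if m["RW"] else "ro",
            })
    return rows

def writable_bind_mounts(containers):
    """Host folders a container can modify directly: the rows to review first."""
    return [(r["container"], r["host"]) for r in mount_report(containers)
            if r["type"] == "bind" and r["access"] == "rw"]

if __name__ == "__main__":
    # Live use: docker ps -aq | xargs docker inspect | python3 this_script.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for r in mount_report(data):
        print("{container:12} {user:9} {type:6} {access}  {host} -> {inside}".format(**r))
    print("writable bind mounts:", writable_bind_mounts(data))
```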
