I've used fwknop to hide the ssh port entirely. Similar to port pattern knocking, it inspects and drops packets to make it look like a closed port until the signed packet is received, then opens the firewall port for a set duration. Get your ssh connection set up and let the firewall close behind you.
It doesn't just have to be for remote access from the internet. You can also use this kind of setup internally. The university I worked at did this for their network management. They put the management interfaces of all their networking equipment into one isolated VLAN, then used two bastion boxes for access to them (vty access restricted to these two systems). This gave access control, full logging, access to management scripts and no worries about using telnet for accessing switches, routers and APs.
Good to see Lynis getting more exposure; it also has a limited forensic and pentesting option as well.
Ahh proxychains is perfect. Thanks guys!!
Yup Tom, the 2nd approval, known in the world of nukes as the "Two Man Rule."
Using Teleport for secure ssh to my target systems.
Tactical RMM might be worth looking at :)
Be sure to talk about the smart card aspect of yubikey, having your private keys on the yubikey
Would never do this. Too much attack surface for the very little gains.
Use a VPN or a soft VPN. Done.
First