On 22.09.2020 20:34, George wrote:
> The great secret SSHD security hack that I feel uncomfortable mentioning on a public list is... do SSH over IPv6 if you can. Seems like the bots haven't caught up to that yet.

;-) Yeah, only 1 or 2 attempts/YEAR over IPv6, and that's a research project from a German uni.
I block SSH DDoS attacks with the iptables recent module:

## Drop incoming connections which make more than 4 connection attempts upon port 22 within ten minutes
## To list these damned IPs: 'nano /proc/net/xt_recent/ssh' or
## 'cat /proc/net/xt_recent/ssh > recent-ssh.txt'
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 600 --hitcount 4 -j DROP
Fail2ban, to block intruders permanently:

[recidive]
enabled = true
# logpath = /var/log/fail2ban.log
# banaction = %(banaction_allports)s
bantime = -1 ; permanent
findtime = 86400 ; 1 day
maxretry = 6
I leave SSH on port 22, but pub-key auth is important and only one user or group is authorized to log in. See:

AllowUsers user
AllowGroups sshusers
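To see what the two `recent` rules above actually do to a burst of connection attempts, here is a small model of them in Python. It is an added example, not code from the mail or from the kernel's xt_recent module: it follows the documented semantics (`--set` records a timestamp for the source on every new connection; `--update --seconds 600 --hitcount 4` matches when at least 4 timestamps fall inside the last 600 seconds and, because it is `--update`, records another timestamp when it matches). The addresses, timestamps and the 20-entry cap (the module's default ip_pkt_list_tot) are constructed sample values.

```python
# Model of the two iptables rules:
#   -m recent --name ssh --set
#   -m recent --name ssh --update --seconds 600 --hitcount 4 -j DROP
# This is an illustrative model, not the kernel implementation.

WINDOW_SECONDS = 600   # --seconds 600
HITCOUNT = 4           # --hitcount 4
LIST_TOT = 20          # assumed: xt_recent's default ip_pkt_list_tot


class RecentTable:
    """Per-source timestamp lists, like /proc/net/xt_recent/ssh holds."""

    def __init__(self):
        self.stamps = {}  # src -> list of timestamps (oldest first)

    def _stamp(self, src, now):
        # Record a hit; the module keeps only the newest LIST_TOT stamps.
        stamps = self.stamps.setdefault(src, [])
        stamps.append(now)
        if len(stamps) > LIST_TOT:
            del stamps[0]

    def new_connection(self, src, now):
        """Return the verdict for a NEW TCP connection to port 22."""
        # Rule 1 (--set): always record this attempt.
        self._stamp(src, now)
        # Rule 2 (--update): count stamps inside the sliding window.
        cutoff = now - WINDOW_SECONDS
        hits = sum(1 for t in self.stamps[src] if t >= cutoff)
        if hits >= HITCOUNT:
            # --update refreshes "last seen" on a match, so an address
            # that keeps knocking keeps its window alive.
            self._stamp(src, now)
            return "DROP"
        return "ACCEPT"


def simulate(attempts):
    """Run a list of (seconds, src) attempts through a fresh table."""
    table = RecentTable()
    return [table.new_connection(src, now) for now, src in attempts]


# Constructed sample: one address hammering port 22, one normal client.
SAMPLE_ATTEMPTS = [
    (0, "10.0.0.1"),
    (100, "10.0.0.1"),
    (200, "10.0.0.1"),
    (300, "10.0.0.2"),   # unrelated client, unaffected
    (300, "10.0.0.1"),   # 4th attempt inside 600 s -> dropped
    (350, "10.0.0.1"),   # still inside the window -> dropped
    (1000, "10.0.0.1"),  # quiet for > 600 s, window has expired
]

if __name__ == "__main__":
    for (now, src), verdict in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(f"t={now:5d}s  {src:10s}  {verdict}")
```

The point worth noticing is the last two verdicts: the `--update` rule re-stamps the entry every time it drops a packet, so an address is only released once it has been silent for the full 600 seconds, while a different source (10.0.0.2) is never touched because the list is keyed per source address.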