On 2014-11-18 18:38, Kevin de Bie wrote:
Fail2Ban works really well. Shifting to a non standard port only stops the scriptkids from having too much automated options and does not do anything for actual security. For this reason I personally never bothered with that. Non standard username and password auth with fail2ban makes brute forcing practically impossible, this is usually how I have things configured.
Just changing it to key-based authentication stops ALL password-guessing attacks. You will then be left with the logs though. Hence lets make a little list for clarity in order of "should at least do": - Use SSH Authentication - Disable Password Authentication - Use Fail2ban - Restrict on IP address (no need for fail2ban then) Greets, Jeroen