18 Nov
2014
18 Nov
'14
5:46 p.m.
On 2014-11-18 18:38, Kevin de Bie wrote:
Fail2Ban works really well. Shifting to a non standard port only stops the scriptkids from having too much automated options and does not do anything for actual security. For this reason I personally never bothered with that. Non standard username and password auth with fail2ban makes brute forcing practically impossible, this is usually how I have things configured.
Just changing it to key-based authentication stops ALL password-guessing attacks.
You will then be left with the logs though.
Hence lets make a little list for clarity in order of "should at least do":
- Use SSH Authentication - Disable Password Authentication - Use Fail2ban - Restrict on IP address (no need for fail2ban then)
Greets, Jeroen