On Thursday, 17 October 2024 13:34 DiffieHellman via tor-relays wrote:
> The solution is to disable password auth and use pubkeys only
Yes, SSH key auth should be the minimum requirement. 2FA SSH keys are the way to go.
> You still get logspam, but you can stop that with sshguard or fail2ban; note that setting thresholds too low will end up with you blocking yourself.
I think fail2ban for SSH is a total code overhead and child's play¹. You let attackers connect and then parse the logs afterwards. This can be solved with a few lines of IP/NF-tables directly at the source, as early as possible, preferably at ingress or in prerouting before conntrack is active.
¹I no longer take admins who configure fail2ban abuse seriously. I reject this nonsense.
Most servers only need to be accessed by a few IPs or possibly 1-2 providers. I only allow 2 ASNs in nftables. Toralf, Enkidu-6 and I have IP/NF-tables examples on GitHub. If something is unclear, please ask.
Nice pictures and very good answer: https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilt... https://unix.stackexchange.com/questions/581964/create-dynamic-blacklist-wit...
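The approach described in this reply (allow SSH only from a handful of source prefixes, and drop repeat offenders in the packet path instead of parsing logs), written out as an added nftables ruleset. This is an editor's example, not the poster's, Toralf's or Enkidu-6's published rules. The allowed prefixes are RFC 5737 documentation addresses standing in for your own ISP/ASN ranges, the ORPort is assumed to be Tor's default 9001, and the rate and timeout values are arbitrary choices to adjust. The meter and the blocklist are kept as two separate sets so that a source is only blocked once it exceeds the rate, rather than on its first attempt; the blocklist lookup sits in a raw-priority prerouting chain, which runs before conntrack allocates an entry for the packet.

```nft
#!/usr/sbin/nft -f
# Added example: SSH allow-list plus in-kernel blocklist, no log parsing.
# Assumptions: 203.0.113.0/24 and 198.51.100.0/24 stand in for your own
# prefixes; 9001 is Tor's default ORPort; rates/timeouts are illustrative.
# IPv4 only for brevity; duplicate the ip6 sets and rules for IPv6.

flush ruleset

table inet ssh_guard {
    # Sources allowed to reach sshd at all (the "2 ASNs" of the reply).
    set ssh_allowed {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.0/24 }
    }

    # Per-source meter for new SSH connections from everyone else.
    set ssh_meter {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
        size 65535
    }

    # Offenders. Entries expire on their own; no cron job or log parser.
    set ssh_blocklist {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
        size 65535
    }

    # priority raw (-300) is evaluated before conntrack (-200), so a
    # blocked source never even gets a conntrack entry.
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 22 ip saddr @ssh_blocklist counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept

        # Relay traffic (adjust to your torrc).
        tcp dport 9001 accept

        # Allowed prefixes go straight to sshd.
        tcp dport 22 ip saddr @ssh_allowed accept

        # Anyone else: a 4th new connection within a minute (rate 3/minute,
        # burst 3) matches the meter, puts the source on the blocklist and
        # is dropped. Below that rate the rule does not match.
        tcp dport 22 ct state new \
            update @ssh_meter { ip saddr limit rate over 3/minute burst 3 packets } \
            add @ssh_blocklist { ip saddr } \
            counter drop

        # Everything else aimed at sshd is refused without a blocklist entry.
        tcp dport 22 counter drop
    }
}
```

Check the file with `nft -c -f ssh_guard.nft` before loading it, and load it from a host inside an allowed prefix (or with a console fallback), since the input policy is drop. `nft list set inet ssh_guard ssh_blocklist` shows who is currently blocked and for how long, which is the only "log" this design keeps.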