[tor-relays] SSH

George george at queair.net
Tue Dec 29 17:35:16 UTC 2020


On 9/21/20 7:52 AM, Logforme wrote:
> On 2020-09-21 11:19:20, "Андрей Гвоздев" <andrejgvozdev55 at gmail.com> wrote:
> 
>> Hello
>> I'm running a TOR relay, every time I SSH to my server I see a message
>> that there were thousands of failed login attempts
>> Do you see this message too?
>>
> Exposing a SSH server to the internet will get you lots of login attempts.

Yes, this is normal for anyone running internet-facing systems, and 
there are as many mitigations as there are sysadmins.

> Here are some things you SHOULD do to help the situation:
> Change the SSH default port.

Yes, this will lessen the number of entries in the relevant log file 
until the brute force attackers get more intelligent. Just understand 
this is not a security measure. It's more like a dose of obscurity to 
make log files less noisy.

> Disable the root login.

+1

> Use key-based authentication.

+1

Those are important and vital security measures, as is employing some 
sort of multi-factor authentication method like YubiKey. (No, 
officially key-based SSH auth is not formally MFA...)

But the two ways to actually address the problem are either:

* network or host-based firewalling to limit connections based on the 
same source, rate, etc., which depends on the operating system you're 
running.

* there are also tools like fail2ban and so on that are popular.

* if you're running FreeBSD or NetBSD, try Christo's blacklistd. It 
might be ported to other OSs. If it's not, it should be...

HTH

g

