On 27/10/2020 17:53, The Natural Philosopher wrote:
> On 27/10/2020 16:35, Scott Alfter wrote:
>> In article ,
>> The Natural Philosopher wrote:
>>> I have sshd running wide open on two public servers. Although they are
>>> attacked constantly - several per second attempts - no one has ever
>>> guessed my username and password, which is the only one that allows a
>>> login...
>>
>> If you're logging into a public-facing server with your password, you're
>> doing it wrong. Read up on SSH public-key authentication, and set it up.
>> It's easy, and it's more secure than passwords.
Seconded.
> I use that mostly, yes. But I leave the odd backdoor open for when I am
> away from all devices that I own...
>
>>
>> Also, if you don't already have it, set up fail2ban. It'll ban IPs that
>> hammer your SSH server.
A lighter weight alternative if you only have a limited set of ports
exposed to the world is sshguard.
> To be honest, I am not sure that the fail2ban uses any less cycles than
> sshd when rejecting rubbish
>
>
> Let's put it this way. The amount of CPU and RAM used in rejecting
> ratware is less than is used in rejecting attempts to sntp relay and so on.
Rejecting the connection at IP firewall level takes far less resources
than allowing an ssh session to be negotiated then failing after the
other end tries to login as root with a number of different common
passwords.
> I make a point of not fixing problems I don't have.
See how big your auth log can get to if you don't.
---druck