On 28/10/2020 08:22, druck wrote:
> On 27/10/2020 17:53, The Natural Philosopher wrote:
>> On 27/10/2020 16:35, Scott Alfter wrote:
>>> In article ,
>>> The Natural Philosopher   wrote:
>>>> I have sshd running wide open on two public servers. Although they are
>>>> attacked constantly - several per second attempts - no one has ever
>>>> guessed my username and password, which is the only one that allows a
>>>> login...
>>>
>>> If you're logging into a public-facing server with your password, you're
>>> doing it wrong.  Read up on SSH public-key authentication, and set it
>>> up.
>>> It's easy, and it's more secure than passwords.
>
> Seconded.
>
>> I use that mostly, yes. But I leave the odd backdoor open for when I
>> am away from all devices that I own...
>>
>>>
>>> Also, if you don't already have it, set up fail2ban.  It'll ban IPs that
>>> hammer your SSH server.
>
> A lighter weight alternative if you only have a limited set of ports
> exposed to the world is sshguard.
>
>> To be honest, I am not sure that the fail2ban uses any less cycles
>> than sshd when rejecting rubbish
>>
>>
>> Let's put it this way. The amount of CPU and RAM used in rejecting
>> ratware is less than is used in rejecting attempts to sntp relay and
>> so on.
>
> Rejecting the connection at IP firewall level takes far less resources
> then allowing an ssh session to be negotiated then failing after the
> other end tries to login as root with a number of different common
> passwords.
>
>> I make a point of not fixing problems I don't have.
>
> See how big your auth log can get to if you don't.

Again, there is no shortage of disk space and it gets rotated.

>
> ---druck
>


--
Truth welcomes investigation because truth knows investigation will lead
to converts. It is deception that uses all the other techniques.

--- SoupGate-Win32 v1.05