How to harden against SSH brute-forcing?

voroxpete@sh.itjust.works

You seem like a fan of the "pull out" method.

fedditor385@lemmy.world

Setup fail2ban

briantheebiscuiteer@lemmy.world

In addition to other advice you could also use SSH over Wireguard. Wireguard basically makes the open port invisible. If you don't provide the proper key upfront you get no response. To an attacker the port might as well be closed.

Here's at least one article on the subject: https://rair.dev/wireguard-ssh/

troed@fedia.io

Feel free to argue with facts. Hardening systems is my job.

encryptkeeper@lemmy.world

https://www.crowdsec.net/

Take the concept of Fail2Ban and add in a community blocklist of thousands of IPs so that you’re blocking not only IPs that have attacked you, but others as well.

It’s neat because they have a number of collections you can download from the community that include readymade parsers for other kinds of logs, and other attack scenarios you can guard against. For example, if you run Nginx or Caddy as webservers on that machine, you can download associated collections for each that can parse your web access log files and ban IPs based on IPs probing your web server for unprotected admin panels, or abusive AI crawlers.

You can even write your own scenarios. I wrote one that immediately blocks you after just one attempt to log in using an account like root, admin,adm,administrator, etc.

unlogic@lemmy.zip

If you can, employ tailscale ssh.

callcc@lemmy.world

Public ssh is completely fine as long as you use key based auth only and keep your sshd up to date. Stop spreading bullshit.

cron@feddit.org

I don’t really get the love for fail2ban. Sure, it helps keep your logs clean, but with a solid SSH setup (root disabled, SSH keys enforced), I’m not bothered by the login attempts.

callcc@lemmy.world

Welcome to the internet! Your system will get probed. Make sure you run as little as possible services on open ports and only high quality ones such as OpenSSH. Don't freak out because of your logs. You're fine as long as your system is up to date and password login disabled! Don't listen to the fail2ban or VPN crowd. Those are only snake oil.

A VPN is probably just as (in)secure as OpenSSH. There is no gain in complicating things. OpenSSH is probably one of the most well tested code for security around.

cron@feddit.org

Nice list of suggestions, but implementing all of them feels a little over-the-top.

jubilantjaguar@lemmy.world

This is the only answer you need to read. It's a non-problem if you just do this, and there's no reason not to do it.

xanza@lemm.ee

1. Disable passwordless login.
2. Disable password login.
3. Require SSH keys
4. Move SSH port to non-standard port
5. Reject connections to port 22
6. Install and enable fail2ban

About the best you can do.

markstos@lemmy.world

Using a nonstandard port doesn’t get you much, especially popular nonstandard ports like 2222.

I used that port once and just as much junk traffic and ultimately regretted bothering.

cmnybo@discuss.tchncs.de

It gets rid of most of the login attempts for me. I don't use a popular port though. Pick a 5 digit port so they have to put in some effort to find it.

friend_of_satan@lemmy.world

My experience running several ssh servers on uncommon nonstandard ports for over 10 years has been that it has eliminated all ssh brute forcing. I don't even bother with fail2ban. I probably should though, just in case.

Also, PSA: if you use fail2ban, don't try tab completing rsync commands without using controlmaster or you will lock yourself out.

irmadlad@lemmy.world

My two cents: Using a nonstandard ssh port is good for dumping bots. True, you can easily do a port scan against a server and easily find all open ports nbd. But most off-the-shelf bots are looking for standard ports to penetrate. I know that when I format and reinstall the test server, as soon as I change the ssh port, bot noise goes down significantly. So, for a simple config edit and about 2 minutes of time, it seems worth the effort. It's just one layer tho. And yes, it goes without saying to pick a port other than 22, 222, 2222, etc.

irmadlad@lemmy.world

OP, here is what I do. It might seem overboard, and my way doesn't make it the best, or the most right, but it seems to work for me:

• Fail2ban
• UFW
• Reverse Proxy
• IPtraf (monitor)
• Lynis (Audit)
• OpenVas (Audit)
• Nessus (Audit)
• Non standard SSH port
• CrowdSec + Appsec
• No root logins
• SSH keys
• Tailscale
• RKHunter

The auditing packages, like Lynis, will scour your server, and make suggestions as to how to further harden your server. Crowdsec is very handy in that it covers a lot of 'stuff'. It's not the only WAF around. There is Wazuh, Bunkerweb, etc. Lots of other great comments here with great suggestions. I tend to go overboard on security because I do not like mopping up the mess after a breach.

irmadlad@lemmy.world

+1 for Crowdsec

voroxpete@sh.itjust.works

And mine. Clearly one of us is better at it.

voroxpete@sh.itjust.works

A lot of things are "fine", but the cost of adding Netbird to your VPS is effectively zero, whether counted in dollars, time, or convenience.

Given the massive security benefits of using a VPN, and the lack of any meaningful downside to doing so, you'd be an idiot not to.