Re: Undesired ssh login attempts
- Date: Sun, 10 Jun 2018 19:23:55 -0600
- From: Thomas D Dial <tdial@xxxxxxx>
- Subject: Re: Undesired ssh login attempts
On Sun, 2018-06-10 at 11:09 +0000, Dan Purgert wrote:
> deloptes wrote:
> > Hi,
> > I recently get many of those, which means someone found out that
> > ssh
> > external is on port 22222 and is trying to do some evil work there.
> > Should I worry or do something?
> Use key-based auth only
> Ensure root ssh login is not allowed
> Perhaps fail2ban (or equivalent)
> Perhaps forget about funny ports (as they're "security by obscurity"
I've generally used the following on machines that allow ssh login:
AllowUsers root@<ip of local host> ...
# may be impractical for systems that have many logins, but mine don't)
PermitRootLogin prohibit-password (OpenSSH default)
ChallengeResponseAuthentication no (Debian default)
The private key for root access on a machine is owned by a dedicated
administration account on the system, is unique to the machine, and is
passphrase protected. On some machines the admin account is only
accessible to access from the machine. On most systems the root
password is a random string that was discarded after being set.
SSH runs on port 22, since the attempt volume has not been high
recently. The firewall denies port 22 access.
These seemed to me a reasonable compromise between security and