On Thursday, 17 October 2024 13:34 DiffieHellman via tor-relays wrote:

> The solution is to disable password auth and use pubkeys only

Yes, SSH key auth should be the minimum requirement. 2FA SSH keys are the way to go.

> You still get logspam, but you can stop that with sshguard or fail2ban, note
> that setting thresholds too low will end up with you blocking yourself.

I think fail2ban for SSH is a total code overhead and child's play¹. You let attackers connect and then parse the logs afterwards. This can be solved with a few lines of IP/NF-tables directly at the source. As early as possible, preferably in table ingress or prerouting before conntrack is active.

¹ I no longer take admins who configure fail2ban abuse seriously. I reject this nonsense.

Most servers only need to be accessed by a few IPs or possibly 1-2 providers. I only allow 2 ASNs in nftables.

Toralf, Enkidu-6 and I have IP/NF-tables examples on Github. If something is unclear, please ask.

Nice pictures and very good answer:
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail
https://unix.stackexchange.com/questions/581964/create-dynamic-blacklist-with-nftables

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
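An added nftables ruleset illustrating the approach described in the message above (filtering SSH in the netdev ingress hook, before conntrack, with a static allow-list and a self-expiring dynamic blacklist); this is an editor's example, not the poster's or the linked repositories' code. The interface name, the allow-listed prefixes, the rate threshold and the set names are assumptions to be replaced with your own values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. IPv4 only; interface, prefixes
# and thresholds are placeholders.

table netdev ssh_ingress {
    # Static allow-list: your admin prefixes (or your provider's ASN prefixes).
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }   # placeholder prefixes
    }

    # Dynamic blacklist: entries expire by themselves after one hour.
    set ssh_block {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
    }

    chain ingress {
        # Runs on the ingress hook, i.e. before conntrack allocates any state.
        type filter hook ingress device eth0 priority -500; policy accept;
        # Only SSH traffic takes the detour through the checks below.
        tcp dport 22 jump ssh_in
    }

    chain ssh_in {
        # Already blacklisted: dropped with no state and no log line.
        ip saddr @ssh_block counter drop

        # Known admin prefixes are never rate-limited.
        ip saddr @ssh_allow accept

        # Unknown source opening more than 3 connections (SYN) per minute:
        # the per-source meter trips, the address is added to the blacklist
        # and this packet is dropped. The 5m meter timeout bounds memory use.
        tcp flags & (syn|ack) == syn \
            meter ssh_rate size 65536 { ip saddr timeout 5m limit rate over 3/minute } \
            add @ssh_block { ip saddr } counter drop

        # Well-behaved unknown sources get through. For the strict setup the
        # poster describes (only the allow-listed prefixes may connect at all),
        # change this to 'counter drop'; the meter rule then becomes optional.
        counter accept
    }
}
```

Load it with `nft -f <file>` and watch `nft list set netdev ssh_ingress ssh_block` to confirm that offending sources appear and expire; test from a second admin address first so a mistyped allow-list prefix cannot lock you out.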