[06:05] <lordievader> Good morning
[15:37] <foo> aaronr / bezt - looks like I'm going to want fail2ban. Even with not accepting passwords, I still see non-stop attempts in ssh. I suspect that's fine but there's no reason to allow that. Is there config required on fail2ban I wonder? /me investigates docs
[15:38] <aaronr> foo: just installing it will provide basic protection but I second bezt's recommendation for enabling recidive to give harsher penalties to repeat offenders
[15:39] <foo> aaronr: thanks, looking into how to do that now.
[15:46] <foo> ok, I installed fail2ban. Seems easy enough. Watching auth logs and looking into recidive
[15:46]  * foo reads https://bpaulino.com/entries/hardening-your-server-security-with-fail2ban
[15:46] <mybalzitch> foo: you can always move ssh off the default port. that'll stop a bunch of the blind connection attempts
[15:47] <foo> mybalzitch: I did, bots found it, haha.
[15:47] <mybalzitch> oh dang
[15:47] <foo> I could move it again, I suppose.
[15:47] <mybalzitch> but yeah, my one public facing server where I have ssh exposed gets a lot of attempts
[15:48] <mybalzitch> but I think my hosting provider filters some of the worst networks
[15:48] <foo> Yeah, I had ssh on port 8822.
[15:48] <foo> sshd[9725]: Disconnected from invalid user Costi.UNDERNET 45.240.88.119 port 51900 [preauth]
[15:48]  * foo shakes head
[15:48] <mybalzitch> that's an odd one
[15:49] <mybalzitch> you should set up t-pot lol
[16:03] <patdk-l2> I just leave ssh on port 22
[16:03] <patdk-l2> my router blocks most of the offenders
[16:03] <patdk-l2> and if I would move it to another port that would be really rather annoying
[16:04] <patdk-l2> and sholin or whatever will find it in a week and everyone would be attacking it on the new port anyways
[16:30] <DArqueBishop> What might also help is to set PasswordAuthentication in sshd_config to "No", so that users are forced to use pubkey authentication. That'll greatly reduce the effectiveness of brute force attacks.
[17:04] <andol> foo: I mean, what problem are you trying to solve here? Assuming that you don't accept password logins, there is really no real risk that a brute force attack will have any success in gaining access to your systems. Is it the log entries you find annoying? Or do the constant connection attempts keep filling up sshd's connection limiting, blocking your own access?
[17:27] <foo> andol: good question, the former - just annoying. But my hunch is this is "server admin as usual"
[17:27] <foo> andol: ... eg. it's likely fine to just let it be
[17:28] <foo> andol: appreciate you digging a little further