iptables to drop for a while IPs with recently failed connections
Solution 1:
Without parsing logfiles, you can't know if an ssh login attempt was successful. Fortunately you don't have to parse those logfiles yourself. fail2ban can do this for you. I generally jail an IP for a week after 3 failed login attempts.
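The point of this answer (only the auth log tells you whether an attempt failed, and fail2ban does that parsing for you) as an added example that is not code from the answer or from fail2ban itself: a small replay of fail2ban's maxretry/findtime/bantime jail logic over constructed sshd log lines, set to the 3-failures-then-a-week policy described above. The year (syslog lines carry none), the sample IPs and the log lines are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd auth log lines (not real traffic), syslog format.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  3 10:02:00 host sshd[1210]: Accepted publickey for alice from 203.0.113.5 port 40001 ssh2
Mar  3 10:03:00 host sshd[1212]: Failed password for bob from 203.0.113.9 port 40100 ssh2
Mar  3 10:20:00 host sshd[1230]: Failed password for bob from 203.0.113.9 port 40150 ssh2
Mar  3 10:40:00 host sshd[1240]: Failed password for bob from 203.0.113.9 port 40180 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2020):
    """Yield (timestamp, ip) for every failed-password line; the year is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def compute_bans(log_text, maxretry=3, findtime=600, bantime=7 * 24 * 3600):
    """Replay the log and return {ip: ban_expiry}: an IP is banned once it has
    maxretry failures inside a sliding findtime window (seconds), like a fail2ban jail."""
    recent, bans = defaultdict(deque), {}
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip]:
            continue  # still banned; a real jail would not even see this attempt
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def iptables_commands(bans):
    """Render the DROP rules a ban action would insert (strings only; nothing is run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]
```

With the default 10-minute findtime only 198.51.100.7 is banned; 203.0.113.9 spreads its three failures over 40 minutes and is only caught if findtime is widened.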
Solution 2:
2020 Update
Nowadays I just use sshguard (on containers) or fail2ban with ipset (VMs / bare metal) - all with public key ssh listening on a non-standard port. I still limit access to this port with iptables to my static IPs. My fail2ban config blocks attackers for 2 days with bantime = 48h. I still use a vpn but am switching to wireguard.
See also:
- SSH Hardening to add 2 Factor Authentication
- Onlykey SSH setup to put your ssh keys onto a Security Key. It also works with gpg keys. It is much more secure than having your private keys on your pc. It is physically more secure than a Yubikey due to Onlykey being PIN protected.
- How to back up your 2FA secret keys with KeePassXC
- Use a disposable Qubes vm for generating your keys
I also use Onlykey to secure KeepassXC as a HMAC-SHA1 2nd Factor. It can also be used with Linux PAM to login to your system & be required for sudo.
With this setup I do not worry about ssh being exploited.
First of all do not have ssh listen on port 22 to reduce the chance of your port being found by automated scanners. Also use psad to automatically block hosts which scan your machine for a configurable amount of time (1 hour by default).
A very simple solution is to just rent a 64 or 128 meg openvz container & configure openvpn so you have a fixed ip address & then limit your iptables rule to --source vpn.ip.address on the host you wish to protect.
A better solution is to completely stealth your ssh port with fwknop. There is then no need to run fail2ban as your ssh port is closed until you send a gpg signed & encrypted packet from the fwknop-client which will open your firewall for a configurable amount of time (30 seconds by default). You can also configure fwknop to only accept certain ip addresses (such as your vpn).
I have some quite extensive notes here for fwknop.
If you are serious about ssh security you should also be using ed25519 keys. More notes here for using secure ciphers with openssh. Another good choice is tinyssh which has no dependency on openssl & is secure by default.
All of the software mentioned here exists in Alpine Linux which also benefits from address space layout randomization via PaX in its Grsecurity kernel.