Securing SSH server against bruteforcing
Solution 1:
Fail2ban and Port Knocking should address most of your needs.
Changing your SSH port and only allowing Key-based authentication are also recommended.
It can be argued that you may reach a point of diminishing returns in adding additional security measures, but then again, it's up to you to decide when you're "secure enough".
It's also a good idea to disallow root login.
Solution 2:
There is no substitute for secure passwords AND key-authentication. That being said, Fail2Ban is a great tool for banning IPs of users who attempt to authenticate too many times. It's also available as a pre-built package for most distros. Be warned, you can accidentally get yourself banned, so make sure you have a recovery white-listed IP too or easy console access...
Fail2Ban has several good examples of how to configure everything you asked... It does not, however, have a universal repository of bad addresses. I don't think there is such a repository anywhere, due to the ease of getting another IP (DHCP renew/botnet attacks/etc...). I would also disable logging in via SSH using common 'administrator'-type usernames (root/admin/administrator/sysop/etc.) as these are the most commonly banged on.
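The ban-yourself caveat above is easier to reason about with the counting logic in front of you. The script below is an added example, not fail2ban's own code or anything from the answer: it does in a few lines of sh/awk what fail2ban's sshd jail does (count "Failed password" lines per source address in an auth.log-style file and report addresses at or over maxretry), with an ignore list playing the role of fail2ban's ignoreip. The log excerpt, the addresses (RFC 5737 documentation ranges) and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): a minimal imitation of what
# fail2ban's sshd jail does, so the "whitelist your own address" caveat is
# concrete. Counts "Failed password" lines per source address and prints the
# addresses that reach MAXRETRY, skipping any address on the ignore list.

# Constructed auth.log excerpt: 203.0.113.7 (an attacker) fails four times,
# 198.51.100.9 (the admin's own laptop, mistyping a passphrase) fails four
# times as well, 192.0.2.5 fails once.
write_sample_log() {
    cat > "$1" <<'EOF'
May 10 08:01:10 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 10 08:01:12 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
May 10 08:01:14 host sshd[1205]: Failed password for invalid user sysop from 203.0.113.7 port 51238 ssh2
May 10 08:01:16 host sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 10 08:02:01 host sshd[1210]: Failed password for alice from 198.51.100.9 port 40001 ssh2
May 10 08:02:03 host sshd[1211]: Failed password for alice from 198.51.100.9 port 40002 ssh2
May 10 08:02:05 host sshd[1212]: Failed password for alice from 198.51.100.9 port 40003 ssh2
May 10 08:02:07 host sshd[1213]: Failed password for alice from 198.51.100.9 port 40004 ssh2
May 10 08:02:09 host sshd[1214]: Accepted publickey for alice from 198.51.100.9 port 40005 ssh2
May 10 08:03:00 host sshd[1220]: Failed password for bob from 192.0.2.5 port 33000 ssh2
EOF
}

# ban_candidates LOGFILE MAXRETRY [IGNORE_ADDR...]
# Prints, one per line and sorted, every address with >= MAXRETRY failures
# that is not listed as an ignore address (fail2ban's "ignoreip").
ban_candidates() {
    log=$1; maxretry=$2; shift 2
    ignore=" $* "
    # The word after "from" on a "Failed password" line is the source address;
    # "Accepted ..." lines never match the pattern and so are not counted.
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (a in n) print n[a], a }' "$log" |
    while read -r count addr; do
        [ "$count" -ge "$maxretry" ] || continue
        case "$ignore" in *" $addr "*) continue ;; esac
        echo "$addr"
    done | sort
}

# Stand-alone demo: without an ignore list the admin bans their own address.
tmp=$(mktemp)
write_sample_log "$tmp"
echo "maxretry=4, no ignoreip:";             ban_candidates "$tmp" 4
echo "maxretry=4, ignoreip=198.51.100.9:";   ban_candidates "$tmp" 4 198.51.100.9
rm -f "$tmp"
```

Run as-is to see both lists; the second run is the configuration you want, with the recovery address excluded before any ban decision is made. Real fail2ban additionally windows the count (findtime) and expires bans (bantime); this example only shows the counting and the exclusion.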
Solution 3:
I've stopped brute force attacks with:
- fail2ban
- sshd_config:
    - PasswordAuthentication no
    - PermitRootLogin no
- Limiting SSH connect rates with iptables (http://www.debian-administration.org/articles/187)
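The two sshd_config directives and the iptables rate limit above, as an added example that is not part of the answer or of the linked article. The script checks a config file the way sshd reads it (first non-comment occurrence of a keyword wins, keywords are case-insensitive) and emits the xt_recent rules as text so they can be reviewed before being applied. The "weak" and "hardened" config contents, the SSH_PORT value and the four-hits-per-60-seconds threshold are constructed for the example; the extra ChallengeResponseAuthentication check is there because with UsePAM on, keyboard-interactive prompts can still accept a password when only PasswordAuthentication is turned off.

```shell
#!/bin/sh
# Added example, not from the original answer: verify the sshd_config
# directives from the list and print the iptables connection-rate limit.

# Constructed "before" config: roughly what a stock install ships with.
weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
}

# Constructed "after" config matching the answer (plus the PAM-prompt caveat).
hardened_config() {
    cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# audit_sshd_config FILE: returns 0 only if every required directive is set
# to the required value. sshd honours the FIRST occurrence of a keyword, so a
# hardened line after a permissive one is silently ignored; we read it the
# same way. An unset keyword is reported as a failure because the built-in
# default differs between OpenSSH versions. (On a live host, "sshd -T" prints
# the effective configuration and is the authoritative thing to check.)
audit_sshd_config() {
    cfg=$1; rc=0
    for want in "permitrootlogin no" "passwordauthentication no" \
                "challengeresponseauthentication no"; do
        key=${want% *}; val=${want#* }
        got=$(awk -v k="$key" '!/^[ \t]*#/ && tolower($1) == k { print tolower($2); exit }' "$cfg")
        if [ "$got" = "$val" ]; then
            echo "ok:   $key $val"
        else
            echo "FAIL: $key is '${got:-unset}', want '$val'"; rc=1
        fi
    done
    return $rc
}

# ssh_ratelimit_rules [PORT] [HITS] [SECONDS]: the xt_recent rate limit.
# A new connection first records a hit in the "SSH" list; if that source has
# now reached HITS new connections within SECONDS it is dropped, otherwise
# accepted. Existing sessions are unaffected because only NEW is matched.
ssh_ratelimit_rules() {
    port=${1:-22}; hits=${2:-4}; secs=${3:-60}
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $secs --hitcount $hits -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Stand-alone demo: audit both constructed configs, then print the rules.
w=$(mktemp); h=$(mktemp)
weak_config > "$w"; hardened_config > "$h"
echo "== weak config";     audit_sshd_config "$w" || true
echo "== hardened config"; audit_sshd_config "$h" || true
echo "== rate-limit rules for port ${SSH_PORT:-22}"
ssh_ratelimit_rules "${SSH_PORT:-22}" 4 60
rm -f "$w" "$h"
```

Pipe the rule output into sh only after reading it, and keep the whitelist point from the fail2ban discussion in mind here too: xt_recent has no ignore list, so a source that legitimately opens many SSH sessions in a minute (a deployment host, a monitoring system) needs an explicit ACCEPT rule placed before these.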
Solution 4:
There are a number of good suggestions offered here. I respectfully suggest that three things should make this relatively secure:
- Run the sshd on a random high port. The bots typically only go after port 22 and variations on port 22 like 2222.
- Disable password-based authentication in the sshd config:
    UsePAM no
- Only authenticate with this site via pre-shared SSH key pairs. Run man ssh-keygen to get started with PKI-based authentication.
Hope this helps.
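The key-pair setup the answer points to, as an added example that is not from the answer or from OpenSSH's documentation: generating a client key, installing its public half on the server with the permissions sshd's StrictModes requires, and a client-side ~/.ssh/config entry for a server on a non-default port that should be offered only this one key. The host name, port, user, key path and the sample public key line are constructed values. (Server-side, the directive that turns off password logins is PasswordAuthentication in sshd_config; UsePAM controls PAM integration, and with it on, ChallengeResponseAuthentication also needs to be off to remove password prompts entirely.)

```shell
#!/bin/sh
# Added example, not from the original answer: key-based SSH setup in three
# small functions. All names, ports and the sample key below are constructed.

# 1. Generate a client key pair. ed25519 keys are short and fast to verify;
#    -a 64 raises the KDF rounds protecting the private key file. ssh-keygen
#    prompts for a passphrase; do not pass -N '' unless the key is meant for
#    unattended use.
generate_client_key() {
    keyfile=$1; comment=$2
    ssh-keygen -t ed25519 -a 64 -f "$keyfile" -C "$comment"
}

# 2. Install a public key line for a user on the server. sshd (StrictModes,
#    the default) refuses keys in a group- or world-writable ~/.ssh or
#    authorized_keys, so permissions are set explicitly. Idempotent: the same
#    key line is never appended twice.
install_authorized_key() {
    home=$1; pubkey=$2
    mkdir -p "$home"
    mkdir -p -m 700 "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# 3. Client ~/.ssh/config entry: the non-default port lives here instead of
#    in every command line. IdentitiesOnly stops the client from offering
#    every key in the agent, which otherwise burns through MaxAuthTries on a
#    strict server; PasswordAuthentication no makes a silent key failure
#    visible rather than falling back to a password prompt.
client_config_entry() {
    alias=$1; host=$2; port=$3; keyfile=$4; user=$5
    cat <<EOF
Host $alias
    HostName $host
    Port $port
    User $user
    IdentityFile $keyfile
    IdentitiesOnly yes
    PasswordAuthentication no
EOF
}

# Stand-alone demo (no ssh-keygen needed): install a constructed key into a
# scratch home directory and print the matching client config stanza.
demo=$(mktemp -d)
install_authorized_key "$demo/alice" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfakeexamplekeydata0000000000000000 alice@laptop"
ls -ld "$demo/alice/.ssh" "$demo/alice/.ssh/authorized_keys"
client_config_entry bastion bastion.example.org 48222 "$HOME/.ssh/id_ed25519_bastion" alice
rm -r "$demo"
```

In practice the order is: generate_client_key on the workstation, copy the .pub line to the server and run install_authorized_key there (or use ssh-copy-id while password login is still on), append the client_config_entry output to ~/.ssh/config, confirm "ssh bastion" works with the key, and only then turn password authentication off on the server.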