Hi Nick

I agree, many ways to skin a cat and yes this topic has become fragmented. That 
Chinese bot and my servers cross paths almost every 20 minutes of every day. 
That 116.x.x.x range seems to be very poorly managed indeed. I used to in the 
old days move things to obscure ports but through many years of learning I run 
everything on standard ports. I guess each one will always have his own way of 
looking at security and no one way is ever right either.

KR
Mitchell



From: Nick Howitt <[email protected]>
Date: 09 September 2016 at 9:22:53 AM
To: Mitchell Krog Photography <[email protected]>
Cc: Grant <[email protected]>, [email protected] 
<[email protected]>
Subject:  Re: [Fail2ban-users] Persistent ssh bots  

The thread has become a bit fragmented, but it is also worth remembering  
that f2b is not very effective against a particular type of ssh attack.  
There is at least one Chinese bot and perhaps a Russian one (I've  
stopped monitoring it as I don't open port 22) which come from a whole  
subnet and they round-robin their IPs which limits the number of  
attempts you see from any particular IP. In turn this limits the  
effectiveness of f2b. Really the best thing to do is up your security  
and don't just rely on user/pass authentication. Moving ports also helps  
as these bots just keep to 22 but if your new port is discovered then it  
will give you little more protection than port 22.  

A number of different ideas have been put forward - OpenVPN (or some  
other VPN), port knocking, SSH keys - which all will make a significant  
difference, although SSH keys will not necessarily stop someone  
hammering away at you.  

Nick  

On 2016-09-09 07:49, Mitchell Krog Photography wrote:  
> Saw one reply this morning about changing SSH to a different port. Not  
> sure why people go changing their SSH port from 22 to something else,  
> does not achieve anything, might just make you feel more secure. Go  
> read about security through obscurity. If someone thinks you are  
> hiding something you give them reason to go digging deeper looking for  
> it.  
>  
> All my SSH runs on port 22 across 9 different servers. They are all  
> accessed using non password logins using certificates. They all run  
> Fail2ban and all attackers get perma-banned. One attack of 3 attempts  
> and it goes into recidive forever with the bantime set to -1 and also  
> gets reported to badips.com.  
>  
> In addition I run a daily cron which downloads sets of IPs from  
> BADips.com [2] and generates a hosts.deny file on every server which  
> keeps out 99% and then the other 1% are caught and reported to  
> badips.com [2] which strengthens the badips.com defense system too.  
>  
> You can get that script from here -  
> https://github.com/mitchellkrogza/fail2ban-useful-scripts [3]  
>  
> Be harsh with recidive when it comes to SSH. If anyone but you is  
> trying to connect to your SSH port they are sniffing and up to no  
> good, block them out and be done with them.  
>  
> KR  
> Mitchell  
>  
> From: Nick Howitt <[email protected]>  
> Date: 09 September 2016 at 8:07:41 AM  
> To: Grant <[email protected]>, [email protected]  
> <[email protected]>  
> Subject: Re: [Fail2ban-users] Persistent ssh bots  
>  
>> Shut the WAN SSH port completely then use OpenVPN to get on to your  
>> LAN and access SSH as if you are connected to the LAN.  
>>  
>> On 08/09/2016 22:15, Grant wrote:  
>>  
>>> What do you guys do about ssh bots that are repeatedly banned  
>>> every 10 minutes?  
>>>  
>>> - Grant  
>>>  
>>>  
>>  
> ------------------------------------------------------------------------------
>   
>>> _______________________________________________  
>>> Fail2ban-users mailing list  
>>> [email protected]  
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users [1]  
>  
>  
> Links:  
> ------  
> [1] https://lists.sourceforge.net/lists/listinfo/fail2ban-users  
> [2] http://badips.com  
> [3] https://github.com/mitchellkrogza/fail2ban-useful-scripts  
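
Added example, not part of the original thread and not fail2ban's own code: a subnet-level failure count for the round-robin pattern Nick describes, where each address stays under the per-IP retry limit while the subnet as a whole keeps hammering. The function and parameter names, the /24 grouping, the thresholds and the sample log lines are assumptions of this example; it expects one findtime window of OpenSSH "Failed password" lines.

```python
import ipaddress
import re
from collections import defaultdict

# OpenSSH password-failure line; captures the source IPv4 address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def _line(ip, user="root"):
    # Constructed log line in sshd's format (documentation-range addresses).
    return (f"Sep  9 07:00:00 host sshd[1234]: Failed password for {user} "
            f"from {ip} port 40000 ssh2")

# Constructed sample: one findtime window of auth log.
SAMPLE_LOG = "\n".join(
    [_line(f"198.51.100.{h}") for h in (10, 11, 12, 13)] * 2  # 4 hosts x 2 tries each
    + [_line("203.0.113.7", "invalid user admin")] * 5        # one noisy host
    + [_line("192.0.2.9")]                                    # one stray failure
)

def subnet_offenders(log_text, prefix=24, maxretry=3, subnet_threshold=6, min_hosts=2):
    """Map subnet -> (failures, distinct IPs, IPs still under maxretry)."""
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m.group(1)] += 1
    per_net = defaultdict(dict)
    for ip, count in per_ip.items():
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        except ValueError:  # e.g. an octet above 255 in a mangled line
            continue
        per_net[str(net)][ip] = count
    flagged = {}
    for net, ips in per_net.items():
        total = sum(ips.values())
        if total >= subnet_threshold and len(ips) >= min_hosts:
            unbanned = sum(1 for c in ips.values() if c < maxretry)
            flagged[net] = (total, len(ips), unbanned)
    return flagged

if __name__ == "__main__":
    for net, (total, hosts, unbanned) in subnet_offenders(SAMPLE_LOG).items():
        print(f"{net}: {total} failures from {hosts} IPs, {unbanned} below maxretry")
```

In the sample, the single noisy host would trip a per-IP jail on its own, while the four round-robin hosts are only visible once their failures are summed per subnet.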