How to cut down on ssh attacks
Knute Johnson
groups at knutejohnson.com
Mon Jun 16 14:32:13 UTC 2025
On 6/16/25 08:55, Robert Moskowitz via ubuntu-users wrote:
> I just installed logwatch on my mailserver.
>
> the server has been running for a couple weeks, so it is 'known'. Ran a
> test of logwatch daily and the sshd authentication failures lists
>
> 575 lines, each with multiple attempts!
>
> In one day!
>
> ufw does specify 'limit' port 22:
>
> 22/tcp LIMIT Anywhere
> 22/tcp (v6) LIMIT Anywhere (v6)
>
> anything else I can do to slow this nonsense down?
>
> I tried my regular of moving sshd to another port, but MiaB has ssh so
> embedded in its functionality that I gave up running through all the
> changes in it I need on moving sshd. Don't ask my opinion on this
> dependency, but MiaB is otherwise worth the pain....

I try periodically to figure out some way to stop the attempts but the
internet is probably 90% spam and hackers these days. I gave up on
fail2ban but I still occasionally look at my logs and block some IPs
with the firewall. I think it is a waste of time and just creates
aggravation. I think the best thing you can do is only allow public key
authentication and use a good key, 4096-bit RSA or ED25519 keys. The
chance of anybody but a government getting in that way is very small.

I have a remote mail and web server. I block port 22 to everybody but
my address block from home. I did open some other ports so I can log in
from anywhere, that cut down on some of the attacks.
--
Knute Johnson
groups at knutejohnson.com
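
Added example, not part of the original message: a check that sshd really accepts only public keys, as the reply recommends, run over the effective configuration that `sshd -T` prints. The function names and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Checks `sshd -T` style output for key-only authentication.

# audit_sshd_keyonly: reads "keyword value" lines on stdin, prints findings,
# returns 0 only when public keys are the sole accepted login method.
audit_sshd_keyonly() {
    awk '
        function check(key, want, required) {
            if (!(key in seen)) {
                if (required) { printf "FAIL %s: not reported\n", key; bad = 1 }
                return
            }
            if (seen[key] == want) { printf "ok   %s %s\n", key, want; return }
            printf "FAIL %s is %s, want %s\n", key, seen[key], want
            bad = 1
        }
        # Keep the first value per keyword (sshd itself uses the first one set).
        NF >= 2 { k = tolower($1); if (!(k in seen)) seen[k] = tolower($2) }
        END {
            check("pubkeyauthentication", "yes", 1)
            check("passwordauthentication", "no", 1)
            # Name differs by OpenSSH version; check whichever is reported.
            check("kbdinteractiveauthentication", "no", 0)
            check("challengeresponseauthentication", "no", 0)
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: passwords still accepted.
weak_sample() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
EOF
}

# Constructed sample: key-only login.
hardened_sample() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
EOF
}

# Real use (needs root): sshd -T | audit_sshd_keyonly
weak_sample | audit_sshd_keyonly || true
```

Checking the `sshd -T` output rather than `/etc/ssh/sshd_config` alone also covers settings pulled in through `Include` files.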