
Re: How to push back against repeated login attempts?



On Tue, Mar 2, 2021 at 9:51 AM oregano@disroot.org wrote:

>How to push back against repeated login attempts?

This isn't specific to ARM devices so it is a bit off-topic here, but...

The first thing to do is to ensure password authentication to SSH is
disabled and replaced with key or certificate authentication.

To avoid (some of) the entries in the system logs there are a few
different options:

Just disable or uninstall the SSH daemon.

Ban access to the SSH daemon except from authorised IP addresses.

Switch the SSH daemon to another port than 22, then switch again when
the next botnet finds that, repeat.

Use the CrowdSec alternative to fail2ban, which shares the behavior of
malicious IPs with a community and in return receives a list of
malicious IPs other folks have shared.

https://crowdsec.net/
https://news.ycombinator.com/item?id=24826792

Move the SSH daemon to a Tor onion service so that only those who know
the address can access it and you can still access it if
fail2ban/crowdsec block your own IP address.

Some combination of the above.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
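
Added example, not part of the original message: a check for the first step above (password authentication disabled, keys in use), run against the text of an sshd_config. The function name sshd_auth_report, its output format and both sample configs are constructed for illustration.

```shell
# Reads an sshd_config on stdin, prints the effective global auth settings.
# sshd keeps the FIRST value it reads for a keyword, so order matters.
# Assumptions: Include files are not followed; on a live host use `sshd -T`.
sshd_auth_report() {
  awk '
    BEGIN {  # OpenSSH built-in defaults when a keyword is absent
      val["passwordauthentication"] = "yes"
      val["kbdinteractiveauthentication"] = "yes"
      val["pubkeyauthentication"] = "yes"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      sub(/[ \t]*=[ \t]*/, " ", line)       # accept the "Keyword=value" form
      split(line, f, /[ \t]+/)
      key = tolower(f[1]); v = tolower(f[2])
      # Older name; with PAM, keyboard-interactive can still ask for a password.
      if (key == "challengeresponseauthentication")
        key = "kbdinteractiveauthentication"
      if (key == "match") { inmatch = 1; next }
      if (inmatch) {  # a Match block that re-enables passwords for some users
        if ((key in val) && key != "pubkeyauthentication" && v != "no") matchset = 1
        next
      }
      if ((key in val) && !(key in seen)) { val[key] = v; seen[key] = 1 }
    }
    END {
      print "passwordauthentication=" val["passwordauthentication"]
      print "kbdinteractiveauthentication=" val["kbdinteractiveauthentication"]
      print "pubkeyauthentication=" val["pubkeyauthentication"]
      ok = (val["passwordauthentication"] == "no" &&
            val["kbdinteractiveauthentication"] == "no" &&
            val["pubkeyauthentication"] == "yes" && !matchset)
      print "verdict=" (ok ? "keys-only" : "passwords-possible")
    }'
}
# Constructed sample: the later "no" is ignored because "yes" came first.
SAMPLE_ORDER_BUG='PasswordAuthentication yes
# hardening appended later, never takes effect
PasswordAuthentication no
ChallengeResponseAuthentication no'
# Constructed sample: key-only logins.
SAMPLE_KEYS_ONLY='PubkeyAuthentication yes
PasswordAuthentication=no
KbdInteractiveAuthentication no'

printf '%s\n' "$SAMPLE_ORDER_BUG" | sshd_auth_report
```

A "passwords-possible" verdict means that at least one password-capable method is still enabled globally or inside a Match block.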

