
Re: How to push back against repeated login attempts?



On Tue, 02 Mar 2021 09:33:38 +0000
oregano@disroot.org wrote:

>Considering running a freedom box or similar, I have a RPi running
>Buster outside my home router's DMZ. It was discovered within a short
>time (minutes or hours) of first being set up. It now has fail2ban
>running with defaults. Over about the last month, fail2ban logs show
>about 35,000 "unbans" from about 3700 unique IPs. This equates to many
>more failed login attempts. From auth.log there are many attempts for
>root login, and a wide variety of other username login or connection
>attempts, at a slow, steady pace with an attempt at least every minute
>or two.
>
>I've seen
>https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html
>and https://www.fail2ban.org/wiki/index.php/MANUAL_0_8 but... can
>someone point me towards a TL;DR getting started getting even guide?
>Fail2ban seems oriented towards individual actions like sending emails
>to "abuse" contacts, as if they don't already know... I'm looking for
>things like optimum settings to waste these probers' cycles, how to
>request NSA to call in a drone strike, or how to join in with
>"community action" to discourage these probes (partially in jest).

1. disable password auth and allow high-bit-count keys /only/.
2. put daemon on a non-standard high port.
3. know who /needs/ to connect, allow /only/ their IP addresses, then
either drop, or keep the connection hanging for every other address.

Keeping /their/ connection hanging reduces the speed at which they can
scan, and this will eventually get you off of their lists.
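
An added example, not part of the original message: a small Python check of sshd_config text against points 1 and 2 above, following sshd's rule that the first value seen for a keyword wins (Port may repeat). The sample configs, the port number 49222 and the assumed upstream defaults are constructed for illustration; point 3 (the IP allow-list) is enforced at the firewall and is not visible in sshd_config, so it is not checked here.

```python
import re

# Assumed upstream OpenSSH defaults, applied when a keyword is absent.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "challengeresponseauthentication": ["yes"],
            "pubkeyauthentication": ["yes"]}
# Newer OpenSSH releases use this spelling for the same setting.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_global(text):
    """Parse the global section of sshd_config text into {keyword: [values]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":      # conditional blocks are out of scope here
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "port":       # Port may repeat; every value is used
            conf.setdefault(key, []).append(value)
        else:                   # otherwise sshd keeps the first value seen
            conf.setdefault(key, [value])
    return conf


def audit(text):
    """Return findings for points 1 and 2; an empty list means both hold."""
    conf = {**DEFAULTS, **parse_global(text)}
    findings = []
    for key in ("passwordauthentication", "challengeresponseauthentication"):
        if conf[key][0] != "no":
            findings.append(f"{key} is not 'no': password prompts possible")
    if conf["pubkeyauthentication"][0] != "yes":
        findings.append("pubkeyauthentication is off: no key login left")
    for port in conf["port"]:
        if not port.isdigit() or int(port) < 1024:
            findings.append(f"port {port} is not a high port")
    return findings


# Constructed samples: a stock-like config and a hardened one.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("Port 49222\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n"
            "PasswordAuthentication yes\n")  # ignored: first value wins
```
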

