Comment on How to harden against SSH brute-forcing?
Dima@feddit.uk 1 week ago
For security disable password authentication - use public key instead, disable root login via ssh - use sudo or su from another user.
To reduce the number of attempts of others trying to get in change the ssh port and/or set-up fail2ban.
sugar_in_your_tea@sh.itjust.works 1 week ago
You can also broaden this to a region. You may still want to access SSH from various places around your country (e.g. when visiting family or friends), but likely won’t ever need to from most of the rest of the world, so block everything except IPs from your region (or regions you care about, e.g. any VPSs you have).
7toed@midwest.social 1 week ago
No if you’re doing that, use a VPN through your firewall. Local traffic is a fair exception as this can only ever be a device on your network, but that depends on your threat model (as those local devices could be compromised). Opening to “your regions” IP range opens you to a lot more than LAN access…
sugar_in_your_tea@sh.itjust.works 1 week ago
Sure. I’m just assuming that you’d want to access it from areas in your region, like at a friend or family member’s house. This is especially true if you or one of them has DHCP from their ISP.
If you only ever truly need it at home, then sure, do that. In fact, for something like SSH, you could probably create a Wireguard endpoint that’s accessible almost anywhere and connect to that before logging in via SSH.
My point is to not make it more restrictive than you need, otherwise it’ll just be frustrating and you’ll end up disabling whatever protections you have. You can get a lot of value with a broad ban on troublesome areas (e.g. I don’t visit most of the places OP has in their logs, so those would be banned), and then fine-tune the rest w/ something like fail2ban.