Comment

Comment on How to harden against SSH brute-forcing?

zr0@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago

harden sshd
use fail2ban or even better CrowdStrike
use a tool like the following to have a next-gen security solution: github.com/mrash/fwknop

Sort:hotnew top

om1k@sopuli.xyz ⁨2⁩ ⁨months⁩ ago
did you mean crowdsec instead of crowdstrike?

source
- zr0@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago
  Fml… yes, I meant CrowdSec. Thanks for the hint
  
  source
- whodatdair@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago
  Vietnam stare
  
  source
sugar_in_your_tea@sh.itjust.works ⁨2⁩ ⁨months⁩ ago
harden sshd

More details:

require keys to login

don’t allow login as root

That should be plenty, but you could go a bit further and restrict the types of algorithms allowed (e.g. disallow RSA if you’re worried about quantum attacks). For this, I recommend a subtractive config (e.g. HostbasedAcceptedAlgorithms=-rsa-*). This is way over the top since an attacker is unlikely to attack the cipher directly, but it could be part of an attack.
source
dev_null@lemmy.ml ⁨2⁩ ⁨months⁩ ago
Your answer to “how to harden SSH?” is “harden SSH”?

I know your two other points gave concrete suggestions, but it’s pretty funny you suggested to “harden sshd” when that is what OP is asking how to do.

source
- zr0@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago
  Yeah, I see your point. No use to repeat the same you can read in other comments or in those 274772 guides online. I was trying to imply to just generally harden ssh because then brute-force attempts should be no issue, unless you log everything and the disk space gets maxed out :D
  
  source