Thursday, September 28, 2023
 Popular · Latest · Hot · Upcoming
rated 0 times [  1] [ 0]  / answers: 1 / hits: 3054  / 2 Years ago, thu, january 13, 2022, 1:56:06

I have the current solution, fail2ban and forbid SSH as root in the sshd configs. Its not as effective as I need in certain situations. Most particularly in gateway servers, that have limited memory and disk space (because they are supposed to be lightweight)

Disabling login as root in the sshd configs, still permits the bots to connect, specify login as root, and try 3+ times. Fail2ban then blocks their IPs after 5 failures.

However, the incessant volume of bots then leaves 8 sshd threads in memory at any time, 3GB auth.log of failures (30% of my disk space), huge memory overheads for fail2ban to filter and process them all, and slow response when we attempt to login because there are 50,000+ ip blocks each connection must be filtered through first, and 20-48MB of memory used for loggin and security are on swap because of the system demands to handle the volume of requests.

The preferable solution is: "When an SSH connection attempts to login and user=root" then "sshd disconnect". Any attempt to specify the user root results in dropping the connection.

This would reduce the unnecessary processing to filter all the brute force attacks out. I cannot use keys-only access because it causes the login to by-pass the required 2 factor authentication.

More From » security


personally, I prefer to change ssh listening port, it can avoid this problem.
And it is really easy to do.

[#11320] Friday, January 14, 2022, 2 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.

Total Points: 106
Total Questions: 148
Total Answers: 129

Location: Monaco
Member since Sun, Jan 1, 2023
10 Months ago