On Sun, Aug 10, 2014 at 11:25:36PM +0500, Alexander Merniy wrote:
> Move ssh to a non-standard port + fail2ban - best solution.
No, it is not. The best solution is to enumerate the ranges from which legitimate ssh connections will originate and firewall *everything* else. Yes, this means (gasp! horror!) actually looking at your own logs and understanding what they tell you, but anyone capable of using "grep", "sort", "uniq" et al. should be able to do that.

The second-best solution is to enumerate the ranges from which legitimate ssh connections will never originate and firewall those. The Spamhaus DROP list is a good starting place for everyone. The Okean listings of Chinese and Korean network space are good second stops. And ipdeny.com *was* a good third stop, for which I haven't found an equally-usable replacement just yet.

Both of these are proactive approaches that -- if used properly and well-maintained -- may largely eliminate the need to fiddle around with reactive approaches like fail2ban. They also work with other ports/protocols/services, e.g., IMAPS.

---rsk
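As an added example, not part of rsk's message: a POSIX shell sketch of the log-driven allow list described above, i.e. the grep/sort/uniq pass over sshd "Accepted" lines, collapsed to ranges, then turned into a firewall ruleset that drops everything else to port 22. The log lines, hostnames and addresses are constructed; the collapse to /24 networks and the nftables table and set names are my assumptions, not anything from the original post.

```shell
#!/bin/sh
# Constructed sample of sshd entries as they would appear in /var/log/auth.log.
# Hostname "host" and all addresses are made up (documentation ranges).
SAMPLE_LOG='Aug 10 23:01:12 host sshd[1201]: Accepted publickey for alice from 198.51.100.23 port 51022 ssh2: ED25519 SHA256:AAAA
Aug 10 23:02:40 host sshd[1210]: Failed password for root from 203.0.113.9 port 40212 ssh2
Aug 10 23:03:01 host sshd[1215]: Accepted publickey for bob from 198.51.100.77 port 51100 ssh2: ED25519 SHA256:BBBB
Aug 10 23:04:55 host sshd[1222]: Failed password for invalid user admin from 203.0.113.9 port 40300 ssh2
Aug 10 23:05:10 host sshd[1230]: Accepted publickey for alice from 198.51.100.23 port 51400 ssh2: ED25519 SHA256:AAAA
Aug 11 08:15:22 host sshd[1302]: Accepted password for carol from 192.0.2.200 port 33022 ssh2'

# Step 1: the "grep | sort | uniq" pass. Only successful logins count; failed
# attempts are exactly the noise we want to stop seeing. Output: "<count> <ip>",
# most frequent source first.
accepted_sources() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'sshd\[[0-9]*\]: Accepted ' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Step 2: collapse single hosts to /24 networks so the list tracks the ranges
# legitimate users come from (assumption: /24 is a reasonable granularity here;
# an operator would widen or narrow this after reading the counts).
allowed_ranges() {
    accepted_sources | awk '{print $2}' \
      | awk -F. '{print $1"."$2"."$3".0/24"}' \
      | sort -u
}

# Step 3: emit an nftables ruleset (table/set names are assumptions): accept
# port 22 from the enumerated ranges and drop everything else to that port.
nft_ruleset() {
    printf 'table inet ssh_allow {\n'
    printf '  set legit { type ipv4_addr; flags interval; elements = { '
    allowed_ranges | paste -sd, - | sed 's/,/, /g' | tr -d '\n'
    printf ' } }\n'
    printf '  chain input { type filter hook input priority 0;\n'
    printf '    tcp dport 22 ip saddr @legit accept\n'
    printf '    tcp dport 22 drop\n'
    printf '  }\n}\n'
}
```

Review the counts from `accepted_sources` before trusting the generated list; the ruleset can be syntax-checked without loading it via `nft -c -f <file>`.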