In gmane.linux.gentoo.user, you wrote:
> On Sunday 15 November 2009 08:21:55 Walter Dnes wrote:
>> On Sat, Nov 14, 2009 at 07:07:28PM -0500, Richard Marza wrote
>> 
>> > Thank you for the information, I did find that denyhost and fail2ban in
>> > threads but there were issues with it not working properly. Some users
>> > created custom scripts to get the job done correctly.
>> 
>>   Have you considered not allowing password-based logins at all for ssh?
>> Use RSA keys instead.  It's much easier, and much more secure.
>  
> fail2ban and/or denyhosts is still very useful with key-only auth, even if 
> only to get the spam out of messages and into the iptables logs

I've hardened ssh by doing the following:

 * Only allow certain users to ssh
 * Not allowing passwd login, but only RSA
 * Switching ssh to a non-standard port

This has dramatically reduced the amount of attacks my box gets.  It's
down to about 2 attacks per year, which is good enough for me.  Another
trick I learned about, but haven't implemented is changing the version
string in sshd by patching the source.  Ssh vulnerability attacks
actually check the version string, so if you change it to something
unique, the scripts won't even try to get into your box.
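
A small audit script for the three settings listed above (added here as an illustration, not something from the thread or from the Gentoo project). It reads an sshd_config, reports each check, and prints the number of failing checks; the sample configs it writes are constructed, and it deliberately ignores Match blocks, so point it at the global section only.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
#   Prints the value of the first matching directive (sshd honours the first
#   occurrence of a keyword), skipping comments and blank lines, case-insensitive.
#   Simplification: "Match" blocks and Key=Value syntax are not handled.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# hardening_failures FILE
#   PASS/FAIL line per check on stderr, number of failing checks on stdout.
hardening_failures() {
    cfg=$1; fails=0
    users=$(effective_value "$cfg" AllowUsers)
    if [ -n "$users" ]; then echo "PASS AllowUsers limits ssh to: $users" >&2
    else echo "FAIL no AllowUsers: any account with a shell may try to log in" >&2; fails=$((fails + 1)); fi
    pw=$(effective_value "$cfg" PasswordAuthentication); pw=${pw:-yes}   # sshd default: yes
    if [ "$(echo "$pw" | tr 'A-Z' 'a-z')" = "no" ]; then echo "PASS PasswordAuthentication no (keys only)" >&2
    else echo "FAIL PasswordAuthentication '$pw': password guessing still possible" >&2; fails=$((fails + 1)); fi
    port=$(effective_value "$cfg" Port); port=${port:-22}                 # sshd default: 22
    if [ "$port" != "22" ]; then echo "PASS sshd on non-default port $port" >&2
    else echo "FAIL sshd on port 22: every bulk scanner will find it" >&2; fails=$((fails + 1)); fi
    echo "$fails"
}

# write_sample_config hardened|default -> writes a constructed sshd_config, prints its path
write_sample_config() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat >"$f" <<'EOF'
# constructed sample reflecting the three steps in the post
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
    else
        cat >"$f" <<'EOF'
# constructed sample: stock defaults, everything commented out
#Port 22
#PasswordAuthentication yes
EOF
    fi
    echo "$f"
}

for mode in hardened default; do
    f=$(write_sample_config "$mode")
    echo "$mode config: $(hardening_failures "$f") failing check(s)"
    rm -f "$f"
done
```

On a live host, `sshd -T` prints the effective configuration and can be fed to the same checks instead of the raw file.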
