I agree with Keith. I would find it problematic if I couldn't have password access to the Xen shell from time to time to resolve issues. I also use ipset on my VPS which I find flexible and powerful in keeping unwanted callers out. I'm using port 22 on the VPS but with key access only.

Richard.

On 2 March 2018 13:08:18 CET, Keith Williams <keithwilliamsnp@gmail.com> wrote:
I travel quite a lot and do not always have access to all my keys. Although I do not often have to access the Xen shell, it would be very difficult if both were key only. It makes absolute sense to make port 22 key only, but if 922 were password as well it would be helpful. I use nonstandard ports for access to SSH on my VPS and as soon as I changed it I noticed a big change in my fail2ban logs.
One other thing I have done is to set up ipset. No one should ever attempt to connect to port 22 on my machines, so I have iptables add any that do to an ipset which is then blocked from any port. But that may not be possible for the Bitfolk setup.

On 2 March 2018 at 19:48, Gavin Westwood <bitfolk-lists-2015@gavinwestwood.uk> wrote:
On 02/03/2018 11:11, Andy Smith wrote:
> Hi,
>
> The level of SSH scanning is getting ridiculous.
>
> Here's some stats on the number of Fail2Ban bans across all Xen
> Shell hosts in the last 7 days:
<snip>

Something that you, Andy, and others with a large number of internet
facing servers might be interested in is this article that I just found
about sharing the fail2ban information with your other servers:

https://www.blackhillsinfosec.com/configure-distributed-fail2ban/

I hope that's helpful.

Thanks

Gavin

--
Keith Williams

On the darkest night, the stars are seen most clearly


 
Farang Can Learn Thai www.farangcanlearnthai.com

Keith's Place  www.keiths-place.co.uk
 
Tailor Made English   www.tmenglish.org
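
The port 22 trap Keith describes above (iptables adds any caller to an ipset, which is then blocked on every port), as an added example that is not part of the thread and is not any poster's actual configuration. The set names ssh_trap and ssh_allow, the real SSH port 2222, the 24-hour timeout and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints the ipset/iptables commands for a "nobody should
# ever call port 22" trap. Review the output, then pipe it to sh as root.
# All names and values below are constructed for the example.

# trap_rules TRAP_PORT REAL_SSH_PORT TIMEOUT_SECONDS [ALLOWED_ADDR...]
trap_rules() {
    trap_port=$1; ssh_port=$2; timeout=$3
    shift 3

    # The trap only makes sense if sshd listens somewhere else;
    # otherwise every legitimate login would be banned.
    if [ "$trap_port" = "$ssh_port" ]; then
        echo "trap port must differ from the real SSH port" >&2
        return 1
    fi

    # Trapped sources expire after $timeout seconds.
    echo "ipset -exist create ssh_trap hash:ip timeout $timeout"
    # Addresses that must never be trapped (own admin hosts, monitoring).
    echo "ipset -exist create ssh_allow hash:net"
    for addr in "$@"; do
        echo "ipset -exist add ssh_allow $addr"
    done

    # Rule 1: anything already in the trap set is dropped on every port.
    echo "iptables -I INPUT 1 -m set --match-set ssh_trap src -j DROP"
    # Rule 2: a new connection attempt to the trap port adds the source.
    # A single SYN is enough, so a forged source address can get a third
    # party listed; the allowlist keeps your own addresses out of the set.
    echo "iptables -I INPUT 2 -p tcp --dport $trap_port --syn -m set ! --match-set ssh_allow src -j SET --add-set ssh_trap src"
}

# Sample invocation with constructed values: trap on 22, sshd on 2222.
trap_rules 22 2222 86400 192.0.2.10
```

After applying the rules, `ipset list ssh_trap` shows the currently blocked sources and their remaining timeouts.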