On 02/03/2018 11:11, Andy Smith wrote:
<snip>
> There is already an SSH listening on port 922 that is not subject to
> Fail2Ban. I would rather not have SSH on port 22 at all but in the
> past I have been told this would not be acceptable because some
> people are sometimes on networks where they can't connect to port
> 922. If that would be fine with you then no need to comment but it
> might be interesting to hear from anyone who would still find this a
> problem.
>
> What are the feelings about setting port 22 Xen Shell access to
> require SSH public key auth (while leaving 922 to allow password
> authentication as well)?
My concern is that I may not always have access from a machine with the
SSH key. I wasn't aware of port 922 though, so will try to remember
this if I need it in future. I have experienced networks where trying
to use SSH over any port except 22 (well, any that I'd configured) is
blocked.
> Do those of you who've added SSH keys want an option to *require*
> SSH keys even on port 922?
I'd be happy with this. In case of an emergency where I don't have the
SSH key, I presume that I could turn this off and then log in?
> At the very least the Fail2Ban ban time is going to have to go up
> from 10 minutes to let's say 6 hours.
This could be a problem for users who genuinely mess up a few password
attempts when trying to sort out what is most likely an urgent issue
(else they would be using their server's own SSH). See Roger's/my other
email about alternative ways to catch repeat offenders - you could add
the 6 hour ban for those that continue to make attempts after X SSH
fail2ban bans.
Thanks
Gavin
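For reference, the arrangement discussed in this thread (keys only on port 22, password authentication kept on 922, a short ban for ordinary mistakes and a long ban only for hosts that keep hammering after repeated bans) can be expressed as the two configuration fragments below. This is an added illustration, not the provider's actual configuration; the file paths, ban times and retry counts are assumed values.

```ini
# /etc/ssh/sshd_config  (added example; paths and values are assumptions)
Port 22
Port 922
# Default for every port: public key only, so port 22 is key-only.
PubkeyAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
# Fallback port for people without their key to hand: passwords allowed.
Match LocalPort 922
    PasswordAuthentication yes

# /etc/fail2ban/jail.local  (added example; values are assumptions)
[sshd]
enabled  = true
port     = 22,922
# Keep the short ban so a few typos during an urgent login are not fatal.
bantime  = 10m
findtime = 10m
maxretry = 5

# Escalate only for repeat offenders: fail2ban's built-in recidive jail
# reads fail2ban's own log and bans hosts that have been banned
# maxretry times within findtime, here for 6 hours on all ports.
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 6h
findtime  = 1d
maxretry  = 3
```

`sshd -t` checks the syntax before a restart, and `sshd -T -C lport=922` prints the effective settings for that port so the Match block can be confirmed without locking yourself out.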