If I have fail2ban installed, is there any point in moving SSH to a port other than 22 or using an SSH key pair instead of a password? I mean, how big is the probability that anyone would get past the fail2ban protection + UFW anyway if I have also disabled the root user and have a strong 20+ char password?
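OK, thanks. I just have to find out how to use a password-protected key with the Sublime Text SFTP plugin then… :-) What about port knocking techniques? Like:

    # Record the source address of anything that touches the knock port
    ${IPTABLES} -A INPUT -p tcp --dport 3456 -m recent --set --name portknock
    # Accept new SSH connections only from addresses that knocked in the last 60 seconds
    ${IPTABLES} -A INPUT -p tcp --syn --dport 22 -m recent --rcheck --seconds 60 --name portknock -j ACCEPT
    # Drop every other new SSH connection (DENY is not an iptables target; DROP is)
    ${IPTABLES} -A INPUT -p tcp --syn --dport 22 -j DROP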
“… how big is the probability…”

Big enough to convince most authors of security best practices that the default SSH port should be changed to a non-standard port. Despite having fail2ban installed, you cannot afford to ignore the fact that bugs are an inherent part of software development. What if down the road there’s a bug that disables fail2ban’s protections?

RE: passwords

The consensus seems to be that key-based authentication is more secure.
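
As an added example (not part of the original answer or of any project's code), the settings this thread discusses can be audited in an `sshd_config` with a short Python check. It applies sshd's "first obtained value wins" rule and ignores conditional `Match` blocks; the sample config is constructed, and the defaults assume OpenSSH 7.0 or later.

```python
# Added example: audit sshd_config text for the settings discussed in this thread.
# Assumption: defaults are those documented for OpenSSH 7.0 or later.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text):
    """Global settings as sshd reads them: the first value per keyword wins,
    Port may repeat, and everything after the first Match line is conditional."""
    first, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            first.setdefault(key, value.lower())    # later duplicates are ignored
    settings = {k: first.get(k, default) for k, default in DEFAULTS.items()}
    settings["ports"] = ports or ["22"]
    return settings

def audit(config_text):
    s, findings = effective_settings(config_text), []
    if s["passwordauthentication"] != "no":
        findings.append("password logins enabled; guessing is limited only by fail2ban")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication is disabled")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can authenticate with a password")
    if "22" in s["ports"]:
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed sample: the second PasswordAuthentication line never takes effect.
SAMPLE = """Port 2222
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser only reads the text it is given and does not follow `Include` files.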