SSH Key pairs/password Fail2Ban. What is a relevant security level?

Posted October 11, 2013 4.4k views
If I have fail2ban installed is there any point to move ssh on another port than 22 or use SSH key pair instead of password? I mean, how big is the probability that anyone would pass the fail2ban protection + UFW anyway if I also have disabled the root user and have a 20+ char strong password?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers
"... how big is the probability...."

Big enough to convince most authors of security best practices that the default SSH port should be changed to a non-standard port. Despite having fail2ban installed, you can not afford to ignore the fact that bugs are an inherent part of software development. What if down the road there's a bug that disables fail2ban's protections?

RE: passwords

The consensus seems to be that key-based authentication is more secure.
OK, thanks. I just have to find out how to use password protected key with Sublime text SFTP plugin then... :-) What about port knocking techniques? Like:

${IPTABLES} -A INPUT -p tcp --dport 3456 -m recent --set --name portknock
${IPTABLES} -A INPUT -p tcp --syn --dport 22 -m recent --rcheck \
--seconds 60 --name portknock -j ACCEPT
${IPTABLES} -A INPUT -p tcp --syn --dport 22 -j DENY