====== SSH security ======

===== Limit by user =====

Only allow required users to log in.

Mac: in "''System Preferences/Sharing/Remote Login''", choose users in the "''Allow access for:''" box.

===== Limit by IP address =====

First: deny connections from all hosts in ''/etc/hosts.deny''

  # /etc/hosts.deny
  # deny from all
  sshd: ALL

Second: specify the allowed IPs in ''/etc/hosts.allow''

  # /etc/hosts.allow
  # allow intranet IPs (192.168.1.*)
  # allow IPMB IPs (172.*.*.*)
  # allow Academia Sinica IPs (140.109.*.*)
  sshd: 192.168.1., 172., 140.109.: allow

===== Check log files =====

Mac:

  grep sshd /var/log/system.log

Ubuntu:

  grep sshd /var/log/auth.log

===== Fail2ban =====

Install [[http://www.fail2ban.org/|fail2ban]]

Ubuntu:

  # install
  sudo apt install fail2ban
  # edit the conf file /etc/fail2ban/jail.conf as necessary
  # for example, increase 'bantime' or reduce 'maxretry' to enhance the security level
  # restart the service
  sudo /etc/init.d/fail2ban restart
  # regex test
  sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
  # check status
  sudo /etc/init.d/fail2ban status
  # check client status
  sudo fail2ban-client status
  sudo fail2ban-client status sshd
  # check log
  cat /var/log/fail2ban.log
  # unban
  sudo fail2ban-client set sshd unbanip xxx.xxx.xxx.xxx

If registered at [[http://www.blocklist.de]], edit ''/etc/fail2ban/jail.conf'' to add:

  destemail = fail2ban@blocklist.de
  sendermail = fail2ban@your-server.tld
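
Added example (not part of the original page): the ''grep sshd'' check from the log-file section, extended to count failed password attempts per source IP, the kind of signal fail2ban's ''maxretry'' acts on. The function names and the sample log lines are constructed for illustration and assume Ubuntu's ''auth.log'' line format.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Ubuntu's auth.log format.

# Constructed sample lines (documentation address ranges, made-up PIDs).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  3 10:00:09 host sshd[1207]: Failed password for invalid user x from 192.168.1.10 from 198.51.100.9 port 40100 ssh2
Mar  3 10:01:00 host sshd[1210]: Accepted publickey for alice from 192.168.1.10 port 50000 ssh2
Mar  3 10:01:30 host CRON[1300]: pam_unix(cron:session): session opened for user root
EOF
}

# failed_by_ip [MINIMUM]
# Reads sshd log lines on stdin and prints "COUNT IP" for every source with at
# least MINIMUM failed password attempts (default 1), busiest source first.
# The user name in the log line is supplied by the client, so the address is
# taken by position from the END of the line ("from IP port N ssh2"), not from
# the first "from" (see the fourth sample line).
failed_by_ip() {
    awk -v min="${1:-1}" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" {
            count[$(NF-3)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample: sources with 3 or more failures.
sample_auth_log | failed_by_ip 3

# On a real Ubuntu host (reading auth.log usually needs root):
#   sudo grep sshd /var/log/auth.log | failed_by_ip 5
```

Addresses that show up here with a high count but are missing from ''sudo fail2ban-client status sshd'' are worth checking against the jail's ''maxretry'' and ''bantime'' settings.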