====== SSH security ======
===== Limit by user =====
Only allow the required users to log in.
Mac: in "''System Preferences/Sharing/Remote Login''", choose users in the "''Allow access for:''" box.
===== Limit by IP address =====
First: deny connections from all hosts in ''/etc/hosts.deny''
<code>
# /etc/hosts.deny
# deny from all
sshd: ALL
</code>
Second: specify the allowed IPs in ''/etc/hosts.allow''
<code>
# /etc/hosts.allow
# allow intranet IPs (192.168.1.*)
# allow IPMB IPs (172.*.*.*)
# allow Academia Sinica IPs (140.109.*.*)
sshd: 192.168.1., 172., 140.109.: allow
</code>
===== Check log files =====
Mac:
<code>
grep sshd /var/log/system.log
</code>
Ubuntu:
<code>
grep sshd /var/log/auth.log
</code>
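The grep above returns every sshd line. As an added example (not part of the original page), this script reduces the log to failed password attempts per source address, so the counts can be compared with fail2ban's ''maxretry''. The function names, the sample log lines and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed sshd password logins per source address.

# Constructed sample in Ubuntu auth.log format (documentation IP ranges).
sample_log() {
cat <<'EOF'
Mar 10 08:12:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 08:12:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 08:12:09 host sshd[1236]: Failed password for invalid user x from 192.168.1.20 from 203.0.113.5 port 51240 ssh2
Mar 10 08:13:00 host sshd[1240]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2
Mar 10 08:14:30 host sshd[1251]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 10 08:15:00 host CRON[1300]: pam_unix(cron:session): session opened for user root
EOF
}

# Read log lines on stdin, print "<count> <ip>" sorted by count, highest first.
# The address is taken by position from the end of the line
# ("... from IP port N ssh2"), because the user name is supplied by the
# client and may itself contain " from <some address>" (third sample line).
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print only the addresses with at least $1 failures.
over_threshold() {
    failed_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

sample_log | failed_by_ip
```

On a real Ubuntu host, feed it the log instead of the sample: ''failed_by_ip < /var/log/auth.log''.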
===== Fail2ban =====
Install [[http://www.fail2ban.org/|fail2ban]]
Ubuntu:
<code>
# install
sudo apt install fail2ban

# edit the conf file /etc/fail2ban/jail.conf as necessary
# for example, increase 'bantime' or reduce 'maxretry' to enhance the security level

# restart the service
sudo /etc/init.d/fail2ban restart

# regex test
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

# check status
sudo /etc/init.d/fail2ban status

# check client status
sudo fail2ban-client status
sudo fail2ban-client status sshd

# check log
cat /var/log/fail2ban.log

# unban
sudo fail2ban-client set sshd unbanip xxx.xxx.xxx.xxx
</code>
If registered at [[http://www.blocklist.de]], edit ''/etc/fail2ban/jail.conf'' to add:
<code>
destemail = fail2ban@blocklist.de
sendermail = fail2ban@your-server.tld
</code>