Author: Gavin Westwood
To: users
Subject: Re: [bitfolk] SSH access to Xen Shell will have to be tightened up
On 02/03/2018 11:11, Andy Smith wrote:
> <snip>
>
> There is already an SSH listening on port 922 that is not subject to
> Fail2Ban. I would rather not have SSH on port 22 at all but in the
> past I have been told this would not be acceptable because some
> people are sometimes on networks where they can't connect to port
> 922. If that would be fine with you then no need to comment but it
> might be interesting to hear from anyone who would still find this a
> problem.
>
> What are the feelings about setting port 22 Xen Shell access to
> require SSH public key auth (while leaving 922 to allow password
> authentication as well)?


My concern is that I may not always have access from a machine with the
SSH key.  I wasn't aware of port 922 though, so will try to remember
this if I need it in future.  I have experienced networks where trying
to use SSH over any port except 22 (well, any that I'd configured) is
blocked.

> Do those of you who've added SSH keys want an option to *require*
> SSH keys even on port 922?


I'd be happy with this.  In case of an emergency where I don't have the
SSH key, I presume that I could turn this off and then log in?

> At the very least the Fail2Ban ban time is going to have to go up
> from 10 minutes to let's say 6 hours.


This could be a problem for users who genuinely mess up a few password
attempts when trying to sort out what is most likely an urgent issue
(else they would be using their server's own SSH).  See Roger's/my other
email about alternative ways to catch repeat offenders - you could add
the 6 hour ban for those that continue to make attempts after X SSH
fail2ban bans.

Thanks

Gavin
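As an added illustration of the escalating-ban approach described in the reply above (example configuration, not BitFolk's or the thread's own), a Fail2Ban jail.local fragment: the sshd jail keeps a short ban on the Fail2Ban-protected port, and the stock recidive jail (which reads Fail2Ban's own log) turns repeated sshd bans into the 6 hour ban; the port, retry counts, findtime values and file paths are assumptions.

```ini
# /etc/fail2ban/jail.local (illustrative fragment; values are assumptions,
# not BitFolk's real configuration)

[sshd]
enabled  = true
# Only the port the list describes as Fail2Ban-protected; 922 is left out.
port     = 22
maxretry = 5
findtime = 10m
# Short first ban: a user who fumbles a few passwords during an urgent
# fix is locked out briefly, not for hours.
bantime  = 10m

[recidive]
enabled  = true
# The recidive filter matches "Ban" lines written by Fail2Ban itself.
logpath  = /var/log/fail2ban.log
# Repeat offenders are blocked on every port, not just the sshd jail's.
banaction = %(banaction_allports)s
# An address banned by another jail "X" times (here 3) within a day ...
findtime = 1d
maxretry = 3
# ... gets the longer ban proposed on the list.
bantime  = 6h
```

The per-port key requirement raised in the quoted message is a separate sshd_config change: a `Match LocalPort 22` block containing `PasswordAuthentication no` leaves password logins available only on 922.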