What's so insecure about having a password-authenticated, public-facing ssh port

what's so insecure about having a password-authenticated, public-facing ssh port


Nothing at all. Just have a complex password, or better, whitelist your IPs

chinese bots will spam your server with login requests, change the default port

i block third world IPs and have fail2ban

>he uses password authentication

Just whitelist your ip you dumbfuck

Don't allow root. Always use a username and a password and then su. Also because of obscurity reasons change the port to something above 20000 because most chinese scanners never go over this. I think this is better than having a key which you have to secure anyways too or always watch out that nobody gets your usb stick or something.

>ISP changes your IP
>can't log in anymore

Rent out a static IP

I wanna fug Fujino

This is also fucking stupid. Now you only have one IP and getting banned somewhere means you are fucked. At least with a dynamic IP it changes to get around this. My ISP even changes the first octet after a few disconnects, so banning me will be crazily annoying.

I had one and my ISP randomly changed it after I had the same for 3 years. Caused all kinds of problems with stuff I used IP whitelist for.

Generally all of china can try passwords on your server all day long.
Not that insecure, really, but why take the risk?

Shitty ISP
Clearly this is not for you then. You can choose Complex password and fail2ban to block any bots trying incorrect passwords. You can also blacklist based on regions

I dont, it was just a recommendation for OP the fag

Nothing. Just use Fail2ban and a strong password and you should be good.
If you're gonna go out of your way to whitelist the IPs you're gonna connect from, you may as well just use ssh keys.
This, blacklist IPs from all nonwhite countries.

>He thinks anyone who can reasonably break into his PC can't do a portscan.
Noice

nah, people are just too lazy to do it

Chinese bots keep spamming root, user, admin and maintenance. The password doesn't need to be strong just don't allow root over SSH and don't have admin1 as a user and you'll be fine even without fail2ban

>This, blacklist IPs from all nonwhite countries.
Where do you even get such lists? If you google for this, you get a billion butthurt leftists being upset at you for being an evil wacist against the poor, poor russians and chinese.

As long as fail2ban is on, nothing really
Even better if you change the port to a non-standard or commonly used alternative. I get about 700 failed attempts per month on my 5 servers

The annoying part isn't 1337 haxxors. It's chinese bot spammers looking for easy targets. They don't do a full port scan because they're scanning the entire internet.

People that do this are aware that anyone who can change the port knows they might also have a ratelimit, so they don't bother


IDK if you've heard, but Democrats™ hate Russia now because Putin 1337 toll army is the only reason they lost the election. Anyone calling you a racist for banning foreign IP's is trolling you.

>the only reason
No one said that but with an election this close (70K votes in 3 states) it was surely enough to flip the results, you obvious fucking russkie.

if you want to see the girl in OP get fucked, watch "Hatsu Inu"

>it was surely enough to flip the results
I don't want to instigate any further political debate, but there's one thing that I'd like to say about the matter. So, let's say the Russians did do whatever you people claim. How is this any different than say, some dipshit on Facebook or Youtube, or even a journalist for some major media company, doing the same thing? I mean, people believe what they want to believe, and there's always outside influences involved when people develop opinions. Who's to say Lord of the Rings isn't subtly influencing people's political views? Or the current number 1 hit song? The Russian fear mongering really comes off as the behavior you'd expect from a sore loser.

They should have destroyed this board and kept the text one.

The efficacy of any possible attempts by the Russian government to impact the 2016 election isn't relevant. The point is that literally no one is going to seriously call you a racist for blocking foreign IPs.

>change ssh to nonstandard port
>fail2ban
>block all of China and Russia
There you go, you're unhackable.

only allow pkey authentication and fail2ban or you will be attacked by bots

What's so insecure about hosting a publicly facing HTTP server?

You can whitelist a specific user, too. It makes the bots work harder.

>His political belief system isn't based on Harry Potter
Go home Grampa

if you limit retries and change the default port, not much
like, you still need a good password, but that's it

You know that IP is trivial to spoof right?

booksdescr.org/item/index.php?md5=08FD60C1F0B43AF4B8810899D6CB0024

The purpose of that isn't to deter a determined attacker who is targeting you specifically, it's to filter out bots which constantly target well-known ports across the entire internet. I even had one trying to connect to my OpenVPN server once. Obviously that didn't work since they did not have a valid certificate for my server, but they were still fucking trying. Changed the port to some random shit in the 5 digit range and it has been utterly quiet, no connection attempts at all other than the legitimate ones coming from me.

Nothing. Just use keys. Passwords are for gay nigger faggots.

kek

see links in link related
github.com/trick77/ipset-blacklist/blob/master/ipset-blacklist.conf

found this in like 15 seconds of searching

Requires more work to make it secure (choosing an adequately complex password and not reusing it from anything else.) Keys are a bit more foolproof in some ways. Nothing wrong with using passwords if you do it right though.
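
Added example, not part of any post in the thread: a small audit of an `sshd_config` for the settings the replies keep coming back to (root login, password versus key authentication, user allowlisting, retry limits, port). The function names, finding labels, the `max_tries` threshold and the sample config are all assumptions made for illustration; only the global section is read, so `Match` blocks and `Include` files are not evaluated.

```python
import re

# OpenSSH defaults used when a keyword is absent (OpenSSH 7.0 or later).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "maxauthtries": "6"}

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Port 22022
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 3
AllowUsers deploy
Match Address 203.0.113.0/24
    PasswordAuthentication no
"""

def parse_global(text):
    """Return ({keyword: first value}, [ports]) for lines before any Match block."""
    seen, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break                        # conditional blocks are not evaluated here
        if key == "port":
            ports.append(int(value))     # Port may be listed more than once
        else:
            seen.setdefault(key, value)  # sshd uses the first value it obtains
    return seen, ports or [22]

def audit(text, max_tries=3):            # max_tries threshold is an assumption
    cfg, ports = parse_global(text)
    get = lambda k: cfg.get(k, DEFAULTS.get(k, "")).lower()
    checks = [
        ("root-password-login", get("permitrootlogin") == "yes"),
        ("password-auth-enabled", get("passwordauthentication") == "yes"),
        ("no-user-allowlist", not ({"allowusers", "allowgroups"} & cfg.keys())),
        ("maxauthtries-high", int(get("maxauthtries")) > max_tries),
        ("default-port", 22 in ports),
    ]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The duplicated `PermitRootLogin` line in the sample shows why ordering matters when reviewing a config: the later `yes` has no effect because the first value is the one sshd keeps.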