Increased abuse activity on my server

tech-lists tech-lists at
Wed Mar 7 16:56:21 UTC 2018

On 07/03/2018 07:19, User Hasse wrote:
> Hello All
> I belive I see an increased amount of abuse attempt on my server by several 100%
> in the last couple of months. Anybody else noticed ?

You'll get that especially if you run on the standard port. You need a
layered approach. man 5 sshd_config.

1. put ssh on a non-standard port [but this won't stop some scanners
scanning all ports until they get a ssh response] Make sshd log auth
attempts to a file that gets cleared every week because you don't want
to be DOSed by your log files filling up. Compress your logs daily.

2. if you can, allow only certain users in /etc/ssh/sshd_config via the
AllowUsers statement.

3. if you can, wrap those sshd users to known ips using the same
AllowUsers statement. Syntax is user at for example. I
think, but am not sure, that you can have multiple statements for the
same (and other) users. There's also AllowGroups if you want to group
your ssh users. There's DenyUsers for logins like root you want to
specifically protect.

4. make sshd listen on only one interface [because sshd by default
listens to them all]

5. if you're dual-stack, make sshd either inet or inet6 [by default
it'll listen on both]

6. make ssh access via public key only. I think (though I haven't tried)
to make only certain logins able to log in with a (tunneled) password,
and all others public key only.

7. RSA keys are becoming depreciated. I think ed25519 is the most modern.

This is what I do, anyways. I'm sure you can fine tune this more.


More information about the freebsd-questions mailing list