I posted the latest logwatch report to the list. I believe those pam login failures are sshd connection attempts. Currently we're running SSHD on port 222. That redirection is so well known now that we might as well run it on 22. I would suggest that we choose a more random, arbitrary port and see if that cuts back on the hits.
-- Jonathan
Limit ciphers&macs, then set password authentication to no, and the hits go down a bunch.
On Mon, Feb 2, 2026, 10:12 AM Jonathan Hutchins hutchins@tarcanfel.org wrote:
I posted the latest logwatch report to the list. I believe those pam login failures are sshd connection attempts. Currently we're running SSHD on port 222. That redirection is so well known now that we might as well run it on 22. I would suggest that we choose a more random, arbitrary port and see if that cuts back on the hits.
-- Jonathan _______________________________________________ KCLUG mailing list -- kclug@kclug.org To unsubscribe send an email to kclug-leave@kclug.org https://kclug.org/mailman3/postorius/lists/kclug.kclug.org/
On 02/02/2026 2:18 PM CST John McPherson xeniphon@gmail.com wrote:
Limit ciphers&macs, then set password authentication to no, and the hits go down a bunch
The attempts are already failing, I think we need a firewall rule or iptables, and move the port to 359 or something. -- Jonathan
Does anyone have a valid use to be connected via ssh? Why not just block all ip addresses except the one or so that need it?
On Feb 2, 2026, at 4:34 PM, Jonathan Hutchins hutchins@tarcanfel.org wrote:
On 02/02/2026 2:18 PM CST John McPherson xeniphon@gmail.com wrote:
Limit ciphers&macs, then set password authentication to no, and the hits go down a bunch
The attempts are already failing, I think we need a firewall rule or iptables, and move the port to 359 or something.
Jonathan
I've had good success with fail2ban, tweaked to be much more aggressive than normal.
You could also put a tailscale IP on it and limit SSH to that.
You can also adjust what logwatch reports and ignores.
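The threshold-in-a-window check that fail2ban's `maxretry` and `findtime` settings describe, as an added example that is not part of any message in this thread and is not fail2ban's own code. The log lines are constructed, the addresses come from documentation ranges, and the function name `banned_sources` is hypothetical; it shows how widening the window catches a slow source that a short window misses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog style; addresses are from
# documentation ranges (RFC 5737), not from the list's logwatch report.
SAMPLE_LOG = """\
Feb  2 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Feb  2 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Feb  2 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Feb  2 10:01:00 host sshd[1004]: Failed password for invalid user test from 198.51.100.20 port 51000 ssh2
Feb  2 10:20:00 host sshd[1005]: Failed password for invalid user test from 198.51.100.20 port 51001 ssh2
Feb  2 10:21:00 host sshd[1006]: Accepted publickey for jon from 192.0.2.10 port 52000 ssh2
Feb  2 10:45:00 host sshd[1007]: Failed password for root from 198.51.100.20 port 51002 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def banned_sources(log_text, maxretry, findtime, year=2026):
    """Return the sorted source addresses that reach `maxretry` failures
    inside any sliding window of `findtime` (a timedelta)."""
    recent = defaultdict(deque)   # source -> failure timestamps still in window
    banned = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry:
            banned.add(m.group(2))
    return sorted(banned)

if __name__ == "__main__":
    # Short window: only the rapid-fire source crosses the threshold.
    print(banned_sources(SAMPLE_LOG, 3, timedelta(minutes=10)))
    # Longer window: the slow, spaced-out source is caught as well.
    print(banned_sources(SAMPLE_LOG, 3, timedelta(hours=1)))
```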