Is this a Brute force attack

Have a look at fail2ban. I always set it up to ban IPs after multiple failed ssh login attempts.
 
1. as @Dunuin has suggested you should take a look at setting up fail2ban:
Code: 
apt install fail2ban
systemctl enable fail2ban
systemctl start fail2ban
that should cover the SSH port, you can also set it up for the GUI [0] in case that's exposed as well.

2. as @spirit suggested pve-firewall can be configured to only allow SSH port to be accessed by a whitelist of IP addresses (for example your home/business IP address can access it and nobody else can) [1]
for example:
Code: 
[RULES]
...
IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 # accept ssh for listed IPs

3. if IP whitelisting is not an option for some reason, then it can also help to move the SSH port from the default 22 to something bigger [2] (it would reduce the amount of automated bots finding your exposed SSH port).
for that you'd edit /etc/ssh/sshd_config and /etc/ssh/ssh_config and change the Port directive, followed by restarting the service: systemctl restart ssh

[0]: https://pve.proxmox.com/wiki/Fail2ban
[1]: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_firewall_rules
 
oguz said:
3. if IP whitelisting is not an option for some reason, then it can also help to move the SSH port from the default 22 to something bigger [2] (it would reduce the amount of automated bots finding your exposed SSH port).
for that you'd edit /etc/ssh/sshd_config and /etc/ssh/ssh_config and change the Port directive, followed by restarting the service: systemctl restart ssh
Click to expand...
is it supported when you have a proxmox cluster ?
I think some task like live migration still established tunnel through ssh on hardcoded port 22 ? (or maybe does it have changed recently ?)
 
You must log in or register to reply here.
Top Bottom
Back