| 25 Feb 2025 |
| Federico Damián Schonborn changed their profile picture. | 01:35:55 |
| 26 Feb 2025 |
| tactfulvessel joined the room. | 00:02:22 |
| samw joined the room. | 09:50:42 |
hexa | the ssh connect rate on my oracle box is super high | 20:16:42 |
hexa | like multiple per second | 20:16:45 |
hexa | varying ip addresses, few penalties issued by sshd | 20:17:04 |
hexa | they mostly fail in preauth | 20:17:43 |
hexa | so now I reduced the kexAlgorithms to just sntrup761x25519-sha512@openssh.com and now I get close to 100% kexalgo mismatches | 20:17:59 |
hexa | how does everyone else deal with that? | 20:18:59 |
hexa | the first thought would be fail2ban, maybe crowdsec | 20:20:26 |
hexa | but crowdsec is of course a bit weird 🙂 | 20:20:51 |
hexa | I don't want to trust a random community of people | 20:21:04 |
hexa | another idea would of course be a bastion host | 20:22:11 |
hexa | but that would make accessing the host a bit more tedious, given ssh jumps etc. | 20:22:27 |
dgrig | It's not foolproof, but changing the default port away from 22 helps with a lot of bots | 20:22:28 |
hexa | also a valid choice | 20:24:05 |
hexa | so what happens is that due to too many connection requests ssh also sometimes drops my connect attempts | 20:25:54 |
hexa | mildly annoying 🙂 | 20:26:06 |
hexa | sshd[1969703]: error: beginning MaxStartups throttling | 20:26:57 |
hexa | due to that | 20:26:58 |
dgrig | All the things you mentioned help however. I personally change the ssh port, enable fail2ban and for a lot of hosts don't have ssh enabled over the internet since wireguard works good enough for me. Other people I know enable ssh only over tor hidden services, but I don't trust tor starting fast enough after a restart /shrug | 20:27:01 |
magic_rb | I only allow ssh over wireguard period | 20:28:33 |
dgrig | (waiting for a new circuit after a restart can be a bit annoying if you're trying to ssh right after a restart in my opinion) | 20:28:36 |