Alternate SSH ports are a good plan. Internally we use pubkey ssh mostly, so flubbed passwords are much less common, but we have so many legitimate 'guest' users that password-enabled logins are still needed.
FreeBSD doesn't have 'iptables', that's mostly a Linux thing. It has 'ipfw', which I'm getting pretty good at. :-)
- Brian
On Tue, May 23, 2017 at 07:08:08AM -0400, lleachii--- via 44Net wrote:
After I researched some of the options in the past (all of which required installation of more software), I decided on iptables entries that 'flag' and DROP the IP for 5 minutes after 5 connection attempts.
This also covers scanning of the port if it takes more than 5 tries to determine it's SSH. Configuring SSH or your port forward to connect to the SSH on a non-standard port reduced my scan attempts to 0%. Be careful that you type your password correctly from now on... you only get 5 attempts... lol.
- Lynwood
KB3VWG
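One way to express the rule described above (5 connection attempts, then DROP for 5 minutes) with the iptables `recent` match. This is an added example, not rules posted by either author; the INPUT chain, the list name `SSHGUARD` and the use of the `conntrack` match are assumptions.

```shell
#!/bin/sh
# Added example: print iptables rules that drop a source IP for BLOCK seconds
# once it has made more than MAX new connections to the SSH port in that window.
# Chain (INPUT) and list name (SSHGUARD) are assumptions for illustration.

# Usage: ssh_ratelimit_rules PORT MAX BLOCK  -> one iptables command per line
ssh_ratelimit_rules() {
    port=${1:-22} max=${2:-5} block=${3:-300}
    for n in "$port" "$max" "$block"; do
        case $n in
            ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;;
        esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    # xt_recent keeps 20 timestamps per address by default (ip_pkt_list_tot),
    # and the kernel rejects a hitcount above that limit.
    [ "$max" -ge 1 ] && [ "$max" -le 19 ] || { echo "max must be 1..19" >&2; return 1; }
    [ "$block" -ge 1 ] || { echo "block must be >= 1 second" >&2; return 1; }

    # Only NEW connections are matched, so established sessions are untouched.
    match="-p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSHGUARD"

    # Rule 1: record ("flag") the source address of every new connection.
    echo "iptables -A INPUT $match --set"
    # Rule 2: the current packet was already counted by rule 1, so a hitcount
    # of MAX+1 lets MAX attempts through and drops from the next one on.
    # --update refreshes the timestamp on each dropped attempt, so a client
    # that keeps retrying stays blocked until it is quiet for BLOCK seconds.
    echo "iptables -A INPUT $match --update --seconds $block --hitcount $((max + 1)) -j DROP"
}

# Dry run with the numbers from the post: port 22, 5 attempts, 300 seconds.
ssh_ratelimit_rules 22 5 300
```

The script only prints the commands; review them and place them before the rule that accepts SSH, then run them as root. Using `--rcheck` instead of `--update` would give a fixed window that retries do not extend.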