I use certificate/key-based SSH authentication with sshd running on a non-standard port.
Do I still need to install denyhosts/fail2ban or log-analysis-based detection? Do I get any advantage?
If you have completely disabled password-based login (PasswordAuthentication = no in sshd_config) then brute-force attacks become a lot harder if not impossible - the client would have to supply a large number of keys, none of which are related to an account or to each other.
Nevertheless, you may still want to block IPs that originate large amounts of invalid login traffic - a possible DoS attack vector.
Denyhosts is a "log analysis based detection" solution; it scans the sshd auth log for login attempts. This works for both passwords and public keys.
Fail2ban goes one step further and allows you to update firewall rules with these results; it is better suited to prevent DoS attacks than denyhosts is.
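As an added example (not part of the original answer, and not code from the denyhosts or fail2ban projects), here is the kind of log analysis those tools do, run over a few constructed sshd syslog lines. The patterns are simplified versions of what a fail2ban sshd filter matches, the sliding window mirrors its maxretry/findtime behaviour, and the `sshban` nftables set used by the ban command is an assumption of this example; the addresses and host names are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (invented for this example; the
# host, users and addresses are documentation placeholders, not real data).
SAMPLE_LOG = """\
Mar  1 12:00:01 bastion sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:AAAA
Mar  1 12:00:05 bastion sshd[1202]: Failed publickey for root from 203.0.113.5 port 40001 ssh2: RSA SHA256:BBBB
Mar  1 12:00:06 bastion sshd[1202]: Failed publickey for root from 203.0.113.5 port 40001 ssh2: RSA SHA256:CCCC
Mar  1 12:00:07 bastion sshd[1202]: Connection closed by authenticating user root 203.0.113.5 port 40001 [preauth]
Mar  1 12:00:09 bastion sshd[1203]: Invalid user admin from 203.0.113.5 port 40002
Mar  1 12:00:10 bastion sshd[1203]: Connection closed by invalid user admin 203.0.113.5 port 40002 [preauth]
Mar  1 12:00:12 bastion sshd[1204]: Failed publickey for root from 203.0.113.5 port 40003 ssh2: RSA SHA256:DDDD
Mar  1 12:00:30 bastion sshd[1205]: Failed password for bob from 192.0.2.9 port 51000 ssh2
Mar  1 12:20:00 bastion sshd[1206]: Failed publickey for bob from 192.0.2.9 port 51001 ssh2: RSA SHA256:EEEE
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# Simplified versions of the expressions a fail2ban sshd filter uses. A client
# that offers keys sshd rejects produces the first or the third kind of line.
FAILURE_RES = (
    ("failed-auth",
     re.compile(r"^Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")),
    ("invalid-user",
     re.compile(r"^Invalid user \S+ from (?P<ip>\S+) port \d+")),
    ("preauth-close",
     re.compile(r"^Connection closed by (?:authenticating|invalid) user \S+ (?P<ip>\S+) port \d+ \[preauth\]")),
)


def parse_event(line):
    """Return (timestamp, source_ip, kind) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; strptime defaults to 1900, which is fine
    # because only differences between timestamps matter here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    for kind, pat in FAILURE_RES:
        hit = pat.match(m.group("msg"))
        if hit:
            return ts, hit.group("ip"), kind
    return None


def scan(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window counter: ban an IP once it has produced `maxretry`
    failure events within `findtime` (fail2ban's maxretry/findtime idea).
    Returns {ip: time_of_ban}; events after a ban are ignored."""
    recent = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip, _kind = ev
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop events older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_command(ip, set_name="sshban"):
    """The nftables command a ban action could run. Assumes (for this
    example) a set `set_name` already exists in table inet filter."""
    return f"nft add element inet filter {set_name} {{ {ip} }}"


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {ban_command(ip)}")
```

One caveat when the server is key-only: with sshd's default LogLevel the "Failed publickey for ..." lines are mostly absent (they appear reliably with LogLevel VERBOSE), so a key-only server usually shows a scanner as "Connection closed by authenticating user ... [preauth]" lines, which is why the example counts those as well. In the sample, 203.0.113.5 reaches five events within the ten-minute window at 12:00:10 and is banned; 192.0.2.9 produces two failures twenty minutes apart and is not.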
Do you really need ssh access from anywhere on the Internet? If you can narrow it down to a couple of fixed IP ranges like work or home and limit SSH access only to them, you'll be better off.
I realise that isn't great if you're out and about and need access from a random wireless network on a random IP range. That's what a VPN is for, say OpenVPN with two-factor auth (one of which is a signed client cert) to get to an environment you can access your boxes from using SSH.
A two-factor VPN will give you more security than cert-based SSH and gives you only one place to have to do emergency security updates if, for example, a huge hole in OpenSSL was found. Then you can just update your OpenVPN server rather than a panicky, rushed fix to all your hosts running SSH.
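An added configuration example for the "limit SSH access only to them" step (not the answerer's own config): an sshd_config fragment that disables password logins and refuses every source outside two fixed ranges. Port 2222 and the two ranges (198.51.100.0/24 as "work", 203.0.113.10 as "home") are placeholders for this example.

```sshd_config
# Added example, not from the original answer. The port and the two source
# ranges are placeholders; substitute your own.
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
# Named ChallengeResponseAuthentication on OpenSSH releases before 8.7.
KbdInteractiveAuthentication no
# Log rejected key offers ("Failed publickey ...") rather than only the
# [preauth] disconnect, so log-based detection has something to match.
LogLevel VERBOSE

# user@host patterns: "*" matches any user; the host part may be a CIDR.
# A connection from any other address is refused, valid key or not.
AllowUsers *@198.51.100.0/24 *@203.0.113.10
```

AllowUsers is only evaluated after the key exchange has completed, so an attacker outside the listed ranges still gets to talk to sshd up to the authentication step. Pair it with a host firewall rule that drops traffic to the SSH port from all other sources, so that only the allowed ranges ever reach the daemon.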