[tptacek]

You get that if you believe attackers can't break your passwords, screening SSH with "port knockers" or fail2ban isn't doing anything, right?

The whole thing is kind of moot though. For other reasons, you should just wrap all this stuff up in WireGuard and never think about it again. WireGuard is silent; you can't probe it.

[kazinator]

Banning does something; it reduces traffic.

It also reduces noise in the logs, but you could get that by not logging unsuccessful login attempts.

I don't favor port knocking. I tried it many years ago; it wasn't worth it.

> should just wrap all this stuff up in WireGuard

Suppose I just bought a burner phone in a foreign country. How easily can I set this up from scratch?

SSH with passwords: just install Termux, add ssh package, and go.

[tptacek]

Use a password to encrypt a key or config you save on a cloud drive. `age` is good for this.

[kazinator]

Actually, banning reduces traffic less than you might think. These days most of the attackers assume they are going to be banned. You get a lot of singleton requests from IP addresses that don't show up again, or not any time soon. And if your banning system generates logs of its own, it just increases the log noise.

As a result of this HN discussion, I disabled all SSH logging, and turned off the associated banning system. I disabled the use of PAM by sshd, and set its logging level to FATAL (because the ERROR level stupidly still logs when sshd is not able to find a shadow entry for a user ID).

I'm confident they are not getting in by guessing a password and no longer believe there is a net saving in resources by monitoring and banning.

[fragmede]

how do you get into the cloud drive though?

[tptacek]

Were you getting into it with an SSH password? Then it doesn't matter for this discussion.

The point isn't that passwords are evil, it's that SSH passwords are evil.