On 2024-10-23 05:27, George Hartley via tor-relays wrote:
Any advice on this?
How many concurrent exit connections do you have? And how often do you see bad actors running scanners? It shouldn't be too onerous to rate limit on --dport 22 globally. This is no worse than blocking 22 outright, and any time you don't have a bad actor a relatively low limit on --dport 22 would hardly ever even get noticed. How many ssh connections do your average 100 people open per second? If you constantly, or even often, have a bad actor on, then they will tend to take up your allowed connection count. But if it's only occasional, it might be a good compromise.
I'd also make the rule to reject rather than drop. In my experience a lot of the ssh botnets tend to pout and go away when they get rejections. Drops just keep them coming back.
For everyone else working on the incoming side, knockd is your friend. I found this was so much of a better solution than fail2ban.
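As an added illustration of the approach in the reply above (this is not from the thread and not anything the poster or the Tor project shipped), the script below emits an iptables rule set that counts only new outbound SSH connections (SYN) from the tor process, allows them through a single global token bucket, and REJECTs the excess with a TCP reset instead of DROPping it. The uid name `debian-tor`, the chain name `TOR_SSH_OUT` and the default limit of 10 new connections per minute with a burst of 20 are assumptions to be tuned per relay; the `-m owner` match is there so the operator's own outbound ssh from the box is not counted against the limit.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread: print (or, with --apply, run)
# iptables rules that rate-limit new outbound SSH connections from a Tor exit
# globally and REJECT the excess with a TCP reset rather than DROP it.
# Assumptions: Tor runs as uid "debian-tor" (Debian package default); chain
# name and limit values are placeholders to tune for the relay in question.

TOR_UID="${TOR_UID:-debian-tor}"   # assumption: the uid the tor daemon runs as

# Emit the rule set for a sustained rate and burst, e.g. "10/min" "20".
# Only SYN packets are matched, so established SSH sessions are never touched.
ssh_ratelimit_rules() {
    rate="$1"; burst="$2"
    # A dedicated chain keeps the policy easy to flush and re-apply.
    printf '%s\n' "iptables -N TOR_SSH_OUT 2>/dev/null || iptables -F TOR_SSH_OUT"
    # Only new SSH connections originated by the tor process enter the chain,
    # so the operator's own outbound ssh from the relay host is unaffected.
    printf '%s\n' "iptables -D OUTPUT -p tcp --dport 22 --syn -m owner --uid-owner $TOR_UID -j TOR_SSH_OUT 2>/dev/null"
    printf '%s\n' "iptables -I OUTPUT -p tcp --dport 22 --syn -m owner --uid-owner $TOR_UID -j TOR_SSH_OUT"
    # One global token bucket: up to $burst SYNs at once, refilled at $rate.
    printf '%s\n' "iptables -A TOR_SSH_OUT -p tcp -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    # Over the limit: REJECT with a reset (the thread's advice) rather than DROP,
    # so the scanner sees a closed port immediately instead of a timeout.
    printf '%s\n' "iptables -A TOR_SSH_OUT -p tcp -j REJECT --reject-with tcp-reset"
}

# The weaker variant for contrast: identical limit, but excess is silently DROPped.
ssh_ratelimit_rules_drop() {
    ssh_ratelimit_rules "$1" "$2" | sed 's/-j REJECT --reject-with tcp-reset/-j DROP/'
}

# Self-check helper: how many emitted rules use the REJECT target.
count_reject() {
    ssh_ratelimit_rules "$1" "$2" | grep -c -- '-j REJECT'
}

# Usage: sh tor-ssh-ratelimit.sh 10/min 20          # print the rules
#        sh tor-ssh-ratelimit.sh 10/min 20 --apply  # run them (needs root)
main() {
    rate="${1:-10/min}"; burst="${2:-20}"
    if [ "${3:-}" = "--apply" ]; then
        ssh_ratelimit_rules "$rate" "$burst" | sh -e
    else
        ssh_ratelimit_rules "$rate" "$burst"
    fi
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because `-m limit` is a single global bucket, one scanner in a circuit exhausts it for every other client on the exit for that minute; that is the trade-off the reply describes. `--reject-with tcp-reset` requires `-p tcp` on the same rule, which is why both chain rules carry it even though only TCP ever reaches the chain.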