gone through the standard hardening steps (disable root/password login, listen on some other port, firewall configuration etc.) but I am wondering if there is more I can do.
One idea I have is to make all the production servers part of the work VPN and have sshd listen only on the work VPN interface. The work VPN is implemented using WireGuard, so extending it to production servers and keeping everything updated will be a bit of a pain, so I don't know if this is a good idea.
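Added example (not from the original thread): a small audit script for the sshd_config settings the question lists, including the "listen only on the VPN interface" idea. It parses the global section of a config the way sshd does (first occurrence of a keyword wins, `ListenAddress` is multi-valued, everything after a `Match` line is conditional), checks that every `ListenAddress` falls inside an assumed WireGuard subnet (10.100.0.0/24 here), and also flags `Match` blocks that quietly re-enable password auth, which is an easy mistake to miss when hardening. The config texts and addresses are constructed for the example.

```python
"""Audit sshd_config hardening: root login, password auth, VPN-only listening."""
import ipaddress

VPN_NET = ipaddress.ip_network("10.100.0.0/24")  # assumed WireGuard subnet

# Constructed sample 1: a default-ish config before hardening.
WEAK_CONFIG = """\
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample 2: hardened and bound only to the WireGuard address.
VPN_ONLY_CONFIG = """\
Port 2222
ListenAddress 10.100.0.5:2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

# Constructed sample 3: looks hardened, but a Match block re-enables passwords.
MATCH_CONFIG = VPN_ONLY_CONFIG + """\
Match User deploy
    PasswordAuthentication yes
"""


def parse(text):
    """Split a sshd_config into global settings and Match-block overrides.

    Global: first occurrence of a keyword wins (sshd semantics); keywords are
    case-insensitive; ListenAddress may repeat. Lines starting with '#' are
    comments (inline comments are assumed unsupported, as in older sshd).
    """
    glob, overrides, listen, in_match = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = val                      # everything below is conditional
        elif in_match is not None:
            overrides.append((in_match, key, val.lower()))
        elif key == "listenaddress":
            listen.append(val)
        elif key not in glob:
            glob[key] = val.lower()
    glob["listenaddress"] = listen
    return glob, overrides


def _listen_host(spec):
    """Extract the host part of a ListenAddress value ([v6]:port, v4:port, host port)."""
    spec = spec.split()[0]                      # drop "port N" / rdomain= suffixes
    if spec.startswith("["):
        return spec[1:spec.index("]")]
    if spec.count(":") == 1:                    # IPv4 "host:port"
        return spec.split(":")[0]
    return spec                                 # bare IPv4 or bare IPv6


def listen_only_on_vpn(addrs, vpn_net):
    """True only if every ListenAddress is a literal address inside vpn_net."""
    if not addrs:
        return False                            # absent ListenAddress = all interfaces
    for spec in addrs:
        try:
            if ipaddress.ip_address(_listen_host(spec)) not in vpn_net:
                return False                    # 0.0.0.0, ::, or a non-VPN address
        except ValueError:
            return False                        # hostname: can't prove it's VPN-only
    return True


def audit(text, vpn_net=VPN_NET):
    """Return a list of finding codes; empty means the config passes."""
    glob, overrides = parse(text)
    findings = []
    # Fallback values are OpenSSH's documented defaults when a keyword is absent.
    if glob.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("root-login")
    if glob.get("passwordauthentication", "yes") != "no":
        findings.append("password-auth")
    if glob.get("kbdinteractiveauthentication", "yes") != "no":
        findings.append("kbd-interactive")
    if not listen_only_on_vpn(glob["listenaddress"], vpn_net):
        findings.append("listen-all")
    for criteria, key, val in overrides:
        if key in ("passwordauthentication", "permitrootlogin") and val != "no":
            findings.append(f"match-override:{key}:{criteria}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("vpn-only", VPN_ONLY_CONFIG),
                      ("match", MATCH_CONFIG)]:
        print(f"{name:9s} -> {audit(cfg) or 'OK'}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; remember that binding to a WireGuard address only helps if the firewall also drops the port on the public interface, and that sshd needs the wg interface up before it starts or the bind fails.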
This is already some good standard to be honest. You could provide the server with a fake SSH access on port 22, so people/bots that attempt would not care to explore further ports. And luckily nmap only reports common port functions. If you run ssh on e.g. port 80, nmap will report it as "web/HTTP" stuff.
For the legacy systems we use a bastion server that's only accessible via VPN.
There is also https://en.wikipedia.org/wiki/Port_knocking, so you can hide the ssh port (even on a non-standard port).
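Added example (not from the thread or from any knockd implementation): the core of a port-knocking daemon as a state machine, so the mechanism the link describes is concrete. It consumes (timestamp, source, destination port) events, the kind a firewall log or packet capture provides, tracks per-source progress through the secret sequence, resets on any out-of-order port, enforces a time window for the whole sequence, and opens the SSH port for that source for a limited time. The sequence, window and addresses are constructed values for the example; wiring `is_open()` to an actual firewall rule is left out.

```python
"""Port-knocking state machine: open SSH for a source only after the right sequence."""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed secret sequence
KNOCK_WINDOW = 5.0                   # seconds allowed to complete the sequence
OPEN_FOR = 30.0                      # seconds the SSH port stays open afterwards


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._progress = {}    # src -> (index of next expected knock, time of first knock)
        self._open_until = {}  # src -> expiry timestamp
        self.log = []          # human-readable audit trail

    def observe(self, ts, src, dport):
        """Feed one inbound connection attempt. Returns True if it completed the sequence."""
        idx, started = self._progress.get(src, (0, ts))
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts              # too slow: the sequence starts over
        if dport != self.sequence[idx]:
            # Any other port resets progress, so a linear sweep of ports never
            # completes the sequence: it hits 7000, then 7001, not 8000.
            self._progress.pop(src, None)
            return False
        if idx == 0:
            started = ts                      # clock starts at the first correct knock
        idx += 1
        if idx < len(self.sequence):
            self._progress[src] = (idx, started)
            return False
        # Full sequence seen in time: open for this source only, for a limited period.
        self._progress.pop(src, None)
        self._open_until[src] = ts + self.open_for
        self.log.append(f"{ts:.1f} open ssh for {src} until {ts + self.open_for:.1f}")
        return True

    def is_open(self, ts, src):
        """Whether SSH should currently accept connections from src."""
        expiry = self._open_until.get(src)
        if expiry is None:
            return False
        if ts > expiry:
            del self._open_until[src]         # expired: close again
            self.log.append(f"{ts:.1f} close ssh for {src}")
            return False
        return True


if __name__ == "__main__":
    d = KnockDaemon()
    for ts, port in [(0.0, 7000), (1.0, 8000), (2.0, 9000)]:
        d.observe(ts, "203.0.113.7", port)   # constructed client address
    print(d.log)
    print("open at t=10:", d.is_open(10.0, "203.0.113.7"))
    print("open at t=40:", d.is_open(40.0, "203.0.113.7"))
```

The knock sequence is a shared secret sent in the clear, so treat it as obscurity layered on top of key-only auth, not as a replacement for it; the per-source timer and the short open window are what keep a mistyped or observed sequence from leaving the port open for everyone.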