Update: Since I don’t have a static IP at home I was a little hesitant to limit ssh to a specific IP, but I had an epiphany that I’m sad to admit took me so long. I logged in and changed the VPS firewall to allow ssh from my home IP only. Since I can log in to that console from anywhere I can update my SSH allow IP to my home IP as needed, and I left the ssh rule as rate-limited allow-all in the server. This is effective, but it does not address my concern on how these attacks are even happening, and to further my knowledge I would like to know if anyone can help.
So, I have set up public keys, disabled password authentication in sshd_config/ssh_config, disabled weak and insecure algorithms like nistp, disabled root login and set my “AllowUsers” list. Somehow fail2ban is still logging hundreds of access attempts that are bumping my CPU usage. How are attackers able to seemingly bypass public key requirements to even attempt passwords? PAM maybe? If that’s it, how can I secure it without breaking mail? I believe Mailinabox needs PAM, but maybe I’m wrong. Maybe I should enable 2FA in PAM? I didn’t think it was necessary since I strictly use public keys anyway, but maybe I was wrong. I thought these attacks were on the login page at first, but they’re almost all ssh attempts. I have attempted to ssh with passwords and it rejects me, so I even tried telnet and had no luck. I may not be the world’s greatest Linux admin, but this is not my first rodeo and I have never had an issue blocking password logins before. I’m sure I’m just missing something, but I’m afraid to do any more and break my server before I ask the experts.
Most of these below are root and blocked by the “AllowUsers” list, but 12 hours ago it was a bunch of “ftpadmin, alexie, abcdefg, trevor” etc., but it still shows my point. How are they able to even attempt password ssh?
Dec 11 13:22:00 box sshd: User root from 184.108.40.206 not allowed because not listed in AllowUsers
Dec 11 13:22:00 box sshd: Received disconnect from 220.127.116.11 port 36124:11: Bye Bye [preauth]
Dec 11 13:22:00 box sshd: Disconnected from invalid user root 18.104.22.168 port 36124 [preauth]
Dec 11 13:22:01 box sshd: Invalid user bcr from 22.214.171.124 port 36398
Dec 11 13:22:02 box sshd: Received disconnect from 126.96.36.199 port 36398:11: Bye Bye [preauth]
Dec 11 13:22:02 box sshd: Disconnected from invalid user bcr 188.8.131.52 port 36398 [preauth]
Dec 11 13:22:22 box sshd: User root from 184.108.40.206 not allowed because not listed in AllowUsers
Dec 11 13:22:22 box sshd: Received disconnect from 220.127.116.11 port 36498:11: Bye Bye [preauth]
Any help is appreciated; this has been driving me nuts for a couple of days and everything I tried seems to do absolutely nothing to help.
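The log lines quoted above answer the question once they are sorted by the stage at which sshd wrote them: "not allowed because not listed in AllowUsers", "Invalid user" and the "[preauth]" disconnects are all emitted when the client has only sent a username, before sshd evaluates any authentication method. A password is only actually checked when a "Failed password for" line appears, and a key only when "Accepted publickey for" appears. The following parser, added here as an example and not code from the poster or from Mail-in-a-Box, classifies each sshd line by that stage and counts attempts per source IP. The sample input is the eight lines quoted in the post; the "Failed password" and "Accepted publickey" patterns are the standard sshd message formats, and the IP 192.0.2.10 used in the test is a constructed TEST-NET address.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed input: the sshd lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
Dec 11 13:22:00 box sshd: User root from 184.108.40.206 not allowed because not listed in AllowUsers
Dec 11 13:22:00 box sshd: Received disconnect from 220.127.116.11 port 36124:11: Bye Bye [preauth]
Dec 11 13:22:00 box sshd: Disconnected from invalid user root 18.104.22.168 port 36124 [preauth]
Dec 11 13:22:01 box sshd: Invalid user bcr from 22.214.171.124 port 36398
Dec 11 13:22:02 box sshd: Received disconnect from 126.96.36.199 port 36398:11: Bye Bye [preauth]
Dec 11 13:22:02 box sshd: Disconnected from invalid user bcr 188.8.131.52 port 36398 [preauth]
Dec 11 13:22:22 box sshd: User root from 184.108.40.206 not allowed because not listed in AllowUsers
Dec 11 13:22:22 box sshd: Received disconnect from 220.127.116.11 port 36498:11: Bye Bye [preauth]
"""

# Each pattern is named after the stage the connection reached when sshd wrote the line.
PATTERNS = [
    ("allowusers_denied", re.compile(r"User (?P<user>\S+) from (?P<ip>\S+) not allowed because not listed in AllowUsers")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("disconnect_invalid", re.compile(r"Disconnected from invalid user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")),
    ("client_disconnect", re.compile(r"Received disconnect from (?P<ip>\S+) port (?P<port>\d+)")),
    # The next two are only written once sshd has actually evaluated a credential.
    ("password_failed", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("pubkey_accepted", re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+)")),
]

# Kinds logged before any password or key was checked versus after one was checked.
PRE_CREDENTIAL = {"allowusers_denied", "invalid_user", "disconnect_invalid", "client_disconnect"}
CREDENTIAL_CHECKED = {"password_failed", "pubkey_accepted"}


@dataclass
class Event:
    kind: str
    ip: str
    user: Optional[str]
    port: Optional[int]
    preauth: bool  # sshd tagged the line "[preauth]"


def classify(line: str) -> Optional[Event]:
    """Map one sshd log line to an Event, or None if the parser does not know the message."""
    for kind, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            g = m.groupdict()
            return Event(
                kind=kind,
                ip=g["ip"],
                user=g.get("user"),
                port=int(g["port"]) if g.get("port") else None,
                preauth="[preauth]" in line,
            )
    return None


def summarize(lines):
    """Count events by kind and by source IP, and report how many reached a credential check."""
    events = [e for e in map(classify, lines) if e is not None]
    return {
        "events": len(events),
        "by_kind": dict(Counter(e.kind for e in events)),
        "by_ip": dict(Counter(e.ip for e in events)),
        "pre_credential": sum(1 for e in events if e.kind in PRE_CREDENTIAL),
        "credential_checked": sum(1 for e in events if e.kind in CREDENTIAL_CHECKED),
        "preauth_tagged": sum(1 for e in events if e.preauth),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
    if summary["credential_checked"] == 0:
        print("No line shows a password or key being evaluated: every attempt was refused "
              "before authentication started.")
```

Run against the post's own lines, `credential_checked` is 0 and `pre_credential` is 8: nothing in the log shows a password being tried against the server, only clients connecting, naming a user, and being dropped. That is also why the CPU cost persists after disabling password authentication (sshd still has to complete the key exchange and read the username before it can refuse), and why restricting port 22 at the VPS firewall, as the update describes, is the change that actually removes the load.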