# dropbear as safety-net ssh on different port, what USE vars?

## jeffk

I am seeing some indications of ssh brute-force attacks on my remote servers:

```
ssh_exchange_identification: Connection closed by remote host
```

I haven't enabled fail2ban yet for concern of being locked out if something doesn't work right.

I am passingly familiar with dropbear from using OpenWRT, and that seems like a good option to run as a secondary ssh on a different port, in case anything ever happens to openssh sshd.

Availability and security are prime concerns. I was considering USE=static, so that broken dependencies would not.

The following are the default USE vars for dropbear on my ~amd64; can any dropbear aficionados comment on what options work best for this use case?

```
# emerge dropbear -pv

[ebuild  N    ] net-misc/dropbear-0.52-r1  USE="pam syslog zlib -bsdpty -minimal -multicall -savedconfig -static"
```

Thanks.

----------

## gerdesj

I take it that you want a practically guaranteed way to get back in despite an update that takes out ssh. Also you want it to be a bit secure.  

Some ideas:

Move your SSH to another port.  That will drop most of the rubbish - it takes time to scan a system completely and these buggers don't have time.

Use Fail2Ban - it's pretty good but also pretty useless against the distributed scanners - i.e. pretty much all of the ones in the wild.  I've seen over 10 million machines used to do the scanning.  Also smtp ...

Listen on two ports - 22 is a dummy and always fails, perhaps with a huge delay.  The other one is the real one.

Use keys or kerberos and not just passwords.

Use dropbear and ssh on a different port with some of the above options.

Use OpenVPN and don't let ssh listen on the outside at all.

Use OVPN + SSH on an outside port as well but not 22.

Etc etc etc

Cheers

Jon

PS - the last one is my choice.  However I also have Puppet running on all my Gentoo boxes (30+) and once I did have a bit of a snag with ssh getting broken.  I had to deploy xinetd.telnet to get back in!  It has only happened the once in 7 years though (so far).
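Pulling together the safety-net idea from the question and Jon's "dropbear on a different port, keys not passwords" suggestions, here is an added example (not from either post) that shows the dropbear options for a key-only listener on a second port and a small check you can run from cron to confirm both daemons are still listening. Assumptions: Gentoo's /etc/conf.d/dropbear reads a DROPBEAR_OPTS variable, port 2222 is an arbitrary choice, and the sample listener table is constructed in the shape of `ss -ltn` output rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows dropbear started as a
# key-only safety-net on a second port, plus a cron-friendly check that
# both openssh and dropbear are listening.
# Dropbear flags used: -p port, -s (no password logins), -w (no root
# logins), -j/-k (no local/remote port forwarding). Port 2222 is an
# assumed example value.

# What /etc/conf.d/dropbear would contain (assumed Gentoo variable name;
# shown as a string here so the script runs anywhere without writing files).
DROPBEAR_OPTS_EXAMPLE='-p 2222 -s -w -j -k'

# Return 0 if the `ss -ltn` style table in $2 has a TCP listener on port $1.
# The table is passed in so it can come from a live `ss -ltn` or a sample.
has_listener() {
    port="$1"
    table="$2"
    printf '%s\n' "$table" | awk -v p="$port" '
        NR > 1 {
            # Column 4 is Local Address:Port; IPv6 addresses contain many
            # colons, so take the last field after splitting on ":".
            n = split($4, a, ":")
            if (a[n] == p) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Check both daemons. Prints a warning per missing listener and returns
# 0 when both are up, 1 when only one is up, 2 when neither is.
safety_net_status() {
    table="$1"
    sshd_port="${2:-22}"
    dropbear_port="${3:-2222}"
    up=0
    if has_listener "$sshd_port" "$table"; then up=$((up + 1))
    else echo "WARN: no listener on $sshd_port (openssh)"; fi
    if has_listener "$dropbear_port" "$table"; then up=$((up + 1))
    else echo "WARN: no listener on $dropbear_port (dropbear)"; fi
    case $up in 2) return 0 ;; 1) return 1 ;; *) return 2 ;; esac
}

# Constructed sample in the shape of `ss -ltn` output (not from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      20     [::]:2222          [::]:*'

# Live use from cron (assumed wiring):
#   safety_net_status "$(ss -ltn)" 22 2222 || logger -t sshnet "ssh safety net degraded"
```

Running the check from cron with `logger` only flags the degraded state; the point is to notice that the fallback listener has died before the primary one does.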

----------

