Using (private/public) keys to restrict access is definitely the best way to secure access to a server via SSH.
However it can be abit of pain if multiple people need access and they aren’t that tech savvy.
Another way to secure SSH but not have to worry about keys is by limiting the login attempts and banning a user’s IP address, if they make too many tries in x time period ( i.e. if they try a brute force password attack on you).
One tool for doing this is fail2ban .
Here’s the process:
# if epel not installed ( run below to install it ) sudo yum install epel-release sudo yum install fail2ban sudo systemctl enable fail2ban sudo vi /etc/fail2ban/jail.local #Paste in this to above file: [DEFAULT] # Ban hosts for one hour: bantime = 3600 [sshd] enabled = true # restart it sudo systemctl restart fail2ban # check it sudo fail2ban-client status # Test I get banned ! on web server ( try login multiple times 5 fails to BAN) # check this log , to check if I banned vi /var/log/fail2ban.log
To check fail2ban is working and banning IPs
A handy way for checking if your banned is try to login via SSH until your banned ( will say ‘connection refused’ ).
Then check what your IP (of machine your sat at ), probably as easy as any is use something like whatsmyiup’s site
Get another IP ( if you have a phone and hotspot function connect to that and it will give you a new IP ).
Login to ssh ( as you phone IP won’t be banned ), and look in this file for your old banned IP /var/log/fail2ban.log
References
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-7
https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/