Linode Forum
PostPosted: Sun May 29, 2011 6:52 am 
Senior Newbie

Joined: Sat May 28, 2011 4:37 am
Posts: 12
obs wrote:
... of course if you don't have a static IP you're screwed.


Exactly. My IP changes way too often to rely on that.


PostPosted: Sun May 29, 2011 7:19 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Another option then is to enable iptables rate limiting on your ssh port; it will at least prevent log flooding.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Sun May 29, 2011 9:49 am 
Senior Member

Joined: Wed Mar 03, 2010 2:04 pm
Posts: 111
Stan 2.0 wrote:
haus wrote:
Well, to be fair, if you took my advice and changed the port that number would be zero.


I've changed my SSH port number to 1402 and still have 10-20 break-in attempts per hour. No idea how they found out which port it is.

These break-in attempts are pretty useless because I only use public-key authentication. Still annoying, though.


Raise it above 10000 and use CSF to stop portscans. You need to choose a port that isn't already commonly used by some service, or it will already be on the bot lists. They didn't find your port; it was dumb luck.


PostPosted: Sun May 29, 2011 6:31 pm 
Senior Member

Joined: Tue Aug 12, 2008 8:41 am
Posts: 56
In my setup, I have SSH listening on 22 and another port >10000. The >10000 port is publicly accessible and 22 is restricted to my ISP's subnets since I have a dynamic IP. Listening on 22 gives me the convenience of not always having to specify the port, and >10000 allows me to log in if I'm not at home.

This is enough to get 0 break-in attempts on SSH in the 1+ year I've had this setup. Of course, I also have all the typical measures, no root logins, public key authentication only, etc.
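The two-port layout described in this post, combined with the iptables rate limiting obs suggested earlier in the thread, as an added example that is not code from any of the posters. It prints the rules rather than applying them so they can be reviewed first; the port numbers and subnets are constructed placeholders, and it assumes an existing rule already accepts ESTABLISHED,RELATED traffic.

```shell
#!/bin/sh
# Added example (not from the thread). Generates iptables rules for:
#   - port 22 reachable only from the listed ISP subnets
#   - a public high port, rate limited so one source cannot flood the log
# Usage: gen_ssh_rules <restricted_port> <public_port> <subnet> [subnet...]
# Review the output, then apply with:  gen_ssh_rules 22 12345 198.51.100.0/24 | sudo sh
gen_ssh_rules() {
    restricted=$1; public=$2; shift 2
    # Restricted port: only new connections from the given subnets are accepted.
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $restricted -s $net -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $restricted -m conntrack --ctstate NEW -j DROP"
    # Public port: record every new connection per source, then drop a source
    # that has opened 4 or more in the last 60 seconds (3 attempts/minute pass).
    # Established sessions are unaffected because only NEW packets are counted.
    echo "iptables -A INPUT -p tcp --dport $public -m conntrack --ctstate NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -p tcp --dport $public -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"
    echo "iptables -A INPUT -p tcp --dport $public -m conntrack --ctstate NEW -j ACCEPT"
}

# sshd_config fragment: listen on both ports with the "typical measures"
# mentioned in the post (no root login, public-key authentication only).
# Usage: gen_sshd_config <restricted_port> <public_port>
gen_sshd_config() {
    printf 'Port %s\nPort %s\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' "$1" "$2"
}
```

Keep a LISH (out-of-band console) path available before applying the port-22 DROP rule, since a changed home address will lock that port out until the subnet list is updated.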


PostPosted: Mon May 30, 2011 5:47 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Locking it down to your ISP's subnet is a good idea; I never thought of that :o *has a static IP*



PostPosted: Mon May 30, 2011 2:22 pm 
Senior Member

Joined: Wed Mar 03, 2010 2:04 pm
Posts: 111
I've always wanted to do that, but every couple of years Comcast does something crazy and I get a new IP address with a completely different IP, in a block I never knew they had. So if you can do it, great, but be careful to have a backup plan in case you get locked out.


PostPosted: Mon May 30, 2011 2:33 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
haus wrote:
I've always wanted to do that, but every couple of years Comcast does something crazy and I get a new IP address with a completely different IP, in a block I never knew they had. So if you can do it, great, but be careful to have a backup plan in case you get locked out.


Use LISH if you ever get locked out; if it only happens every couple of years you could get away with it.



PostPosted: Mon May 30, 2011 4:12 pm 
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
obs wrote:
Use LISH if you ever get locked out; if it only happens every couple of years you could get away with it.

Annoyingly, my local cable provider recently changed my home address during a maintenance window, after it having essentially been static for, I think, almost 10 years. I always knew it could theoretically happen, but it had been so long I had certainly taken it for granted.

My Linodes generally have very limited general access, but complete access for my home address which was an easy configuration to block all the various random attempts while not getting in my way. Of course I had the benefit of having such a static-like address.

Anyway, LISH is exactly how I handled it. A quick LISH connection to each node, adjust to the new address, and keep going.

-- David

