Pinned Comments
lsevcik commented on 2021-06-17 20:38 (UTC) (edited on 2021-06-18 00:19 (UTC) by lsevcik)
Warning
Use of systemd socket activation may result in a Denial of Service attack! See FS#62248. It is advised not to use socket activation on an internet-facing connection for this reason. Below are a few ways to (potentially) subvert this issue:
Security through obscurity:
Using systemd unit overriding, change the port that systemd listens on:
# systemctl edit sshd.socket
The contents of the file you edit should look something like:
[Socket]
ListenStream=
ListenStream=2222
Fail2ban:
It is possible to use fail2ban to ban a single IP from causing a denial of service to the server by having it fail after a few connection attempts. Note that this will not stop a Distributed Denial of Service from taking place.
Firewall:
If you know the addresses of the machines that will be connecting to this server, using software such as ufw, firewalld, or iptables to whitelist those IPs can avoid a potential (Distributed) Denial of Service.
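The port override and the firewall allowlist from the comment above, as an added shell example that is not part of the pinned comment or the package: it generates the sshd.socket drop-in (with the mandatory blank ListenStream= reset) into a caller-supplied unit directory, and prints the ufw commands for an allowlist so they can be reviewed before being run. The unit directory, port and source addresses are assumptions supplied by the caller; the optional MaxConnectionsPerSource= line goes beyond the comment and relies on systemd's own socket setting of that name.

```shell
#!/bin/sh
# Added example, not code from the AUR comment: helpers for the two
# mitigations described above. Nothing here touches the live system unless
# you point write_sshd_override at /etc/systemd/system yourself.

# Accept only a digits-only TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the drop-in body. The empty ListenStream= clears the port the
# stock unit already listens on; without it systemd would bind 22 AND
# the new port. An optional second argument adds a per-source connection
# cap (systemd's MaxConnectionsPerSource=), which limits how many
# simultaneous accepted connections one client address can hold.
sshd_socket_override() {
    port=$1 per_source=$2
    valid_port "$port" || return 1
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$port"
    if [ -n "$per_source" ]; then
        valid_port "$per_source" || return 1
        printf 'MaxConnectionsPerSource=%s\n' "$per_source"
    fi
}

# Write the drop-in to $unitdir/sshd.socket.d/override.conf, which is the
# path `systemctl edit sshd.socket` would create under /etc/systemd/system.
write_sshd_override() {
    unitdir=$1 port=$2 per_source=$3
    body=$(sshd_socket_override "$port" "$per_source") || return 1
    mkdir -p "$unitdir/sshd.socket.d" || return 1
    printf '%s\n' "$body" > "$unitdir/sshd.socket.d/override.conf"
}

# Print (do not run) ufw rules allowing only the listed hosts or CIDRs to
# reach the port, followed by a deny for everyone else. ufw evaluates rules
# in insertion order, so the allows must come before the deny.
ufw_allowlist() {
    port=$1; shift
    valid_port "$port" || return 1
    [ $# -gt 0 ] || return 1
    for src in "$@"; do
        printf 'ufw allow from %s to any port %s proto tcp\n' "$src" "$port"
    done
    printf 'ufw deny %s/tcp\n' "$port"
}
```

Review the ufw output before applying it: locking the port to an allowlist with a typo in the address list locks you out as well.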