The default state of 22/tcp on a public IP is “constantly probed by every botnet on the planet.” Even with key-only auth and fail2ban, the noise floor of failed SSH attempts is real — my auth.log picks up 3,000–5,000 hostile …
I joined a new client’s box one morning to set up SSO via SSSD. By the afternoon, no one — including me, including root — could SSH in. The PAM stack had been rearranged subtly in /etc/pam.d/common-auth, and a …
Open /var/log/auth.log on a public-facing server and you’ll see thousands of lines per day — failed logins, accepted logins, sudo events, cron registrations. The signal you usually care about (who’s brute-forcing me, from where, against which users?) is buried in …
I work from a laptop that sleeps a lot. SSH sessions die when the laptop closes, when the wifi blips, when I move between coffee shops. For years my workflow involved screen -r at the start of every session and …
I’ve been running fail2ban on this Oracle box since the day I provisioned it. Six months ago I added CrowdSec because I wanted the community blocklist for SSH brute-force IPs. For three months they coexisted and I assumed it was …
Most “hopping through bastion” SSH workflows use agent forwarding (ssh -A): the bastion gets temporary access to your local SSH keys via the agent socket, and from there it can SSH onward. It’s convenient, it’s the default in …