On second thought, let's delete the last post. I was thinking there are a few ways or variants to do all this (maybe all are good).
The keys idea is probably one of the easiest and most secure. I am not clear on everything yet so I can't do it until a few days pass. No one has explained how you log in with it.
Using a macro program to log in is a help. It executes macros in Windows. I just tested it and it can be programmed to execute PuTTY, then send key strokes to log you in and give you a beep sound once you are logged in. So you can set the largest possible length of random password and logging in is a simple shortcut key operation done perfectly every time. It took me 45 minutes to get it to work, only because I was having trouble doing a load which would set the background colour of the Unix screen to white. Setting the Macro Program to log me in to WinSCP took about 5 minutes.
Setting up a special regular user for login is better than root login. The Macro Program would help because you could create a very long random user ID and a very long random password and still log in perfectly every single time.
Fail2Ban is a good idea. I tried setting it to block the IP address for 24 hours. However, it does not seem to work. Some bots come back after 3 hours and try again but get kicked out on the first fail. I discovered today you can set it to ban permanently (see below).
This idea can basically be done with fail2ban (see below). This idea may be good too, but a lot of work up front. In the past I was really good with bash, sed and awk. I was good enough that I probably could write a script to read the iptables file and the /var/log/secure file and create a new iptables file that had all the IP addresses to block with no duplication of IP addresses (skipping my IP address of course). I am assuming there is no limit to the number I can put in. I could have cron run this script maybe once a month. Eventually it would have all IP addresses of all brute force hacker attempts that failed, with maybe only a few additions a month after that (if that). Unfortunately it would take me a few months to get all these skills back - LOL. Yeah, I used to spend 3 hours a day, 7 days a week perfecting these skills for a few years there. I was a bit obsessed with shell scripting I think. I don't plan on doing this again.
I was reading about rolling the log file to keep it small. It could probably be set up to coordinate with the above mentioned script. Unfortunately I don't know how to do it yet.

Updates:
I plan on doing as much as I can on my list to increase security but here is what I have done with fail2ban.
**I set the bantime = -1. This bans the IP address permanently until you restart fail2ban.
**I set the ignoreip = parameter to ignore my public IP (I tested with a 1 minute bantime and it works).
**I also added the main IP from my Windows ipconfig screen to "ignoreip =" just to feel safe, since I am not an expert.
**I will check my public IP has not changed each morning using a Google search for "what is my ip address". If it has, I will know to add the new one to my list in "ignoreip =".
**I also am using the Macro Program to log in now and it basically never messes up the login regardless of how long it is, so I am not concerned.
**To avoid a large IP list I decided not to use the special programming from this page http://www.looke.ch/wp/list-based-perma ... h-fail2ban
This programming allows you to maintain the list across restarts of fail2ban. It was modified to remove duplicate IP addresses.
The reason is I already have a very large password and may increase it when I shut off root login probably this week. This link says max password size is unlimited? http://superuser.com/questions/148971/w ... nux-system
So for now things are better. The brute force login attempts have clearly dropped from 27 per hour when I first put fail2ban in down to about 1 or 2 per hour (major drop).
I don't know what it was before fail2ban. I cleared the btmp file and the secure file in /var/log since they were huge (need to learn to roll the logs).
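The log-scanning script described in the post above (read /var/log/secure, collect the source IPs of failed SSH logins, skip your own address, drop duplicates, and emit iptables rules) is sketched here in Python as an added example; it is not the poster's code and not part of fail2ban. The log lines are constructed to look like the standard syslog-format sshd messages that land in /var/log/secure; the ignore list mirrors the "ignoreip =" idea and accepts single addresses or CIDR ranges. The script only prints the rules it would add, so a human can review them before anything touches the firewall.

```python
"""Added example: find repeat SSH login failures in /var/log/secure-style lines.

Assumptions (not from the original post): log lines follow the usual syslog
layout that sshd produces, and the rules are emitted as text for review rather
than applied with iptables directly.
"""
import ipaddress
import re
from collections import Counter

# Matches the two common sshd failure messages:
#   "Failed password for [invalid user] NAME from IP port N ssh2"
#   "Invalid user NAME from IP"
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of /var/log/secure content (documentation addresses only).
SAMPLE_LOG = """\
Mar  3 04:11:02 host sshd[2210]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 04:11:05 host sshd[2210]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 04:11:09 host sshd[2210]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 04:12:40 host sshd[2231]: Invalid user admin from 198.51.100.77
Mar  3 04:12:40 host sshd[2231]: Failed password for invalid user admin from 198.51.100.77 port 41822 ssh2
Mar  3 04:13:01 host sshd[2240]: Failed password for bob from 203.0.113.5 port 51000 ssh2
Mar  3 04:13:03 host sshd[2240]: Failed password for bob from 203.0.113.5 port 51000 ssh2
Mar  3 04:13:06 host sshd[2240]: Failed password for bob from 203.0.113.5 port 51000 ssh2
Mar  3 04:13:07 host sshd[2240]: Failed password for bob from 203.0.113.5 port 51000 ssh2
Mar  3 04:15:00 host sshd[2250]: Accepted publickey for bob from 203.0.113.5 port 51010 ssh2
"""

# Constructed ignore list in the spirit of fail2ban's "ignoreip =":
# the admin's own public address plus a home LAN range.
IGNORE = ["203.0.113.5", "192.168.1.0/24"]


def parse_ignore_list(entries):
    """Turn 'a.b.c.d' or 'a.b.c.d/nn' strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_ignored(ip, networks):
    """True if the address falls inside any ignored network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def failed_logins(lines):
    """Count failed sshd login attempts per source IP."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_to_block(lines, ignore_entries, threshold=1, already_blocked=()):
    """Unique offending IPs at or above the failure threshold, excluding
    ignored networks and addresses that are already in the block list."""
    nets = parse_ignore_list(ignore_entries)
    counts = failed_logins(lines)
    chosen = {ip for ip, n in counts.items()
              if n >= threshold and not is_ignored(ip, nets)}
    chosen -= set(already_blocked)
    return sorted(chosen, key=ipaddress.ip_address)


def iptables_rules(ips):
    """Render one DROP rule per address in iptables-save syntax."""
    return [f"-A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # With a real system, replace SAMPLE_LOG with open("/var/log/secure").read()
    # and pass the addresses already present in the saved iptables file as
    # already_blocked so that monthly runs never add duplicates.
    for rule in iptables_rules(ips_to_block(SAMPLE_LOG.splitlines(), IGNORE, threshold=3)):
        print(rule)
```

Running it against the sample prints a single rule for 198.51.100.23: the host at 203.0.113.5 has more failures but is on the ignore list, and 198.51.100.77 stays below the threshold of three. Passing the current contents of the saved rules file as `already_blocked` is what keeps the list free of duplicates across monthly cron runs.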