While connecting to your server through SSH is secure, the SSH daemon itself is a service that must be exposed to the internet to function properly. Therefore it becomes a target for brute-force attacks by bots. The good practice is always to filter access by IP, but what do you do if you can't? Port-knocking and fail2ban would be my personal answer. Let's talk about the latter.
What is fail2ban?
fail2ban is a service that creates iptables rules on the fly after a number of unsuccessful login attempts. This allows your server to respond to illegitimate access attempts without intervention from you.
The main setting file is
The most important variables to adjust are maxretry, which sets the number of tries a client can attempt, and findtime, which defines the opportunity window, and obviously
To specify which service fail2ban should check, add a block like this:

```ini
[ssh]
enabled = true
port = ssh,sftp
filter = sshd
logpath = /var/log/auth.log
```
If you want to customize the regex pattern, you can look inside the /etc/fail2ban/filter.d directory. Don't forget to reload the daemon and test your configuration.
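To make the interaction between maxretry and findtime concrete, here is an added example (not fail2ban's own code, and not part of the original post) that replays the same logic over a few constructed auth.log lines: it matches "Failed password" entries with a regex in the style of the sshd filter, keeps a sliding window of findtime seconds per source IP, and reports which IPs would have been banned. The log lines, the host name, the year used for parsing and the process IDs are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the syslog-style lines sshd writes to /var/log/auth.log.
# 203.0.113.5 fails five times in 19 seconds, 192.0.2.9 fails five times spread
# over an hour, 198.51.100.7 fails once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  3 10:00:15 host sshd[1004]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:00:20 host sshd[1005]: Failed password for root from 203.0.113.5 port 51243 ssh2
Mar  3 10:01:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:00 host sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 11:30:00 host sshd[1008]: Failed password for bob from 192.0.2.9 port 42000 ssh2
Mar  3 11:45:00 host sshd[1009]: Failed password for bob from 192.0.2.9 port 42001 ssh2
Mar  3 12:00:00 host sshd[1010]: Failed password for bob from 192.0.2.9 port 42002 ssh2
Mar  3 12:15:00 host sshd[1011]: Failed password for bob from 192.0.2.9 port 42003 ssh2
Mar  3 12:30:00 host sshd[1012]: Failed password for bob from 192.0.2.9 port 42004 ssh2
"""

# Simplified failregex in the spirit of filter.d/sshd.conf: the timestamp and the
# offending host are captured, everything else is fixed text.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for each line that matches FAILREGEX.

    syslog lines carry no year, so one is assumed (constructed value for the
    example); fail2ban itself handles this with its own date detection.
    """
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])  # collapse "Mar  3" to "Mar 3"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"]


def decide_bans(log_text, maxretry=5, findtime=600):
    """Return the set of IPs that reach maxretry failures inside any findtime-second window.

    Failures are processed in time order; for each IP only the failures younger
    than findtime (relative to the newest one) are kept, which is the sliding
    window fail2ban applies.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, ip in sorted(parse_failures(log_text)):
        if ip in banned:
            continue  # already banned, nothing more to count
        hits = [t for t in recent[ip] if ts - t < window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned


def iptables_rule(ip):
    """The kind of rule fail2ban's action inserts for a banned IP (string only, nothing is executed)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for settings in ({"maxretry": 5, "findtime": 600}, {"maxretry": 5, "findtime": 7200}):
        print(settings)
        for ip in sorted(decide_bans(SAMPLE_AUTH_LOG, **settings)):
            print("  ", iptables_rule(ip))
```

With the default-like settings (maxretry = 5, findtime = 600) only 203.0.113.5 is banned: 192.0.2.9 also fails five times, but fifteen minutes apart, so no ten-minute window ever holds five failures. Widening findtime to two hours catches it too, which is the trade-off the two settings encode. For checking a real filter against a real log, fail2ban ships fail2ban-regex, which takes the log file and the filter file as arguments and reports how many lines matched.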
Further Reading and sources