Introduction to fail2ban

Connecting to your server over SSH is secure, but the SSH daemon itself is a service that must be exposed to the internet to be useful, so it becomes a target for brute-force attacks by bots. Good practice is to always restrict access by source IP, but what if you can't? Port-knocking and fail2ban are my personal answer. Let's talk about the latter.

What is fail2ban ?

fail2ban is a service that watches log files and creates firewall rules (iptables by default, in a per-jail chain) on the fly once a client exceeds a number of unsuccessful login attempts. The offending IP is blocked for a configurable period, so your server responds to illegitimate access attempts without intervention from you.

Configure fail2ban

The main settings file is /etc/fail2ban/jail.conf. Do not edit it directly: it is overwritten on package upgrades. Put your overrides in /etc/fail2ban/jail.local (or in a file under /etc/fail2ban/jail.d/), which fail2ban reads after jail.conf.
The most important variables to adjust are maxretry, the number of failed attempts a client is allowed; findtime, the window in seconds within which those attempts are counted; and, obviously, bantime, how long in seconds the offending IP stays blocked. A client that reaches maxretry failures within findtime seconds is banned for bantime seconds; failures older than findtime are forgotten.

To tell fail2ban which service to watch, add a block like this to jail.local:

[ssh]
enabled = true
# SFTP runs over the SSH port; "sftp" in /etc/services is 115/tcp, a different protocol
port    = ssh
filter  = sshd
# Debian/Ubuntu path; RHEL-based systems log SSH failures to /var/log/secure
logpath  = /var/log/auth.log
maxretry = 5
findtime = 600
bantime  = 3600

If you want to customize the regex patterns, look inside the /etc/fail2ban/filter.d directory: each filter file defines a failregex that uses the <HOST> placeholder, which fail2ban expands into the sub-pattern that captures the offending address. On a system that logs only to the systemd journal (no /var/log/auth.log), add backend = systemd to the jail instead of a logpath. Don't forget to reload the daemon (fail2ban-client reload) and test your configuration: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf reports how many log lines the filter matches, and fail2ban-client status ssh lists the addresses currently banned by the jail.
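To make the interplay of maxretry, findtime and bantime concrete, and to show what the <HOST> placeholder does, here is an added Python example. It is not fail2ban's own code: it replays constructed auth.log lines (not from a real host) through the same counting rule fail2ban applies, using a simplified failregex written in the style of /etc/fail2ban/filter.d/sshd.conf with <HOST> expanded the way fail2ban does, and a sliding window of failures per source IP. The sample lines, the regex and the function names are assumptions made for this example; the real sshd filter is considerably longer.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified failregex in the style of filter.d/sshd.conf (assumption for this
# example, not the real pattern). fail2ban replaces <HOST> with a host/IP sub-pattern.
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$"

# Constructed sample of /var/log/auth.log lines; not captured from a real host.
# 203.0.113.10 fails five times in 14 seconds; 198.51.100.7 fails five times
# spread over 80 minutes and also logs one successful key login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for root from 203.0.113.10 port 51030 ssh2
Mar  3 10:00:07 host sshd[1205]: Failed password for root from 203.0.113.10 port 51041 ssh2
Mar  3 10:00:09 host sshd[1206]: Accepted publickey for alice from 198.51.100.7 port 40100 ssh2
Mar  3 10:00:12 host sshd[1208]: Failed password for invalid user oracle from 203.0.113.10 port 51050 ssh2
Mar  3 10:00:15 host sshd[1210]: Failed password for invalid user test from 203.0.113.10 port 51061 ssh2
Mar  3 10:01:00 host sshd[1220]: Failed password for bob from 198.51.100.7 port 40110 ssh2
Mar  3 10:20:00 host sshd[1300]: Failed password for bob from 198.51.100.7 port 40120 ssh2
Mar  3 10:40:00 host sshd[1400]: Failed password for bob from 198.51.100.7 port 40130 ssh2
Mar  3 11:00:00 host sshd[1500]: Failed password for bob from 198.51.100.7 port 40140 ssh2
Mar  3 11:20:00 host sshd[1600]: Failed password for bob from 198.51.100.7 port 40150 ssh2
"""


def compile_failregex(failregex):
    """Expand the <HOST> placeholder the way fail2ban does, then compile."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def parse_syslog_time(line):
    """Parse the 15-character syslog timestamp at the start of the line.

    The year defaults to 1900, which is fine for comparing times within one log.
    """
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def scan(log_text, maxretry=5, findtime=600, bantime=600, failregex=FAILREGEX):
    """Replay log lines through fail2ban's counting rule.

    A host is banned when it accumulates maxretry matching failures within a
    sliding window of findtime seconds. Returns the list of (timestamp, ip)
    ban events in the order they would be issued.
    """
    pattern = compile_failregex(failregex)
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}               # ip -> when its ban expires
    bans = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue                # successful logins and other noise never count
        ts = parse_syslog_time(line)
        ip = m.group("host")
        if ip in banned_until and ts < banned_until[ip]:
            continue                # already banned: the firewall would drop these
        window = failures[ip]
        window.append(ts)
        # Forget failures older than findtime. This pruning is why an attacker
        # who stays below maxretry per findtime is never banned.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for ts, ip in scan(SAMPLE_AUTH_LOG):
        print(f"{ts:%H:%M:%S} ban {ip}")
```

With the defaults (maxretry=5, findtime=600) only 203.0.113.10 is banned, at 10:00:15; 198.51.100.7 fails just as often in total but never five times inside one 600-second window. Raising findtime to 7200 also catches that slow attacker at 11:20:00, which is why findtime deserves as much attention as bantime when bots spread their attempts out.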

Further Reading and sources
