There were too many attacks against the sshd (thousands on a single day), so I decided to install fail2ban. Installation is a simple apt-get install fail2ban. Next, a copy of the file /etc/fail2ban/jail.conf with the name jail.local is created. A possible configuration could be:
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
# more networks if needed
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 3600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = false

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
backend = %(sshd_backend)s
This configuration bans an attacking IP address if there are more than 3 failed login attempts (maxretry = 3) within an hour (findtime = 3600). The attacker is banned for 24 hours (bantime = 86400).
With a working iptables configuration, fail2ban can be restarted using systemctl restart fail2ban. Besides reading /var/log/fail2ban.log or inspecting the firewall tables with iptables -S, a dedicated client program can be used to verify the status of fail2ban: fail2ban-client status sshd
I had some trouble validating fail2ban, because the attacking test host used its IPv6 address and these addresses are not recognised by fail2ban yet. Should the number of IPv6 attacks increase, SSHGuard with its IPv6 support might be a sensible alternative.