There were too many attacks against the sshd (thousands on a single day), so I decided to install fail2ban. Installation is a simple apt-get install fail2ban. Next, a copy of the file /etc/fail2ban/jail.conf with the name jail.local is created. A possible configuration could be:
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
# more networks if needed
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 3600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = false
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
backend = %(sshd_backend)s
This configuration bans an attacking IP address if there are more than 3 failed login requests within an hour (findtime = 3600). The attacker is banned for 24 hours (bantime = 86400).
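How findtime, maxretry and bantime interact is easiest to see by replaying the policy over a few log lines. The following Python sketch is an added example, not part of the original post and not fail2ban's own code. Its log lines are constructed, the regex is a simplified stand-in for the real sshd filter, the year 2024 is assumed because syslog timestamps carry no year, and the ban is modelled as triggering once the failure count inside the window reaches maxretry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME, BANTIME, MAXRETRY = 3600, 86400, 3   # values from the jail.local above

# Constructed auth.log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 10 02:00:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 02:10:12 host sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40190 ssh2
Mar 10 02:11:40 host sshd[819]: Accepted publickey for alice from 198.51.100.4 port 51500 ssh2
Mar 10 02:40:55 host sshd[822]: Failed password for root from 203.0.113.7 port 40311 ssh2
Mar 10 03:05:00 host sshd[830]: Failed password for bob from 198.51.100.9 port 33000 ssh2
Mar 10 04:30:00 host sshd[841]: Failed password for bob from 198.51.100.9 port 33010 ssh2
Mar 10 05:45:00 host sshd[850]: Failed password for bob from 198.51.100.9 port 33020 ssh2
"""

# Simplified stand-in for the sshd filter: only "Failed password" lines.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(log_text, year=2024):
    """Return {ip: (banned_at, unbanned_at)} for the policy above."""
    failures = defaultdict(deque)   # ip -> timestamps inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue                 # ban still active, ignore further failures
        window = failures[ip]
        window.append(ts)
        # Forget failures older than findtime seconds.
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY:  # assumption: ban once the count reaches maxretry
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"{ip} banned {start} -> {end}")
```

The second address fails three times as well, but more than an hour apart each time, so it never accumulates enough failures inside findtime and stays unbanned.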