So it’s my first time setting up a VPS. Is it to be expected to ban 54 IPs over a 12h timespan? The real question for me is whether this is normal or too much.
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 3
| |- Total failed: 586
| `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
|- Currently banned: 51
|- Total banned: 54
`- Banned IP list: [list of IPs]
fail2ban sshd.conf
$ sudo cat /etc/fail2ban/jail.d/sshd.conf
[sshd]
enabled = true
mode = aggressive
port = ssh
backend = systemd
maxretry = 3
findtime = 600
bantime = 86400
I have disabled SSH login via password. And only allow it over an SSH key.
$ sudo sshd -T | grep -E -i 'ChallengeResponseAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin'
usepam no
permitrootlogin no
passwordauthentication no
If you have a public IPv4 address and use port 22, you’ll see lots of login attempts. I wouldn’t worry about it, given that you’ve disabled password login.
The only thing I would advise is to disable root login as well (if not done already).Edit: Just saw you’ve already disabled root login.If you’d like to reduce the noise somewhat, consider changing to a randomly chosen high port. I’ve done this with my VPS and hardly get any login attempts.
Yes, I disabled root login, but the port change is a good idea. Thanks.
port knocking is still there btw
I love the concept of port knocking, but it seems like a lot of overhead if the client apps themselves don’t support it.
Now if the SSH client could take a parameter called knock_on_this port, that would be awesome.
Good luck getting e.g. Ansible to work with that. At that point I’d just switch to a hosting provider with an actual firewall.
Setup your ssh config to use a proxy command which uses netcat to knock on the ports. Ansible will work with that.