So it’s my first time setting up a VPS. Is it expected to ban 54 IPs over a 12h timespan? The real question for me is whether this is normal or too much.

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     586
|  `- Journal matches:  _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 51
   |- Total banned:     54
   `- Banned IP list:   [list of IPs]

fail2ban sshd.conf

$ sudo cat /etc/fail2ban/jail.d/sshd.conf 
[sshd]
enabled = true
mode = aggressive
port = ssh
backend = systemd
maxretry = 3
findtime = 600
bantime = 86400

I have disabled SSH login via password and only allow it over an SSH key.

$ sudo sshd -T | grep -E -i 'ChallengeResponseAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin'
usepam no
permitrootlogin no
passwordauthentication no
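
A check a practitioner would want to run against that sshd -T output is one that flags any authentication setting still left at a weak value. The Python script below is an added example, not code from the original post: it parses the key/value lines that sshd -T prints and reports options that still permit password, keyboard-interactive or root logins. The two sample outputs inside it are constructed for the example. One caveat it covers: on OpenSSH 8.7 and later, sshd -T prints the keyboard-interactive setting as kbdinteractiveauthentication, so the grep above for ChallengeResponseAuthentication will not show it on a current release; the script checks both names and reports when neither is present.

```python
"""Audit the effective sshd configuration as printed by `sshd -T`.

Added example, not part of the original post. Usage on a real host:
    sudo sshd -T | python3 sshd_audit.py
With no piped input it audits the constructed SAMPLE_WEAK text instead.
"""
import sys

# Values a key-only host should show. Anything else is a finding.
# kbdinteractiveauthentication replaced challengeresponseauthentication in
# OpenSSH 8.7; both names are listed so the audit works on old and new releases.
EXPECTED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}

# Constructed sample: what a hardened host like the one in the post prints.
SAMPLE_HARDENED = """usepam no
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitemptypasswords no
port 22
"""

# Constructed sample: a distro default that still allows password logins.
SAMPLE_WEAK = """usepam yes
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitemptypasswords no
port 22
"""


def parse_sshd_t(text):
    """Turn `sshd -T` output into a dict of lowercase option -> value string.

    Each line is "<option> <value>"; values may themselves contain spaces
    (e.g. authorizedkeysfile), so split on the first space only.
    """
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue
        key, value = line.split(" ", 1)
        config[key.lower()] = value.strip()
    return config


def audit(config):
    """Return (option, effective value) pairs weaker than EXPECTED, in EXPECTED order.

    Options that this sshd version does not print are skipped, except that
    when neither keyboard-interactive name is present the check could not be
    made and is reported as 'missing'.
    """
    findings = []
    for option, allowed in EXPECTED.items():
        if option in config and config[option] not in allowed:
            findings.append((option, config[option]))
    if ("kbdinteractiveauthentication" not in config
            and "challengeresponseauthentication" not in config):
        findings.append(("kbdinteractiveauthentication", "missing"))
    return findings


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WEAK
    findings = audit(parse_sshd_t(text))
    if not findings:
        print("OK: no password, keyboard-interactive or root login path found")
    for option, value in findings:
        print(f"WEAK: {option} = {value}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit status makes the script usable from a provisioning check: a non-zero return means at least one login path other than public key is still open.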
  • Phoenixz@lemmy.ca · 6 points · 14 hours ago

    That’s very little actually

    Move your SSH port from the standard 22 to one of the higher ones, like 53822

    It’ll remove 99.something% of your attacks as nobody bothers with those ports.

      • nibbler@discuss.tchncs.de · 4 points · 8 hours ago

        So everyone can open them… so what? An attacker who has already gained local access can crash your original sshd and spin up his own one? Admittedly a thinkable scenario… but can this even be abused in a pubkey auth scenario?

        • mavu@discuss.tchncs.de · 3 points · 8 hours ago

          I don’t see a reason to worry about that. It only matters if the machine is already compromised, and then it doesn’t matter either.