Harassed by ssh connection attempts, how to make fail2ban more strict?

chmike asked:

I use the default fail2ban configuration for ssh connection attempts on my Debian server hosting my web and mail servers.

I already switched away from the default ssh port and things were quiet for a long time. It seems that my server got caught in the radar of some hacker in control of a bot network. I’m suddenly harassed by hundreds of connection attempts for some days now on this secondary port.

Most of these connection attempts try invalid user names. There is no chance they get in with these, but I would prefer to keep them away.

I can’t install port knocking since I use ansible to automatically configure the server. I don’t know how to combine the two.

An intermediate solution would be to make fail2ban more penalizing with ssh connection attempts using a bad user name. Since I use ssh/config I never make a mistake with my user name and I can always connect with my phone if needed where the user name is also registered. That would be nice for dovecot as well.

Is it possible to configure fail2ban to jail an IP for a very long time if the connection failed because the user name was invalid?

I’m running Debian 10 (Buster). Fail2ban is version 0.10.2. Ssh is version 7.9p1.

My answer:

Just change the bantime to whatever time period you want, or -1 to ban forever.

bantime is expressed as a number of seconds, or -1. Recent versions (I think 0.9.x or later) accept suffixes for longer time periods, such as minute, hour, day, or week.
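The bantime change described above, as an added configuration example that is not part of the original answer. It goes one step further than the answer by adding a second jail that reacts only to invalid user names, which is what the question asks for. The file name `sshd-invaliduser.conf`, the jail name, port 2222, the address 192.0.2.10 and the `maxretry` value are assumptions chosen for illustration.

```ini
# --- /etc/fail2ban/filter.d/sshd-invaliduser.conf (hypothetical file name) ---
[INCLUDES]
# common.conf ships with fail2ban and defines __prefix_line (the syslog prefix).
before = common.conf

[Definition]
_daemon = sshd
# Matches only sshd's "Invalid user <name> from <ip> port <n>" lines.
# Anchored at the end of the line so that text inside the attempted
# user name cannot supply a fake address.
failregex = ^%(__prefix_line)sInvalid user .* from <HOST>(?: port \d+)?\s*$
ignoreregex =

# --- /etc/fail2ban/jail.local ---
[sshd]
# Stock jail: ordinary failures get a one-week ban.
enabled = true
# 2222 is a placeholder for the non-default SSH port.
port    = 2222
bantime = 1w

[sshd-invaliduser]
# Hypothetical second jail: one invalid user name bans permanently.
enabled  = true
filter   = sshd-invaliduser
port     = 2222
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
maxretry = 1
bantime  = -1
# Placeholder address (documentation range) for a host that must never be banned.
ignoreip = 127.0.0.1/8 ::1 192.0.2.10
```

Before reloading, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-invaliduser.conf` shows which existing log lines the filter would match. With `maxretry = 1` and `bantime = -1`, a single mistyped user name from an address not listed in `ignoreip` locks that address out until it is unbanned by hand.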

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.