Code:
[DEFAULT]
# change 192.168.92 to your LAN subnet
ignoreip = 127.0.0.1/8 192.168.92.0/24
# -1 = forever. Can use a number for seconds, 1d for one day, and 1w for one week (1 can be any digit, of course)
bantime = 3h
findtime = 600
#backend = systemd
#syslog_backend = systemd

[sshd]
backend = systemd
bantime = 52w
findtime = 7200
maxretry = 1
enabled = true
Indeed. I use denyhosts instead of fail2ban, but I have had ports 22 and 80 forwarded on my router for 15 years now to various machines (a Pi 2B for the last 6 years or so) and although quite a few have tried, none have ever got in. I usually get around 5-10 new IP addresses a day trying to get in via ssh, and lots on http. Denyhosts doesn't cover http, but my web site has strict rules about what is accessible from where and gives either a 403 or 404 to anything else.
Thanks for mentioning denyhosts. Not saying that fail2ban isn't good, but I'm going to have a look at it, since I'm always on the hunt for solutions that improve my solutions.
You are very lucky to have such a low number of breakin attempts.
I had port knocking set up for a while. It works well, but I went back to using fail2ban. I found port knocking to be just a bit too annoying to use on a regular basis. That said, I liked it enough for a while to build a little script to simplify the iptables management for port knocking: https://github.com/gitbls/pktables

Paul Webster wrote: ↑Sat Jan 18, 2020 7:55 am
You could also hide it a bit more by using "port knocking" but to do it you also need client side software that supports it.

Remember though, it is only adding a bit more obscurity.
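For readers who have not seen port knocking before, the following is an added example of the state machine a knock daemon (or the iptables rule set a script like pktables manages) implements; it is not code from pktables or from anyone in this thread. The `KnockDaemon` class, the knock sequence 7000/8000/9000, the timeouts and the addresses are all constructed for illustration. It shows why the client side needs knock-aware software, as Paul Webster says: the port only opens after the exact sequence, each knock within a timeout, and an ordinary upward port scan never completes it.

```python
"""Port-knock state machine over constructed SYN events (added example, hypothetical daemon)."""
from collections import namedtuple

# Constructed event: time in seconds, source address, destination port of a TCP SYN.
Knock = namedtuple("Knock", "t ip port")


class KnockDaemon:
    """A source must hit `sequence` in order, each knock within `step_timeout` seconds of
    the previous one; the protected port then opens to that source for `open_for` seconds."""

    def __init__(self, sequence, step_timeout=10, open_for=30, protected_port=22):
        self.sequence = list(sequence)
        self.step_timeout = step_timeout
        self.open_for = open_for
        self.protected_port = protected_port
        self._stage = {}  # ip -> (index of next expected knock, time of last knock)
        self._open = {}   # ip -> time until which the protected port is reachable

    def packet(self, k):
        """Firewall verdict for one SYN: True = accept, False = drop."""
        if k.port == self.protected_port:
            return k.t <= self._open.get(k.ip, -1)
        idx, last = self._stage.get(k.ip, (0, k.t))
        if k.t - last > self.step_timeout:
            idx = 0  # too slow between knocks: the sequence starts over
        if k.port != self.sequence[idx]:
            idx = 0  # any out-of-order port resets, so a sequential scan never gets through
        if k.port == self.sequence[idx]:
            idx += 1
        if idx == len(self.sequence):
            self._open[k.ip] = k.t + self.open_for
            self._stage.pop(k.ip, None)
        else:
            self._stage[k.ip] = (idx, k.t)
        return False  # knock packets themselves are always dropped; the daemon only needs to see them


def simulate(daemon, events):
    """Feed events in time order; return (ip, t, accepted) for each attempt on the protected port."""
    verdicts = []
    for k in sorted(events, key=lambda k: k.t):
        accepted = daemon.packet(k)
        if k.port == daemon.protected_port:
            verdicts.append((k.ip, k.t, accepted))
    return verdicts


SEQUENCE = (7000, 8000, 9000)

# Constructed traffic; addresses are from the RFC 5737 documentation ranges.
EVENTS = [
    # client with knock-aware software: three knocks in order, then ssh
    Knock(0, "203.0.113.50", 7000), Knock(1, "203.0.113.50", 8000),
    Knock(2, "203.0.113.50", 9000), Knock(3, "203.0.113.50", 22),
    # upward port scan: reaches every knock port, but with other ports in between
    Knock(10, "198.51.100.77", 7000), Knock(11, "198.51.100.77", 7001),
    Knock(12, "198.51.100.77", 8000), Knock(13, "198.51.100.77", 9000),
    Knock(14, "198.51.100.77", 22),
    # right sequence, but the second knock arrives after the step timeout
    Knock(20, "192.0.2.9", 7000), Knock(35, "192.0.2.9", 8000),
    Knock(36, "192.0.2.9", 9000), Knock(37, "192.0.2.9", 22),
    # the legitimate client comes back after its open window has closed
    Knock(60, "203.0.113.50", 22),
]

if __name__ == "__main__":
    for ip, t, ok in simulate(KnockDaemon(SEQUENCE), EVENTS):
        print(f"t={t:>3}s  {ip:<15} port 22 -> {'accept' if ok else 'drop'}")
```

Only the first attempt is accepted; the scanner, the slow client and the late return are all dropped. The knocks travel as plain TCP SYNs, so anyone who can observe the path can replay the sequence, which is why the thread is right to file this under obscurity rather than authentication.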