Aside from the other recommended advise, I would suggest if possible,
move your ssh to a non-standard port. This will block a ton of
script kiddies.
On 22-05-19 12:12, Steven Barthen via Fail2ban-users wrote:
Hello
I'm using fail2ban with shorewall to get rid some nasty scanners.
As the amount is getting worse, I increased the time for my bans on
SSHD to 7 days as I recently got 1400+ connections a day and I
wanted it to stop.
But I experienced that even with that 7 days ban, the keep
connecting every ~ 10min.
Still ending up with 30-40 connections per IP.
So I cleaned my jail.local an only kept default, sshd and the
issues stay same.
Im using "shorewall" as banaction, and it works well for the most part.
I can use "shorewall show dynamic" to see all the IP that are
banned ending up there.
BUT after some time, ~9min the ban just disappears from "shorewall
show dynamic" list. And the fail2ban doesnt show an "unban" event.
Shortly after that the IP connects, is detected and banned again.
I manually added IP's to the shorewall banlist and I can say that
they don't disappear the same way the fail2ban IP's do.
so for examle this list with custom and fail2ban IP's
Chain dynamic (5 references)
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
