Through the years, I have used fail2ban and denyhosts to block ssh brute force attacks. The modern weapon of choice seems to be sshguard, so here are instructions on how to install it:
apt-get install sshguard
Then edit /etc/sshguard/sshguard.conf and set BACKEND to the following:
BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"
You can use locate nft-sets to find the exact location of the script.
Then enable sshguard auto-start, start the service and check the status of the service:
systemctl enable sshguard
systemctl restart sshguard
systemctl status sshguard
You should get something like this:
● sshguard.service - SSHGuard
   Loaded: loaded (/lib/systemd/system/sshguard.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-07-01 14:37:42 CEST; 4s ago
     Docs: man:sshguard(8)
  Process: 72317 ExecStartPre=/sbin/iptables -N sshguard (code=exited, status=0/SUCCESS)
  Process: 72326 ExecStartPre=/sbin/ip6tables -N sshguard (code=exited, status=0/SUCCESS)
 Main PID: 72328 (sshguard)
    Tasks: 8 (limit: 4657)
   Memory: 2.9M
   CGroup: /system.slice/sshguard.service
           ├─72328 /bin/sh /usr/sbin/sshguard
           ├─72329 /bin/sh /usr/sbin/sshguard
           ├─72330 /usr/lib/x86_64-linux-gnu/sshg-parser
           ├─72331 /usr/lib/x86_64-linux-gnu/sshg-blocker -a 30 -p 120 -s 1800 -w /etc/sshguard/whitelist
           ├─72332 /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
           ├─72333 /bin/sh /usr/sbin/sshguard
           └─72334 /bin/sh /usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets

Jul 01 14:37:42 myserver systemd[1]: Starting SSHGuard...
Jul 01 14:37:42 myserver systemd[1]: Started SSHGuard.
Jul 01 14:37:59 myserver sshguard[72331]: Attack from "51.68.174.34" on service 110 with danger 10.
Jul 01 14:37:59 myserver sshguard[72331]: Blocking "51.68.174.34/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
If you allow ssh logins using a password, installing a brute force blocker is very important. Bots are hammering every server that exposes the ssh port. In just a few seconds, sshguard had blocked two IP addresses from hammering on my server:
Jul 01 15:18:11 myserver sshguard[71891]: Attack from "23.129.64.209" on service 100 with danger 10.
Jul 01 15:18:11 myserver sshguard[71891]: Attack from "23.129.64.209" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Attack from "23.129.64.209" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Blocking "23.129.64.209/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Jul 01 15:18:18 myserver sshguard[71891]: Attack from "103.138.148.25" on service 100 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Attack from "103.138.148.25" on service 110 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Attack from "103.138.148.25" on service 110 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Blocking "103.138.148.25/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
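As an added example (not from the original post or the sshguard project), here is a small shell function that summarises sshguard journal lines in the format shown above: per source address it counts the "Attack from" events and records the longest block sshguard applied, which makes it easy to see which addresses actually tripped the blocker. The sample log it runs on is constructed and uses documentation-range addresses.

```shell
#!/bin/sh
# Added example: summarise sshguard journal lines (format as shown above).
# SAMPLE_LOG is a constructed sample using documentation-range addresses.
SAMPLE_LOG='Jul 01 15:18:11 myserver sshguard[71891]: Attack from "203.0.113.7" on service 100 with danger 10.
Jul 01 15:18:11 myserver sshguard[71891]: Attack from "203.0.113.7" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Attack from "203.0.113.7" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Blocking "203.0.113.7/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Jul 01 15:18:18 myserver sshguard[71891]: Attack from "198.51.100.9" on service 100 with danger 10.
Jul 01 15:19:01 myserver sshguard[71891]: Attack from "2001:db8::5" on service 100 with danger 10.
Jul 01 15:19:02 myserver sshguard[71891]: Attack from "2001:db8::5" on service 100 with danger 10.
Jul 01 15:19:03 myserver sshguard[71891]: Attack from "2001:db8::5" on service 100 with danger 10.
Jul 01 15:19:03 myserver sshguard[71891]: Blocking "2001:db8::5/128" for 240 secs (3 attacks in 2 secs, after 1 abuses over 2 secs.)'

# Read sshguard lines on stdin and print, per source address, how many
# "Attack from" events were seen and the longest block (in seconds) that
# sshguard applied to it; blocked_secs=0 means it was never blocked.
# Live use: journalctl -u sshguard -o cat | sshguard_summary
sshguard_summary() {
    awk '
        function strip_quotes(s) { gsub(/"/, "", s); return s }
        /Attack from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = strip_quotes($(i + 1)); seen[ip] = 1; attacks[ip]++ }
        }
        /Blocking/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Blocking") {
                    ip = strip_quotes($(i + 1))
                    sub(/\/[0-9]+$/, "", ip)          # drop the /32 or /128 prefix length
                    seen[ip] = 1
                    secs = $(i + 3) + 0               # the number in "for 120 secs"
                    if (secs > blocked[ip] + 0) blocked[ip] = secs
                }
        }
        END {
            for (ip in seen)
                printf "%s attacks=%d blocked_secs=%d\n", ip, attacks[ip] + 0, blocked[ip] + 0
        }
    ' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sshguard_summary
```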
Other good resources on sshguard:
does not work:
sshg-fw-nft-sets: Could not initialize firewall