fail2ban brute force question

November 30, 2014 1.3k views

I have fail2ban installed on my Ubuntu droplet and it is working great. I have noticed that I receive notifications upwards of 100 banned IP's each day. I guess it is a brute force attack that is changing the ip of the attacker. Is there something else I could be doing to stop these attacks? Most of the attacks look like they are targeting sasl and ftp.

2 Answers

In an effort to decrease the likelihood of a successful brute force crack attempt, I have severely increased the ban times for repeated attempts. I ban the attacking IP for a year after the second time it trips a ban.

There isn't a lot more you can do except to change the ports you're using to something other than the standard port numbers.

The number of crack attempts used to bother me until I noticed that most of them attempting to gain access via "standard" user names, none of which I use, and I disabled root access. As long as you have a strong password or use public key access, you shouldn't have much to worry about. The only other thing then was the number of ban notification emails I was getting. I now just automatically file those for reference, so I don't see them unless I want to, and I really don't think about them much anymore.

Have another answer? Share your knowledge.