Tuning fail2ban's recidive jail to stop distributed SSH brute-force attacks
A server administrator noticed persistent SSH login attempts despite having fail2ban enabled and a non-default SSH port configured. The attacks used rotating IP addresses from domestic ISP dynamic IP ranges, evading standard fail2ban SSH jail rules. Investigation revealed that the default recidive jail settings were not suited to catch this slow, distributed pattern of repeated offenders. The administrator reconfigured the recidive jail, setting a 30-day observation window with a threshold of three prior bans to trigger a one-week long-term block. After the change, the 'Currently banned' count in the recidive jail began rising within days, with no false positives observed among legitimate users during the monitoring period.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in