iptables to drop for a while IPs with recently failed connections

Without parsing logfiles, you can't know if an ssh login attempt was succesful. Fortunately you don't have to parse those logfiles yourself. fail2ban can do this for you. I generally jail an IP for a week after 3 failed login attempts.


2020 Update

Nowadays I just use sshguard (on containers) or fail2ban with ipset (vm's / bare metal) - all with public key ssh listening on a non standard port. I still limit access to this port with iptables to my static ip's. My fail2ban config blocks attackers for 2 days with bantime = 48h. I still use a vpn but am switching to wireguard.

See also:

  • SSH Hardening to add 2 Factor Authentication

  • Onlykey SSH setup to put your ssh keys onto a Security Key. It also works with gpg keys. It is much more secure than having your private keys on your pc. It is physically more secure than a Yubikey due to Onlykey being PIN protected.

  • How to back up your 2FA secret keys with KeePassXC

  • Use a disposable Qubes vm for generating your keys

I also use Onlykey to secure KeepassXC as a HMAC-SHA1 2nd Factor. It can also be used with Linux PAM to login to your system & be required for sudo.

With this setup I do not worry about ssh being exploited.


First of all do not have ssh listen on port 22 to reduce the chance of your port being found by automated scanners.

Also use psad to automatically block hosts which scan your machine for a configurable amount of time (1 hour by default).

A very simple solution is to just rent a 64 or 128 meg openvz container & configure openvpn so you have a fixed ip address & then limit your iptables rule to --source vpn.ip.address on the host you wish to protect.

A better solution is to completely stealth your ssh port withfwknop. There is then no need to run fail2ban as your ssh port is closed until you send a gpg signed & encrypted packet from the fwknop-client which will open your firewall for a configurable amount of time (30 seconds by default). You can also configure fwknop to only accept certain ip addresses (such as your vpn).

I have some quite extensive notes here for fwknop.

If you are serious about ssh security you should also be using ed25519 keys. More notes here for using secure ciphers with openssh. Another a good choice is tinyssh which has no dependency on openssl & is secure by default.

All of the software mentioned here exists in Alpine Linux which also benefits from address space layout randomization via PaX in it's Grsecurity kernel.