fail2ban does not seem to ban an IP after repeated failed ssh login attempts

debian ubuntu fail2ban

The following issue can be useful for more information: https://github.com/fail2ban/fail2ban/issues/2765, although it relates to more recent versions of fail2ban than the one mentioned in the question.

By default, the sshd filter doesn't ban repeated failed passkey login attempts for an existing/valid user.

On more recent versions (although not yet available in 0.11.1), the sshd filter has a publickey parameter than can be set to any in order to capture these failed attempts:

[sshd]
publickey = any
...

Otherwise, there is the option to use ddos (equivalent to your older ssh-dos filter?) or aggressive mode for the sshd filter (which would catch the 'connection closed' log entries followed by unsuccessful login attempts):

[sshd]
mode = aggressive
...

Finally (and this should be useful on any fail2ban version not having the publickey parameter in the sshd filter), you could add the following regex to your filter as suggested here:

[sshd]
failregex = %(known/failregex)s
            ^Failed publickey for <F-USER>.+</F-USER> from <HOST>

This worked for me under debian 10.

[sshd]
failregex = %(known/failregex)s
            ^.*Connection closed by authenticating user [a-z][-a-z0-9_]* <HOST> port \d+ \[preauth\]

Related

Php 5.6.5 won't work very well
Is it safe to delete Gralog Indexes
MySQL connection via SSH tunnel on MacOS doesn't work [closed]
Sending email with postfix doesn't reach recipient
Update specific list of packages with yum
pktmon pcapng not working error unknown command
How to Set Up Time Synchronization with NTP on Ubuntu 20.04.1 LTS
Is it possible to install GUI on Ubuntu VPS then do remote desktop from Windows?
How to delist DNSBL?
XPS Docking DL-6000 upgrade
Kana input with Japanese 106/109 key keyboard in Ubuntu 18.04
Why root password exist if I can be root with sudo -s or sudo -i, it need only sudo password so?