Why Isn’t Fail2ban Banning My IP After Changing My SSH Port?

Asked By CuriousCoder42 On

I recently changed my SSH port from the default 22 to 49152 on Ubuntu 24.04, but now Fail2ban isn't banning any IPs after failed login attempts. I've updated the SSH configuration file and allowed the new port through UFW, but despite my attempts to log in with incorrect passwords, Fail2ban doesn't seem to register any failed attempts. Before switching ports, Fail2ban did a great job of blocking over 500 unwanted IPs. I'm wondering what could be causing this issue and how to fix it.

4 Answers

Answered By SysAdminGal89 On

Have you verified that the fail2ban configuration is correctly set to monitor the new SSH port? Sometimes it defaults to log files from the default port, so you'll want to ensure that it’s pointing to your new port in the jail.local file.

Answered By NetworkNinja54 On

Make sure you've restarted the SSH service after changing the configuration. Sometimes minor errors can also affect SSHD logging, so check if your failed login attempts are showing in /var/log/auth.log. If they’re not, that’s likely the root of the problem.

CuriousCoder42 -

Yeah, I restarted the service and didn’t see any errors, but I’ll double-check the logs.

Answered By SecureServer330 On

Changing SSH ports does improve security by reducing access from common attack vectors. You definitely should be able to run services on ports you choose, as long as they’re configured correctly. Don't shy away from using non-standard ports—it’s a good practice!

Answered By TechSavvyDude79 On

It sounds like you've effectively reduced the number of bots trying to attack your SSH, which is why you’re not seeing many blocks anymore. When you switched from the default port to something like 49152, most automated scripts that scan for SSH are likely not hitting that port. So, if it feels like nothing’s happening with Fail2ban, it might just be because the scripts aren't even trying to log in on that port.

UserFeedback24 -

True, but I’m still worried because I tested by attempting to ban my own IP and Fail2ban didn’t catch that.

IPBlockedUser -

Exactly! It’s not just about the scripts not finding you, I want to know why my own login attempts aren’t being logged.
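The two checks suggested in the answers above (are failed logins reaching /var/log/auth.log, and does the jail's port match the new SSH port) can be told apart offline. This is an added example, not part of the thread and not Fail2ban's own code; the sample log lines, the host name `web1` and the file names are constructed, and the awk match is a simplified stand-in for Fail2ban's sshd filter.

```bash
# Added example, not from the thread. The awk match below is a simplified
# stand-in for Fail2ban's sshd filter.

# Count sshd "Failed password" lines per source IP in an auth.log-style file.
# The IP is the fourth field from the end; the "port N" after it is the
# client's source port, not the port sshd listens on.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for / { n[$(NF-3)]++ }
       END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# Print the port set in the [sshd] section of a jail.local-style file
# (empty output means the section does not set one).
jail_port() {
  awk -F'[ \t]*=[ \t]*' '
    /^\[/ { in_sshd = ($0 == "[sshd]"); next }
    in_sshd && $1 == "port" { print $2; exit }' "$1"
}

# usage: triage LOGFILE JAILFILE SSH_PORT
triage() {
  if [ -z "$(failed_by_ip "$1")" ]; then
    echo "no-failures-logged"; return 1   # nothing for a filter to match
  fi
  if [ "$(jail_port "$2")" != "$3" ]; then
    echo "jail-port-mismatch"; return 2   # jail acts on a different port
  fi
  echo "ok"
}

# Constructed sample data (documentation IP ranges, hypothetical host web1).
demo() {
  local d; d=$(mktemp -d)
  cat > "$d/auth.log" <<'EOF'
2024-06-10T12:00:01+00:00 web1 sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-06-10T12:00:04+00:00 web1 sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-06-10T12:00:09+00:00 web1 sshd[915]: Failed password for root from 198.51.100.7 port 40022 ssh2
2024-06-10T12:01:00+00:00 web1 sshd[920]: Accepted password for deploy from 192.0.2.10 port 50000 ssh2
EOF
  printf '[sshd]\nenabled = true\nport = ssh\n' > "$d/jail.old"
  printf '[sshd]\nenabled = true\nport = 49152\n' > "$d/jail.new"
  : > "$d/empty.log"
  failed_by_ip "$d/auth.log"
  triage "$d/empty.log" "$d/jail.new" 49152 || true
  triage "$d/auth.log" "$d/jail.old" 49152 || true
  triage "$d/auth.log" "$d/jail.new" 49152
  rm -rf "$d"
}
demo
```

In Fail2ban the jail's `port` value is passed to the ban action, so a mismatch typically shows up as bans that do not block the new port, while an empty log result points at logging rather than at the jail.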
