Hey everyone! I'm running a small project website on a VPS, just for fun, and I've been diving a bit into system administration. While checking out the logs, I was shocked to see a ton of login attempts, especially from one IP in China that tried over 8,000 times in just a few days. I've already taken steps like disabling root login and requiring key-based authentication for users. I've also blacklisted some of the worst offenders. I'm curious about what others typically do with blocked IPs—is it common to permanently block them or transfer the list to new servers later? It seems like a lot of these attempts are automated, so wouldn't banning them permanently be a bit pointless?
3 Answers
You might want to consider geo-blocking. If your site's audience is specific to certain regions, you can prevent access from countries that aren't relevant to your services.
Fail2ban is definitely the way to go! You can set it to ban IPs for longer periods, which can reduce repeated attempts. I recommend adjusting the timeout to something like days or weeks—it helps a lot.
I suggest using a combo of geo-blocking and a tool called fail2ban. Geo-blocking helps keep unwanted traffic out completely, while fail2ban monitors your SSH logs and temporarily bans IPs that keep failing login attempts. I've found it really effective.
Yeah, a longer timeout can slow down those bots significantly. Just keep in mind that making your server available also means some level of risk, since it's out there on the internet.
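Two of the answers above recommend fail2ban with a ban window of days or weeks rather than the default minutes. As an added illustration (not configuration posted by anyone in this thread), this is what that looks like in a `jail.local` override: the `sshd` jail watches the SSH log, `bantime.increment` makes each repeat ban longer, and the stock `recidive` jail re-bans addresses that keep coming back. It assumes fail2ban 0.11 or newer (for `bantime.increment`), the distribution's default `paths-*.conf` log locations, and a placeholder management address `203.0.113.10` that you would replace with your own.

```ini
# /etc/fail2ban/jail.local (added example; settings here override jail.conf)

[DEFAULT]
# Ban for one day after 5 failures within 10 minutes.
bantime  = 1d
findtime = 10m
maxretry = 5

# Escalate repeat offenders: each new ban lasts twice as long as the
# previous one, capped at four weeks (requires fail2ban >= 0.11).
bantime.increment = true
bantime.factor    = 2
bantime.maxtime   = 4w

# Never lock out localhost or your own management address.
# 203.0.113.10 is a documentation-range placeholder; substitute your IP.
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[sshd]
# Watches the SSH auth log defined in the distro's paths-*.conf
# (/var/log/auth.log on Debian/Ubuntu, or the journal with the systemd backend).
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[recidive]
# Reads fail2ban's own log and re-bans any address banned 3 times in a day,
# this time for four weeks.
enabled  = true
logpath  = /var/log/fail2ban.log
bantime  = 4w
findtime = 1d
maxretry = 3
```

After saving, run `sudo fail2ban-client reload` and check `sudo fail2ban-client status sshd` to see the current ban list and counters. A long or escalating ban answers the "is it pointless" question from the original post: the bot is not deterred, but the number of attempts it can make against your host is capped, and you can see in the log whether the same address keeps returning.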