Fail2ban stopped banning IPs after disabling password auth for SSH

Hi,

I have found that when you disable password authentication in /etc/ssh/sshd_config
PasswordAuthentication no

Fail2ban starts to let IPs go through. In the context of a DoS attack, this means an attacker can send ssh requests to your server without being banned. You can check it yourself: create id_rsa public and private keys and install them on your client. Then disable password authentication in sshd_config. Then go to a device without id_rsa installed (with a different IP, just in case) and send as many ssh user@host requests as you want to your server. The IP address will never be banned.

To solve this problem, I have opened /etc/fail2ban/filter.d/sshd.conf
I replaced mode=normal with mode=aggressive

Then, in /etc/fail2ban/jail.local
I replaced filter = sshd with filter = sshd[mode=aggressive]

Then,
service fail2ban restart

Is it the right/only way to do it?

If that is the case, maybe we should consider hardening fail2ban on HestiaCP.

1 Like
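To show why the filter mode matters here, this is an added Python simulation (not fail2ban's own code; the two regex lists are simplified stand-ins for its normal and aggressive pattern sets, and the log lines are constructed) that applies maxretry/findtime counting to what a key-only sshd actually logs:

```python
import re
from datetime import datetime, timedelta

# Constructed sample of sshd log lines. The first five are what a server with
# "PasswordAuthentication no" logs when a client without an accepted key keeps
# reconnecting; the last line is a classic password failure, kept for contrast.
LOG = """\
Mar  3 10:00:01 host sshd[2101]: Connection closed by authenticating user root 203.0.113.7 port 50001 [preauth]
Mar  3 10:00:02 host sshd[2102]: Connection closed by authenticating user root 203.0.113.7 port 50002 [preauth]
Mar  3 10:00:03 host sshd[2103]: Connection closed by authenticating user root 203.0.113.7 port 50003 [preauth]
Mar  3 10:00:04 host sshd[2104]: Connection closed by authenticating user root 203.0.113.7 port 50004 [preauth]
Mar  3 10:00:05 host sshd[2105]: Connection closed by authenticating user root 203.0.113.7 port 50005 [preauth]
Mar  3 10:00:09 host sshd[2106]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
"""

# Assumption: simplified approximations of fail2ban's filter.d/sshd.conf pattern
# sets, not the real regexes. "normal" only counts explicit auth failures;
# "aggressive" also counts pre-auth disconnects, the only thing a key-only
# server ever logs for a client that has no key to offer.
NORMAL = [re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")]
AGGRESSIVE = NORMAL + [
    re.compile(r"Connection (?:closed|reset) by(?: authenticating user \S+)? (?P<host>\S+) port \d+ \[preauth\]"),
]


def bans(log, patterns, maxretry=5, findtime=600, year=2024):
    """Return the hosts a fail2ban-style jail would ban: at least `maxretry`
    matching lines from one host inside any window of `findtime` seconds."""
    hits = {}
    for line in log.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                # syslog timestamps carry no year; supply one so they sort correctly
                ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                hits.setdefault(m.group("host"), []).append(ts)
                break
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):  # sliding window of maxretry hits
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("normal    :", bans(LOG, NORMAL) or "nobody banned")
    print("aggressive:", bans(LOG, AGGRESSIVE))
```

fail2ban ships its own checker for this: `fail2ban-regex /var/log/auth.log 'sshd[mode=aggressive]'` reports which of your real log lines the chosen mode matches.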

I allow SSH access from a limited number of IPs only. All the others get banned right away.

1 Like