First VPS — Is 54 SSH bans in 12 hours normal?
from tanka@lemmy.ml to selfhosted@lemmy.world on 07 May 11:35
https://lemmy.ml/post/46987997
from tanka@lemmy.ml to selfhosted@lemmy.world on 07 May 11:35
https://lemmy.ml/post/46987997
So it’s my first time setting up a VPS. Is it to be expected to ban 54 IPs over a 12h timespan? The real question for me is whether this is normal or too much.
$ sudo fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 3 | |- Total failed: 586 | `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd `- Actions |- Currently banned: 51 |- Total banned: 54 `- Banned IP list: [list of IPs]
fail2ban sshd.conf
$ sudo cat /etc/fail2ban/jail.d/sshd.conf [sshd] enabled = true mode = aggressive port = ssh backend = systemd maxretry = 3 findtime = 600 bantime = 86400
I have disabled SSH login via password. And only allow it over an SSH key.
$ sudo sshd -T | grep -E -i 'ChallengeResponseAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin' usepam no permitrootlogin no passwordauthentication no
#selfhosted
threaded - newest
Normal background noise. ssh is a well known protocol/port and scanning is automated.
Yeah, I thought so much. But I sort of wanted to be sure. ^^
Pretty much on the low side, but you’ve not been up long. Using key based login you’re fine.
If you have a public IPv4 address and use port 22, you’ll see lots of login attempts. I wouldn’t worry about it, given that you’ve disabled password login.
The only thing I would advise is to disable root login as well (if not done already).Edit: Just saw you’ve already disabled root login.If you’d like to reduce the noise somewhat, consider changing to a randomly chosen high port. I’ve done this with my VPS and hardly get any login attempts.
Yes, I disabled root login, but the port change is a good idea. Thanks.
port knocking is still there btw
I love the concept of port knocking, but it seems like a lot of overhead if the client apps themselves don’t support it.
Now if the SSH client could take a parameter called knock_on_this port, that would be awesome.
Good luck getting e.g. Ansible to work with that. At that point I’d just switch to a hosting provider with an actual firewall.
Setup your ssh config to use a proxy command which uses netcat to knock on the ports. Ansible will work with that.
Seems likely. Cheap VPSs are often used by beginners, so they’re prime targets for hackers. Known VPS IP-ranges probably get hammered constantly by hackers, who are hoping you set up a service temporarily without enabling any security, or perhaps with a weak temporary password of 1234 or something.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
5 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #278 for this comm, first seen 7th May 2026, 12:00] [FAQ] [Full list] [Contact] [Source code]
Totally normal
I got 135 blocks via sshguard over the first 12 hours today. So, yeah, welcome to the Internet! 😄
Just 54? Those are rookie numbers bro. You need to open up a few more ports. LOL Honestly tho, seems pretty standard. You could change the SSH port which might lower some of the noise but bots now days are pretty sophisticated and it would be trivial to just scan your server and find out which port is SSH. If you want to stop tailing fail2ban nervously on the daily, you could use the hosts.allow/hosts.deny which would lock it down even further. Just remember to set host.allow first then host.deny. You could also deploy any number of secondary security packages like CrowdSec, Wazuh, et al.
That’s not a lot even. I’ve seen much worse. Also with password disabled. Some idiot bots still try to send it whole password lists.
Just move your SSH to another port, that is enough to get rid of most of the nuisance scans. Or allow SSH only on IPv6. That usually covers it (The IPv6 address space is too big to scan, unless you have a TLD directly pointing to your IPv6)
What I personally do is run an overlay VPN like tailscale and allow SSH in only via that.
Same. I use Tailscale as an overlay on the pFsense box and the server itself.
Yes, it is normal.
My SSH is only accessible thru a self hosted WireGuard VPN with a dedicated IP. Zero fails.
How do you deal with the risk of loosing the VPN (and thus the access)?
The VPN SSH rule is configured at provision level firewall which I can access through HTTPS and temporarily change the whitelisted IP addresses. Never have done this, though. WireGuard is very stable and it is also behind another firewall.
Yeah. Sounds about right.
First of all disable root login over ssh. Second, move your ssh from port 22 to another port of your liking. Third, disable password authentication altogether and use only solid certificates.
I deactivated the SSH daemon on my VPS and only use Tailscale SSH