Hello,
Why should you use Fail2ban when you do the following settings in SSH?
Is it only used to block the hacker's IP address?

Thank you.

fail2ban is a different thing. Read the documentation: https://github.com/fail2ban/fail2ban.
bans IP addresses conducting too many failed login attempts.
The main goal is to reduce the load on the computer, simply by disabling that external host in the firewall.

1 members found this post helpful.

AI hacking tools and script automation have made dictionary attacks insanely easy to automate. If you allow password access without a cover mechanism (2FA etc.) then giving an attacker enough time ensures that they WILL be able to break into your system.
Fail2ban mitigates that risk by detecting the attempt based upon failed attempts from the same IP and blocking that IP. Breaking in using a dictionary attack MAY still be possible, but will take orders of magnitude longer in the attackers best case. Using fail2ban avids giving the attacker the time he needs to succeed. We want to not only strip from them the success, we want to prevent the collection of information about failure!

Fail2ban, properly used, improves your security profile. It does not make you totally secure, but it reduces the risk from that one kind of attack greatly.

I recommend it for hosts providing services where clients may access your host from networks that you may not fully control.
Normally a client only machine (laptop, most desktops) do not export remote access logins and have no need to fail2ban if they run a well configured firewall.

1 members found this post helpful.

It has been awhile but the last time I was attacked the script kiddies had written around fail2ban and was automatically switching IP addresses. I had quite a list of banned IP addresses. I switched to solely using a VPN and turned off ssh access from the outside...

2 members found this post helpful.

Because all that does is prevent "root" from logging in.

Unless 'root' is (and will be) the only user account, you're open to access attempts.

Yes, it blocks a IP address that fails to authenticate successfully after 'x' number of tries

I agree, or at least block outside connections

I love using a VPN, but only if I control (to an extent I can trust) both ends.

Th only completely secure machine I know of is held on a military base, in a locked room, with a guard on the door who is monitored by the guard on the hall and BOTH are monitored remotely by a security response team. The room has isolated power, no networking, and no one is allowed in with any electronic devices or recording equipment (to include a pen!) without top secret clearance, a verified need to know, and a required briefing before and after access. They get in-briefing, escorted in, there is a strict time limit on access, do a lookup and read the information, and get escorted out and debriefed. And no, I am not one who ever got to see what is on that machine.

A VPN does not secure your machine, it only secures certain information over the network while it is in transit.
Fail2ban requires a firewall, and does not secure your machine: it only provides one step to secure your primary access protocol.
Your firewall does not secure your machine, it only helps secure certain kinds of network threats.
A security concentration (about 30 Quarter hours or ~20 Semester hours at University) is a field of study and non trivial, and most of it probably does not pertain to the OP.

If you need advice on security, it might be useful to discuss what you want to secure, why, and what work you are willing to do to provide security. With a bit (lot) more information we might provide more accurate and targeted advice. Fail2ban is one common sense tool to enhance protection of your ssh connection from dictionary attacks or hacking over and above the ssh/sshd settings and features. The information that would help us determine if it is appropriate or sufficient for a specific individual case is lacking.

OP: is there more information you need or additional question related to this subject that you need us to discuss?

Hello,
Thank you so much for your reply.
With this situation, would you still recommend Fail2ban?

Hello,
Thank you so much for your reply.
Can the hacker guess the SSH account other than root?

If it's open to the Internet, they'll definitely try if given the opportunity.

SeeSo basically, any host you can access using ssh where any host on your internal network access or be accessed by the internet should use recommended secure settings for sshd and other services, and should use fail2ban to detect and react to dictionary attacks.

I have used in in enterprise settings and in my home network. IF you only have a single laptop and cell phone, or no devices that can be accessed using ssh, then you probably do not need it. (You MAY need other solutions, because you are dealing with different threats.)

1 members found this post helpful.

It always depend on the structure of your network and the services you use (if you have a firewall, vpn,....).
Fail2ban is a tool to manage failed login attempts, if you have a lot of them you ought to use it. If you can't see those attempts you don't need to protect your host against that.


They do their best, they have a huge list of "regular" accounts and you can be sure they will try them out.

1 members found this post helpful.

I put a web server on the internet from my home DMZ. Within 22 minutes I was getting attacks. Fail2ban had blocked half of Asia, parts of Russia, subnets in North Africa and one zone south in Africa (I cannot recall the country right now), a small portion of South America, a couple of subnets in North America, and one nasty guy in Australia within a week. We are talking THOUSANDS of individual blockings!

I had great fun automating whois and mapping the origin nodes. Eventually I set up a honeypot just for attracting and logging threats for fun.

1 members found this post helpful.

Hello,
Thank you so much for all replies.