sshguard protects hosts from brute-force attacks.
It inspects logs and blocks "bad" addresses once they cross a threshold.
It is compatible with nftables.
It automatically adds its own tables and chains, and dynamically adds addresses to a set:
table ip sshguard {
    set attackers {
        type ipv4_addr
        flags interval
        elements = { 43.x.x.230, 81.x.x.212, 103.x.7x84, 194.x.x.93 }
    }

    chain blacklist {
        type filter hook input priority -10; policy accept;
        ip saddr @attackers drop
    }
}
table ip6 sshguard {
    set attackers {
        type ipv6_addr
        flags interval
    }

    chain blacklist {
        type filter hook input priority -10; policy accept;
        ip6 saddr @attackers drop
    }
}
Log
May 4 05:55:27 n1 sshd[53441]: Failed password for invalid user eagle from 43.154.x.230 port 42724 ssh2
May 4 05:55:39 n1 sshd[53447]: Invalid user rosa from 103.14x.x2.84 port 54856
May 4 05:55:39 n1 sshd[53447]: pam_unix(sshd:auth): check pass; user unknown
May 4 05:55:39 n1 sshd[53447]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.143.72.84
May 4 05:55:39 n1 sshguard[53385]: Attack from "103.14x.x2.84" on service 100 with danger 10.
May 4 05:55:39 n1 sshguard[53385]: Attack from "103.14x.x2.84" on service 110 with danger 10.
May 4 05:55:40 n1 sshguard[53385]: Attack from "103.14x.x2.84" on service 110 with danger 10.
May 4 05:55:40 n1 sshguard[53385]: Blocking "103.14x.7x.84/32" for 360 secs (3 attacks in 1 secs, after 2 abuses over 204 secs.)
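To audit what sshguard did from the log alone, the "Attack from" and "Blocking" messages shown above can be parsed and tallied per address. This is an added example, not part of the original page or of sshguard itself; the function name `summarize` and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the message format shown in the log above;
# the addresses come from the documentation range 203.0.113.0/24.
SAMPLE_LOG = """\
May 4 05:55:39 n1 sshguard[53385]: Attack from "203.0.113.84" on service 100 with danger 10.
May 4 05:55:39 n1 sshguard[53385]: Attack from "203.0.113.84" on service 110 with danger 10.
May 4 05:55:40 n1 sshguard[53385]: Attack from "203.0.113.84" on service 110 with danger 10.
May 4 05:55:40 n1 sshguard[53385]: Blocking "203.0.113.84/32" for 360 secs (3 attacks in 1 secs, after 2 abuses over 204 secs.)
May 4 05:56:02 n1 sshguard[53385]: Attack from "203.0.113.9" on service 100 with danger 10.
May 4 05:56:03 n1 sshd[53460]: Invalid user test from 203.0.113.9 port 40000
"""

ATTACK_RE = re.compile(
    r'sshguard\[\d+\]: Attack from "([^"]+)" on service (\d+) with danger (\d+)\.')
BLOCK_RE = re.compile(
    r'sshguard\[\d+\]: Blocking "([^"/]+)/(\d+)" for (\d+) secs '
    r'\((\d+) attacks in (\d+) secs, after (\d+) abuses over (\d+) secs\.\)')

def summarize(log_text):
    """Return (blocks, pending): block events, and danger accrued by unblocked addresses."""
    danger = defaultdict(int)   # running danger score per source address
    blocks = []
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            danger[m.group(1)] += int(m.group(3))
            continue
        m = BLOCK_RE.search(line)
        if m:
            addr, prefix, secs, attacks, _window, abuses, _span = m.groups()
            blocks.append({"addr": addr, "prefix": int(prefix), "secs": int(secs),
                           "attacks": int(attacks), "prior_abuses": int(abuses),
                           # score reached when the block fired; reset afterwards
                           "danger_at_block": danger.pop(addr, 0)})
    return blocks, dict(danger)

if __name__ == "__main__":
    blocks, pending = summarize(SAMPLE_LOG)
    for b in blocks:
        print(f'{b["addr"]}/{b["prefix"]} blocked for {b["secs"]}s at danger '
              f'{b["danger_at_block"]} ({b["prior_abuses"]} earlier abuses)')
    for addr, score in pending.items():
        print(f"{addr} not blocked yet, danger so far {score}")
```

Addresses that appear in `pending` have been seen attacking but have not crossed the blocking threshold, so they will not be in the `attackers` set yet.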