Fail2ban is theater on a properly configured server --- and, increasingly since the mid 2010's, you've had to go out of your way to have a badly configured SSH server. Either way, it's something you have to add specifically to your server, so if you're going to do that, use the same energy to just make sure your server is configured properly. Yeah, yeah, I know it "keeps your logs clean". So does grep, though.

Thanks, I was unaware of this---I initially (naively?) thought that being banned would at least deter some wannabe attackers. In your experience, does it do anything if I start collecting some reports on repeat offenders and notify their ISP? Or is that just more wishful thinking of my part?

NavinF

Eh I’ve scanned the entire IPv4 space and tested default passwords over ssh from both AWS and my Comcast connection at home and never got banned from either one. I’m sure it can happen, but it’s no big deal.

The GP is right: If you use ed25519 keys, looking at logs and playing whack a mole with countries is just security theater for people who are new to the internet and get scared when their MOTD says “500 failed logins”.

arjvik

How long did scanning the entire IPv4 space take?

chockchocschoir

masscan with the right setup (namely hardware + drivers but also connection obviously) can scan the entire IPv4 space (+ all ports) in ~5 minutes.

Source Code: https://github.com/robertdavidgraham/masscan

Article from PoC || GTFO with more internal details on how it works: https://www.alchemistowl.org/pocorgtfo/pocorgtfo15.pdf (Page 66) [Note: PDF is both a valid PDF + valid ZIP file with source code]