So it’s my first time setting up a VPS. Is it to be expected to ban 54 IPs over a 12h timespan? The real question for me is whether this is normal or too much.
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 586
|  `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 51
   |- Total banned: 54
   `- Banned IP list: [list of IPs]
fail2ban sshd.conf
$ sudo cat /etc/fail2ban/jail.d/sshd.conf
[sshd]
enabled = true
mode = aggressive
port = ssh
backend = systemd
maxretry = 3
findtime = 600
bantime = 86400
I have disabled SSH login via password and only allow it over an SSH key.
$ sudo sshd -T | grep -E -i 'ChallengeResponseAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin'
usepam no
permitrootlogin no
passwordauthentication no
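How the jail values in the post (maxretry = 3, findtime = 600, bantime = 86400) turn failed attempts into bans, as an added example that is not part of the original post and is not fail2ban's own code. It is a simplified sliding-window model; the regex, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME, BANTIME = 3, 600, 86400  # values from the post's sshd.conf

# Assumption: two common sshd failure messages only; fail2ban's own sshd
# filter matches more variants than these.
FAILURE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?:Invalid user \S+ from |"
    r"Connection closed by authenticating user \S+ )"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample lines (documentation IP ranges), journalctl short-iso style.
SAMPLE_LOG = """\
2026-05-07T10:00:01+0000 vps sshd[101]: Invalid user admin from 203.0.113.5 port 40001
2026-05-07T10:00:09+0000 vps sshd[102]: Invalid user test from 203.0.113.5 port 40002
2026-05-07T10:00:30+0000 vps sshd[103]: Invalid user oracle from 198.51.100.7 port 51000
2026-05-07T10:01:12+0000 vps sshd[104]: Connection closed by authenticating user root 203.0.113.5 port 40003 [preauth]
2026-05-07T10:02:00+0000 vps sshd[105]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2
2026-05-07T10:08:30+0000 vps sshd[106]: Invalid user git from 198.51.100.7 port 51001
2026-05-07T10:15:30+0000 vps sshd[107]: Invalid user pi from 198.51.100.7 port 51002
""".splitlines()

def parse_failures(lines):
    """Yield (epoch_seconds, ip) for each line that looks like an auth failure."""
    for line in lines:
        m = FAILURE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
            yield int(ts.timestamp()), m["ip"]

def simulate_jail(events, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, ban_start)] using a per-address sliding window of failures."""
    recent = defaultdict(deque)      # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for ts, ip in sorted(events):
        if banned_until.get(ip, 0) > ts:
            continue                 # address is still banned, nothing to count
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()         # failure is older than findtime, forget it
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans
```

On the sample data only 203.0.113.5 is banned: the three failures from 198.51.100.7 span 900 seconds, so no more than two ever fall inside the 600-second findtime window.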
Normal background noise. ssh is a well known protocol/port and scanning is automated.
Yeah, I thought as much. But I sort of wanted to be sure. ^^
Totally normal
Seems likely. Cheap VPSs are often used by beginners, so they’re prime targets for hackers. Known VPS IP-ranges probably get hammered constantly by hackers, who are hoping you set up a service temporarily without enabling any security, or perhaps with a weak temporary password of 1234 or something.
If you have a public IPv4 address and use port 22, you’ll see lots of login attempts. I wouldn’t worry about it, given that you’ve disabled password login.
The only thing I would advise is to disable root login as well (if not done already).

Edit: Just saw you’ve already disabled root login.

If you’d like to reduce the noise somewhat, consider changing to a randomly chosen high port. I’ve done this with my VPS and hardly get any login attempts.
Yes, I disabled root login, but the port change is a good idea. Thanks.
port knocking is still there btw
I love the concept of port knocking, but it seems like a lot of overhead if the client apps themselves don’t support it.
Now if the SSH client could take a parameter called knock_on_this port, that would be awesome.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters    More Letters
IP               Internet Protocol
SSH              Secure Shell for remote terminal access
VPS              Virtual Private Server (opposed to shared hosting)
3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #278 for this comm, first seen 7th May 2026, 12:00]




