I like occasional discussions on these things. People sharing tips, experiences, pitfalls, etc. It gets everyone in one place at around the same time to do it, like a small digital convention.
I would guess the subtext here is related to the 23andme breach.
The problem with fail2ban is that an attacker who has a botnet of significant size at their disposal won't even be slowed down. Not saying it's worthless, but it's not a silver bullet.
Not saying fail2ban is in any way state-of-the-art security or even best-practice at this point, but if they're burning an IP after a few bad attempts, that's going to be more effective than letting them try tens of thousands per IP, no? Security in layers, of course, so even a few [dozen, hundred] failed SSH attempts should probably raise an alarm or put things into an elevated security mode automatically...but also don't leave SSH open to the public, especially not on :22.
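The gap the two comments above are circling (per-IP banning misses a source that spreads its attempts across many IPs, while a host-wide failure count still catches it) as an added example; it is not from the thread or from fail2ban itself, and the sshd log lines, documentation-range IPs and thresholds (maxretry=3, host-wide alert at 8) are all constructed:

```python
import re
from collections import Counter

# Constructed sshd excerpt: one noisy IP that trips a per-IP threshold, and
# four IPs that each fail only twice, the way a distributed attempt looks.
SAMPLE_LOG = """\
Oct 10 12:00:01 host sshd[101]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct 10 12:00:02 host sshd[102]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct 10 12:00:03 host sshd[103]: Failed password for root from 198.51.100.7 port 40003 ssh2
Oct 10 12:00:04 host sshd[104]: Failed password for invalid user admin from 203.0.113.10 port 50001 ssh2
Oct 10 12:00:05 host sshd[105]: Failed password for invalid user admin from 203.0.113.11 port 50002 ssh2
Oct 10 12:00:06 host sshd[106]: Failed password for invalid user admin from 203.0.113.12 port 50003 ssh2
Oct 10 12:00:07 host sshd[107]: Failed password for invalid user admin from 203.0.113.13 port 50004 ssh2
Oct 10 12:00:08 host sshd[108]: Failed password for root from 203.0.113.10 port 50005 ssh2
Oct 10 12:00:09 host sshd[109]: Failed password for root from 203.0.113.11 port 50006 ssh2
Oct 10 12:00:10 host sshd[110]: Failed password for root from 203.0.113.12 port 50007 ssh2
Oct 10 12:00:11 host sshd[111]: Failed password for root from 203.0.113.13 port 50008 ssh2
Oct 10 12:00:12 host sshd[112]: Accepted publickey for deploy from 192.0.2.5 port 60000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)

def parse_failures(log_text):
    """Return (user, ip) pairs for every failed-password line; other lines are ignored."""
    return [m.groups() for m in map(FAILED_RE.search, log_text.splitlines()) if m]

def per_ip_bans(failures, maxretry=3):
    """fail2ban-style decision: ban an IP once it reaches maxretry failures."""
    counts = Counter(ip for _, ip in failures)
    return {ip for ip, n in counts.items() if n >= maxretry}

def host_wide_alert(failures, banned, threshold=8):
    """Aggregate view: count the failures the per-IP rule never acts on and
    raise an alert when that remainder alone crosses the threshold."""
    missed = [(u, ip) for u, ip in failures if ip not in banned]
    return {
        "total": len(failures),
        "distinct_ips": len({ip for _, ip in failures}),
        "missed": len(missed),
        "alert": len(missed) >= threshold,
    }

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    banned = per_ip_bans(fails)
    print("banned by per-IP rule:", banned)            # only the noisy IP
    print("host-wide view:", host_wide_alert(fails, banned))  # 8 missed, alert True
```

On this sample the per-IP rule bans just 198.51.100.7 and leaves eight failures from four quiet IPs untouched, which is exactly what the host-wide count surfaces.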
> but also don't leave SSH open to the public, especially not on :22
100%. These days, at least if you're working out of a cloud provider, there's no excuse for exposing SSH to the world on any port. AWS/GCP/Azure all have different tools to allow you to run bastion-type services without internet-facing SSH.