Are you still banning, or do you already penalize?
Still using fail2ban just for stopping SSH brute force attempts? Since OpenSSH 9.8 there is a new config option for sshd_config: PerSourcePenalties. This option takes several parameters that define how long a client, identified by its IP address, is blocked, depending on the unwanted behaviour it showed. The most important parameters are:
- min:duration – the minimum penalty that must have accumulated before it is enforced, default 15 seconds (15s).
- max:duration – the maximum penalty that can accumulate, default 10 minutes (10m).
- crash:duration – penalty for connections that cause sshd to crash, default 90s.
- authfail:duration – penalty for clients that disconnect after one or more unsuccessful authentication attempts, default 15s. Consider also MaxAuthTries, which defaults to 6. So in a default setup an IP would be banned for 15 seconds after someone typed the wrong password 6 times.
- invaliduser:duration – penalty for authentication attempts with an invalid user, default 5s (available since OpenSSH 10.3).
- noauth:duration – penalty for disconnecting without attempting authentication, default 1s. Don't change this if you run monitoring checks against sshd.
- grace-exceeded:duration – penalty for connections that exceed LoginGraceTime (default 120s) without logging in, default 10s.
There is also PerSourcePenaltyExemptList, which is a comma-separated list of addresses to exempt from penalties.
As you can see the default values are quite lax. Let's tighten the rules a bit:
- A client should be refused connections for 1 hour after 3 unsuccessful auth attempts (enforced together with MaxAuthTries) and after crash attempts.
- Since penalties accumulate and the default maximum is 10 minutes, we must define a new maximum penalty.
- For invalid user attempts I set the penalty to 5 minutes, since typos can happen (if OpenSSH >= 10.3).
- I don't touch the noauth parameter, since monitoring tools and tools like ssh-keyscan could be blocked.
The resulting sshd_config snippet looks like this (for OpenSSH 10.3 and newer):
MaxAuthTries 3
PerSourcePenalties crash:3600s invaliduser:300s authfail:3600s max:86400s
Since OpenSSH 10.3 is quite new (released on 2026-04-02), most Linux users will want to omit the invaliduser parameter:
MaxAuthTries 3
PerSourcePenalties crash:3600s authfail:3600s max:86400s
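To see how min, max and the per-incident penalties interact, here is an added Python model of the accumulation semantics as sshd_config(5) describes them. It is not sshd's own code and it simplifies: each source address keeps one expiry time, every incident adds its penalty to whatever remains, the total is capped at max, and a new connection is refused only while the remaining penalty is at least min. The bare yes/no forms of the option are not modelled, and the incident list and 192.0.2.x addresses are constructed for the demo. The exempt set stands in for PerSourcePenaltyExemptList.

```python
"""Model of how OpenSSH PerSourcePenalties accumulate (added example, not sshd's code).

Simplified from the sshd_config(5) description: every incident adds its penalty
to whatever penalty the source address still has, the total is capped at max,
and a new connection is refused only while the remaining penalty is >= min.
Times are plain seconds on a monotonic clock.
"""
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Documented defaults (OpenSSH 9.8+; invaliduser only from 10.3 per the post).
DEFAULTS = {
    "crash": 90, "authfail": 15, "invaliduser": 5, "noauth": 1,
    "grace-exceeded": 10, "min": 15, "max": 600,
}


def parse_duration(text):
    """Parse an sshd-style duration: bare seconds or a number with s/m/h/d/w."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_per_source_penalties(line):
    """Parse 'PerSourcePenalties key:duration ...' onto the defaults.

    Only the key:duration form is handled; the bare 'yes'/'no' forms the real
    option also accepts are out of scope for this model.
    """
    parts = line.split()
    if not parts or parts[0].lower() != "persourcepenalties":
        raise ValueError("not a PerSourcePenalties line")
    cfg = dict(DEFAULTS)
    for token in parts[1:]:
        key, sep, dur = token.partition(":")
        if not sep or key not in cfg:
            raise ValueError(f"unknown or malformed penalty: {token!r}")
        cfg[key] = parse_duration(dur)
    if cfg["min"] > cfg["max"]:
        raise ValueError("min penalty must not exceed max penalty")
    return cfg


class PenaltyTracker:
    """Per-source penalty state, keyed by client address."""

    def __init__(self, cfg, exempt=()):
        self.cfg = cfg
        self.exempt = set(exempt)   # models PerSourcePenaltyExemptList
        self.expiry = {}            # addr -> time at which its penalty ends

    def remaining(self, addr, now):
        return max(0, self.expiry.get(addr, now) - now)

    def penalise(self, addr, kind, now):
        """Record an incident; return the source's remaining penalty afterwards."""
        if addr in self.exempt:
            return 0
        total = min(self.remaining(addr, now) + self.cfg[kind], self.cfg["max"])
        self.expiry[addr] = now + total
        return total

    def allowed(self, addr, now):
        """Would a new connection from addr be accepted at time now?"""
        if addr in self.exempt:
            return True
        rem = self.remaining(addr, now)
        if rem == 0:
            self.expiry.pop(addr, None)  # expired entries are forgotten
        return rem < self.cfg["min"]    # below min the penalty is not enforced


def simulate(config_line, incidents, check_at, exempt=()):
    """Replay (time, addr, kind) incidents; report each source's state at check_at."""
    tracker = PenaltyTracker(parse_per_source_penalties(config_line), exempt)
    for t, addr, kind in sorted(incidents):
        tracker.penalise(addr, kind, t)
    addrs = {addr for _, addr, _ in incidents}
    return {a: (tracker.remaining(a, check_at), tracker.allowed(a, check_at))
            for a in sorted(addrs)}


if __name__ == "__main__":
    # Constructed incidents: 192.0.2.10 fails auth three times 20s apart,
    # 192.0.2.20 connects once without trying to authenticate (a monitor probe).
    events = [(0, "192.0.2.10", "authfail"), (20, "192.0.2.10", "authfail"),
              (40, "192.0.2.10", "authfail"), (5, "192.0.2.20", "noauth")]
    for line in ("PerSourcePenalties",
                 "PerSourcePenalties crash:3600s authfail:3600s max:86400s"):
        print(line, "->", simulate(line, events, check_at=60))
```

Running the demo shows the difference the snippet above makes: with the defaults, each 15s authfail penalty has already expired before the next failure 20 seconds later, so nothing accumulates and the source is accepted again at t=60; with the tightened line the same three failures add up to roughly three hours. The monitoring probe's 1s noauth penalty stays below min in both cases and is never enforced. Because everything behind one NAT address shares a penalty, put your own management addresses in PerSourcePenaltyExemptList before deploying hour-long penalties, and validate the edited file with sshd -t before reloading.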
This makes tools like fail2ban quite obsolete if they are only used, in a default setup, for blocking SSH brute force attempts. Of course, if you use them in more complex scenarios and not only for SSH, these tools are still useful.