I run fail2ban on any internet-facing systems I'm responsible for. This article made me curious, so I did a quick scan of my failed logins log (on my personal VPS). Results are pretty grim:
The fail2ban stuff gets even more grim when extended to SMTP
+1 for fail2ban! Works like a charm. I've added ip-set to it lately and this has helped to reduce load significantly.
Yeah. ip-set rules are great for ensuring across-boot persistence, too.
One of these days, I'll get around to integrating my deployment-configuration with a "phone home" hook that informs the configuration service, "when re-provisioning this host or provisioning new hosts, blacklist these IPs".
As much as I dislike "Security by obscurity", there's something to be said for having SSH listening on a non-standard port. My lastb output contains zero failed logins, and the last output shows only expected entries.
I do have various other mechanisms in place to secure SSH; I'm not relying on the non-standard port, but it certainly cuts down the crap.
Unfortunately, as a consultant, I initiate connections from a wide variety of locations. Some of those locations block "weird" ports. So, moving to a non-default port is generally not an option for me.