sshd: enable fail2ban with default ssh jail (quick win, no exposure change) #104

Open · opened 2026-05-24 18:27:07 +00:00 by coilysiren (Owner) · 0 comments

Problem

fail2ban and sshguard are both inactive on kai-server while sshd is listening on 0.0.0.0:22 and auth.log is taking active brute-force scans (2.57.122.177, 89.134.210.182, 213.35.128.24, 161.35.139.3, etc., observed live during today's mobile-SSH debug). Nothing is throttling repeated failed-auth attempts.

Proposed change

Lowest-risk immediate hardening that doesn't depend on resolving the broader exposure question:

```
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
```

Default jail config ships with the sshd jail enabled and tuned for Ubuntu's auth.log format. No sshd binding changes, no firewall topology changes - just bans IPs after N failed-auth attempts.

Verify after:

```
sudo fail2ban-client status
sudo fail2ban-client status sshd
```

Why split this off from the bigger audit

The parent issue, [infrastructure#103](https://forgejo.coilysiren.me/coilysiren/infrastructure/issues/103), needs decisions about router port-forwards and the tangled-knot git-SSH path before changing exposure. That's a real audit. fail2ban can ship in 5 minutes regardless of those decisions and immediately cuts bot scan effectiveness.

Parent

- [infrastructure#103](https://forgejo.coilysiren.me/coilysiren/infrastructure/issues/103) - umbrella security pass on sshd public exposure.

Filed by Claude.

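For anyone checking what the default jail will actually do before flipping it on, the block below is an added example written for this page; it is not the issue's own text, not fail2ban's code, and not anything from the infrastructure repo. It replays constructed `auth.log` lines (TEST-NET addresses, made-up PIDs, the year `2026` assumed because syslog timestamps carry none) through a model of the sshd jail's decision: ban a source once `maxretry` matched failures fall inside a sliding `findtime` window, keep it banned for `bantime`. The thresholds are fail2ban's upstream `jail.conf` defaults (maxretry = 5, findtime = 10m, bantime = 10m); `FAILURE_RE` is a deliberately simplified stand-in for `filter.d/sshd.conf`, not the real filter, and the `ignoreip` parameter mirrors fail2ban's setting of the same name.

```python
"""Simulate fail2ban's default sshd jail over constructed auth.log lines.

Added example for this issue, not code from the issue, from fail2ban, or from
the infrastructure repo. Thresholds are fail2ban's upstream jail.conf defaults
(maxretry = 5, findtime = 10m, bantime = 10m). FAILURE_RE is a simplified
stand-in for filter.d/sshd.conf, not the real filter.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)
LOG_YEAR = 2026  # assumption: traditional syslog timestamps carry no year

# Matches the most common brute-force line in Ubuntu's auth.log:
#   "Failed password for [invalid user ]<name> from <ip> port <n> ssh2"
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample, not real kai-server data: one scanner that trips the
# default threshold, one that stays under maxretry, one whose failures are
# spread wider than findtime, and one legitimate login that must be ignored.
SAMPLE_AUTH_LOG = """\
May 24 18:20:01 kai-server sshd[4101]: Failed password for root from 192.0.2.10 port 50211 ssh2
May 24 18:20:03 kai-server sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 50212 ssh2
May 24 18:20:05 kai-server sshd[4105]: Failed password for invalid user oracle from 192.0.2.10 port 50213 ssh2
May 24 18:20:07 kai-server sshd[4107]: Failed password for root from 192.0.2.10 port 50214 ssh2
May 24 18:20:09 kai-server sshd[4109]: Failed password for root from 192.0.2.10 port 50215 ssh2
May 24 18:20:11 kai-server sshd[4111]: Failed password for root from 192.0.2.10 port 50216 ssh2
May 24 18:21:00 kai-server sshd[4120]: Accepted publickey for kai from 192.0.2.50 port 40001 ssh2: ED25519 SHA256:c0nstructed
May 24 18:22:00 kai-server sshd[4130]: Failed password for invalid user test from 192.0.2.20 port 33001 ssh2
May 24 18:25:00 kai-server sshd[4131]: Failed password for invalid user test from 192.0.2.20 port 33002 ssh2
May 24 18:28:00 kai-server sshd[4132]: Failed password for invalid user test from 192.0.2.20 port 33003 ssh2
May 24 18:40:00 kai-server sshd[4140]: Failed password for root from 198.51.100.5 port 22001 ssh2
May 24 18:43:00 kai-server sshd[4141]: Failed password for root from 198.51.100.5 port 22002 ssh2
May 24 18:46:00 kai-server sshd[4142]: Failed password for root from 198.51.100.5 port 22003 ssh2
May 24 18:49:00 kai-server sshd[4143]: Failed password for root from 198.51.100.5 port 22004 ssh2
May 24 18:52:00 kai-server sshd[4144]: Failed password for root from 198.51.100.5 port 22005 ssh2
""".splitlines()


def parse_failure(line):
    """Return (timestamp, source_ip) for a matching failed-auth line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME,
             ignoreip=frozenset()):
    """Replay log lines through the jail; return {ip: time_of_ban}.

    ignoreip mirrors fail2ban's setting of the same name: sources listed there
    are never banned, which is how an admin avoids locking out their own
    address with a few mistyped passwords.
    """
    recent = defaultdict(list)  # ip -> failure timestamps still inside findtime
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in ignoreip:
            continue
        if ip in bans and ts < bans[ip] + bantime:
            continue  # already banned; the real jail would have dropped the packet
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
            recent[ip] = []
    return bans


def jail_status(bans):
    """Summarise like the 'Currently banned' lines of fail2ban-client status sshd."""
    return {"banned_count": len(bans), "banned_ips": sorted(bans)}


if __name__ == "__main__":
    print(jail_status(run_jail(SAMPLE_AUTH_LOG)))
```

With the defaults only `192.0.2.10` is banned, at the fifth failure; `192.0.2.20` never reaches five, and `198.51.100.5` has five failures but never five inside one ten-minute window, which is the part of the default tuning that is easy to forget when reading "bans after N attempts". The `ignoreip` path is the caveat for the mobile-SSH debugging mentioned in the issue: a few typos from your own address trip the same threshold, so if that address is stable, list it under `ignoreip` in `/etc/fail2ban/jail.local` before relying on the jail.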
coilysiren added P2 and removed P1 labels 2026-05-31 07:00:42 +00:00
Reference: coilyco-flight-deck/infrastructure#104