GitHub - fail2ban/fail2ban: Daemon to ban hosts that cause multiple

sometimes, after receiving netdata.cloud warnings about high CPU load of a server, i find that there are many login attempts via SSH – even though password authentication via SSH is disabled. these are so-called brute-force attacks, trying common user names with many different passwords, hoping one will succeed.

sometimes these attacks continue for a long time, stopping only after blocking the IP with a firewall rule. this can be automated with the python script fail2ban that’s part of almost all debian-based distributions. fail2ban monitors various system logs and, when detecting repeated failed login attempts, inserts a firewall rule to temporarily block the IP address.

i’m going to install this on our AWS servers now because those are frequently attacked in this way.
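
The detection loop described above, sketched as an added example (not part of the original post and not fail2ban's own code): it counts failed sshd attempts per IP inside a time window and records a temporary ban. The log lines are constructed, the regex is a simplified stand-in for fail2ban's sshd filter, and the `maxretry`, `findtime` and `bantime` values are chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation addresses, not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 srv sshd[1001]: Invalid user admin from 203.0.113.7 port 40001
2024-05-01T10:00:05 srv sshd[1002]: Invalid user test from 203.0.113.7 port 40002
2024-05-01T10:00:09 srv sshd[1003]: Accepted publickey for deploy from 198.51.100.4 port 50100 ssh2
2024-05-01T10:00:12 srv sshd[1004]: Connection closed by authenticating user root 203.0.113.7 port 40003 [preauth]
2024-05-01T10:20:00 srv sshd[1005]: Invalid user oracle from 192.0.2.9 port 41000
2024-05-01T10:45:00 srv sshd[1006]: Invalid user git from 192.0.2.9 port 41001
"""

# Simplified failure pattern (assumption: not the filter fail2ban ships).
FAILURE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from|"
    r"Connection closed by authenticating user \S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(minutes=10)):
    """Return [(ip, ban_start, ban_end)] for IPs with maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> time the temporary ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still blocked; the firewall rule would drop this traffic
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than the window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime  # the ban is temporary by design
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

The slow source (two attempts 25 minutes apart) is not banned with these settings, which shows why the window length and retry count have to be tuned against the attack rate seen in the logs.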