Block SSH brute forcers - penguinpowernz/scanban GitHub Wiki

The following configuration blocks SSH brute-force attempts. Copy it into /etc/scanban.d/ssh.toml:

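# Log file(s) scanned for the patterns below.
files = ["/var/log/auth.log"]

[rules]
# Literal strings ('...') are used so regex backslashes need no double-escaping.
patterns = [
  'sshd.*Invalid user \w+ from',
  'sshd.*User \w+ from .* not allowed because not listed in AllowUsers',
  'sshd.*Did not receive identification string from',
]
# The dots are escaped so only a dotted-quad address is captured; an unescaped
# "." would also accept any character between the digit groups.
ip_regex = 'from (\d+\.\d+\.\d+\.\d+)'
# Match count that triggers a ban; 1 acts on the first hit (confirm against scanban's docs).
threshold = 1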