Sshguard instead of fail2ban

I am aware that fail2ban is not recommended for use with Sympl. Sadly, I have no idea why not, so it is hard to look for an alternative that will play nicely.

Is sshguard any use?

Sympl has some fail2ban-like features built-in, although they’re not well documented at the moment (which was inherited from Symbiosis).

The incompatibility with fail2ban is that Sympl will re-write the firewall periodically, which will remove the fail2ban rules.

I look at the logs and see literally thousands of attempts, often many, many from the same host.
It would be nice to stop this. OK, they are not getting in. But it’s still an irritation.

Is sshguard any use?

I looked at SSHguard and it’s OK but seems mainly focused on SSH. I haven’t bothered with it because I don’t need much protection on SSH. Instead I firewall my server so SSH is only allowed from 4 addresses, and I have static IP addresses on anything I connect from (mostly home, but also an Android tablet with a static IP SIM card, which is a really useful thing to have.) As a backstop, I also have it configured for public key only, no password auth allowed.

I look at the logs and see literally thousands of attempts

Can you work with public key auth only on SSH? I think that might reduce the noise in the log files.

I do get lots of attack attempts on exim4 and dovecot, and use my own nftables configuration which Sympl doesn’t touch, so the incompatibility of fail2ban with Sympl would not be a problem for me. Unfortunately I never got fail2ban working properly since upgrading to Debian 12.
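
For the repeated failures from a single host described in this thread, here is an added example (not part of any post, and not code from fail2ban, sshguard or Sympl) of the per-host counting that a log-watching blocker relies on. The log lines are constructed, and the ISO timestamp prefix, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of sshd syslog output (not real traffic).
SAMPLE_LOG = """\
2024-03-03T10:00:00+00:00 host sshd[801]: Failed password for root from 198.51.100.7 port 51000 ssh2
2024-03-03T10:15:01+00:00 host sshd[811]: Failed password for root from 203.0.113.5 port 40122 ssh2
2024-03-03T10:15:04+00:00 host sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
2024-03-03T10:15:09+00:00 host sshd[813]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.5 port 40125 ssh2
2024-03-03T10:16:00+00:00 host sshd[820]: Accepted publickey for alice from 198.51.100.20 port 50022 ssh2
2024-03-03T10:20:00+00:00 host sshd[830]: Failed password for root from 198.51.100.7 port 51001 ssh2
2024-03-03T10:40:00+00:00 host sshd[840]: Failed password for root from 198.51.100.7 port 51002 ssh2
"""

# Only the "Failed password" message is matched. The greedy ".*" plus the
# end-of-line anchor take the source address from the END of the line, so
# text inside the username field is never mistaken for the client address.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def hosts_over_threshold(lines, max_failures=3, window=timedelta(minutes=10)):
    """Return {ip: time of the failure that crossed the threshold}.

    Assumes lines are in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        times = recent[m["ip"]]
        times.append(ts)
        while ts - times[0] > window:   # drop failures older than the window
            times.popleft()
        if len(times) >= max_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in hosts_over_threshold(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

With password authentication disabled, sshd no longer logs `Failed password` lines, so a key-only setup would need a different pattern than the one assumed here.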