Modifying the Default SSH Port and Configuring Fail2Ban Jail Rules

Security through obscurity is not a complete solution, but moving SSH off port 22 cuts most of the automated scanner traffic your server sees. Combined with Fail2Ban, an intrusion prevention framework that watches log files and temporarily bans IP addresses that show signs of brute forcing, it adds a second defense layer to your Hovixa VPS. Neither measure replaces key-based authentication; they reduce noise and slow down password guessing.

1. Changing the Default SSH Port

Port 22 is what mass-scanning scripts probe. Moving sshd to a non-standard high port (1024 to 65535) means those scripts never see it; a targeted attacker can still find it with a full port scan in seconds, so treat this as noise reduction rather than protection. Pick a port that no other service on the host uses (check /etc/services and the output of ss -tlnp).

⚠️ CRITICAL: Firewall First

Before changing the SSH port, allow the new port through your firewall (UFW or Firewalld). If you skip this, you lock yourself out the moment the SSH service restarts. Keep your current SSH session open throughout, leave the existing port-22 rule in place, and only close the session and remove the old rule once a second terminal has connected on the new port. On SELinux-enforcing hosts (RHEL, Rocky, AlmaLinux) the new port must also be labelled ssh_port_t with semanage, or sshd will refuse to bind it.

# For UFW (Ubuntu/Debian)
sudo ufw allow 2284/tcp
sudo ufw reload

Implementation:

  1. Open the configuration file: sudo nano /etc/ssh/sshd_config
  2. Find the line #Port 22. Remove the # and change the number:
    Port 2284
  3. Save and exit (Ctrl+O, Ctrl+X), then validate the file with sudo sshd -t. It prints nothing when the syntax is valid; restarting with a broken file would leave you without a daemon.
  4. Restart the daemon: sudo systemctl restart ssh (the unit is called sshd on RHEL-based systems).
  5. On Ubuntu 22.10 and newer, sshd is socket-activated and the listening port is taken from the ssh.socket unit, not from sshd_config. Run sudo systemctl daemon-reload and restart ssh.socket, then check with ss -tlnp that sshd listens on 2284 and no longer on 22. If it still shows port 22, add a drop-in under /etc/systemd/system/ssh.socket.d/ with an empty ListenStream= line (which clears the default) followed by ListenStream=2284, reload and restart the socket again.

To connect now, use: ssh -p 2284 user@vps_ip
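The procedure above as one script, added here as an example and not taken from the original article. The file-editing functions take the config path as an argument so you can try them on a copy before touching /etc/ssh/sshd_config; the apply step (root only) is what you would run on the VPS. Port 2284 and the sshd_config path follow the article; the firewall detection, the SELinux branch, the ssh.socket drop-in and the .bak copy are this script's own assumptions.

```shell
#!/bin/sh
# Added example: change the sshd port with the checks the article's steps rely on
# (firewall first, sshd -t before restart, socket-activation handled).
set -eu

# valid_port PORT -> true for an integer in the 1024-65535 range the article recommends.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# get_ssh_port CONFIG -> the first active Port directive, or 22 (sshd's default) if none.
get_ssh_port() {
  awk 'tolower($1) == "port" { print $2; found = 1; exit } END { if (!found) print 22 }' "$1"
}

# set_ssh_port CONFIG PORT -> rewrites the first "Port N" or "#Port N" line, comments out
# any further active Port lines (so sshd does not also keep listening on 22) and appends
# the directive if the file had none. A .bak copy keeps the original content and mode.
set_ssh_port() {
  cfg="$1"; port="$2"
  valid_port "$port" || { printf 'invalid port: %s\n' "$port" >&2; return 1; }
  cp -p "$cfg" "$cfg.bak"
  awk -v port="$port" '
    !done && $0 ~ /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+/ { print "Port " port; done = 1; next }
    done && $0 ~ /^[ \t]*[Pp]ort[ \t]+/               { print "#" $0; next }
    { print }
    END { if (!done) print "Port " port }
  ' "$cfg.bak" > "$cfg"
}

# apply_port_change PORT -> the article's procedure on a live host. Assumes UFW as in
# the article; Firewalld and SELinux branches (assumed) cover RHEL-style hosts.
apply_port_change() {
  port="$1"
  if command -v ufw >/dev/null 2>&1; then
    ufw allow "${port}/tcp"
  elif command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --permanent --add-port="${port}/tcp" && firewall-cmd --reload
  fi
  # SELinux: label the port ssh_port_t, otherwise sshd cannot bind it.
  if command -v semanage >/dev/null 2>&1; then
    semanage port -a -t ssh_port_t -p tcp "$port" || semanage port -m -t ssh_port_t -p tcp "$port"
  fi
  set_ssh_port /etc/ssh/sshd_config "$port"
  sshd -t                                   # syntax check; set -e aborts here on error
  if systemctl -q is-active ssh.socket 2>/dev/null; then
    # Socket-activated sshd (Ubuntu 22.10+): the port comes from ssh.socket, so override it.
    mkdir -p /etc/systemd/system/ssh.socket.d
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$port" \
      > /etc/systemd/system/ssh.socket.d/port.conf
    systemctl daemon-reload
    systemctl restart ssh.socket
  fi
  systemctl restart ssh 2>/dev/null || systemctl restart sshd   # "ssh" on Debian/Ubuntu, "sshd" on RHEL
  printf 'sshd_config now says Port %s; test from a second terminal: ssh -p %s user@vps_ip\n' \
    "$(get_ssh_port /etc/ssh/sshd_config)" "$port"
}

# Runs only when asked explicitly, as root:  sudo ./ssh-port.sh --apply 2284
if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  apply_port_change "$2"
fi
```

Keep your current session open while the script runs; if the new port does not answer from a second terminal, the backup at /etc/ssh/sshd_config.bak and the still-open session let you revert.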

2. Installing and Configuring Fail2Ban

Fail2Ban monitors an authentication log (/var/log/auth.log, or the systemd journal on hosts that no longer write auth.log) for repeated failed logins from the same address. Once an address reaches the configured number of failures inside the configured time window, Fail2Ban inserts a firewall rule (iptables or nftables, depending on the banaction) that rejects that address for the ban duration, and removes it again when the ban expires.

sudo apt update && sudo apt install fail2ban -y

3. Creating a Custom Jail for SSH

Do not edit jail.conf: it is replaced on package upgrades and your changes would vanish. Put overrides in jail.local, which Fail2Ban reads after jail.conf; any setting you do not override keeps the jail.conf default.

sudo nano /etc/fail2ban/jail.local

Add the following configuration:

[sshd]
enabled = true
port    = 2284
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime  = 1h
findtime = 10m

  • port: The port the ban rule applies to. It must match the Port in sshd_config, otherwise the firewall rule blocks the wrong port and the attacker keeps connecting.
  • logpath / backend: Fail2Ban macros that resolve to the right log (file or journal) and log reader for your distribution.
  • maxretry: Number of failures before the IP is banned.
  • bantime: Duration of the ban (1h = 1 hour).
  • findtime: The window of time in which the maxretry failures must occur; failures older than this no longer count.
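The counting rule that sections 2 and 3 describe (maxretry failures from one address inside a findtime window) can be watched end to end with a small script. This is an added example and not Fail2Ban's own code: it applies the rule to a constructed auth.log sample with a single-pass awk sliding window, so you can see which addresses the sshd jail above would ban and why the window matters. The log lines, addresses and timestamps are made up for the demonstration.

```shell
#!/bin/sh
# Added example: the sshd jail's threshold logic re-implemented over sample log lines.
# Not Fail2Ban code; it shows what maxretry/findtime mean. Real Fail2Ban also parses
# full dates, honours ignoreip, applies bantime and uses a much richer sshd filter.
set -eu

# Constructed sample of /var/log/auth.log. 198.51.100.7 fails three times within
# seconds; 203.0.113.5 also fails three times but spread over 80 minutes; the last
# line is a successful key login and must not count.
SAMPLE_LOG='Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:00:05 vps sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 10:00:09 vps sshd[1205]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar  3 10:00:20 vps sshd[1210]: Failed password for ubuntu from 203.0.113.5 port 40000 ssh2
Mar  3 10:40:00 vps sshd[1300]: Failed password for ubuntu from 203.0.113.5 port 40001 ssh2
Mar  3 11:20:00 vps sshd[1400]: Failed password for ubuntu from 203.0.113.5 port 40002 ssh2
Mar  3 11:20:02 vps sshd[1401]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2'

# find_bans MAXRETRY FINDTIME_SECONDS < log -> one IP per line, in the order each
# crosses the threshold. Timestamps are reduced to seconds within the month
# (day/hour/min/sec), which is enough for a window measured in minutes.
find_bans() {
  awk -v maxretry="$1" -v findtime="$2" '
    # Only lines the sshd filter treats as a failure: "Failed password ... from <ip> port".
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
      split($3, t, ":")
      ts = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || (ip in banned)) next

      # Append this failure, then drop failures that fell out of the findtime window.
      n[ip]++; hits[ip, n[ip]] = ts
      while (head[ip] < n[ip] && hits[ip, head[ip] + 1] < ts - findtime) head[ip]++

      if (n[ip] - head[ip] >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# With the jail settings from the article (maxretry 3, findtime 10m) only the
# burst from 198.51.100.7 trips the threshold.
printf '%s\n' "$SAMPLE_LOG" | find_bans 3 600    # prints 198.51.100.7
```

Widen the window to a day (find_bans 3 86400) and 203.0.113.5 is banned too: slow, spaced-out guessing is exactly what a short findtime lets through, which is the trade-off you are making when you choose 10m. To see what the real filter matches against your own log, run sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf (or fail2ban-regex systemd-journal ... on journald hosts).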

4. Managing the Fail2Ban Service

Requirement         Command
Check jail status   `sudo fail2ban-client status sshd` (failure counters plus the current Banned IP list)
Unban an IP         `sudo fail2ban-client set sshd unbanip [IP_ADDRESS]`
View banned IPs     `sudo fail2ban-client status sshd` is authoritative; `sudo iptables -L -n` shows the f2b-sshd chain only when the banaction is iptables-based, on nftables hosts use `sudo nft list ruleset`

5. Technical Implementation Details

  • Persistent Bans: Fail2Ban 0.11 and newer keep bans in a local database (/var/lib/fail2ban/fail2ban.sqlite3) and restore the ones that have not yet expired when the service or the server restarts. What the recidive jail adds is escalation: it watches Fail2Ban's own log and hands out a much longer, all-port ban to addresses that keep getting banned.
  • IgnoreIP: Add your own static IP to the ignoreip line in jail.local, in the [DEFAULT] section so that it applies to every jail, to avoid banning yourself while testing or after a typo.
  • Log Rotation: Fail2Ban follows the tail of the log and notices when logrotate swaps the file, so rotation itself is safe; what you want to avoid is an unrotated auth.log of several hundred megabytes, which Fail2Ban scans in full the first time the jail starts. On journald-only hosts (Debian 12 and newer without rsyslog) there is no auth.log at all; set backend = systemd if the %(sshd_backend)s macro does not already resolve to it.
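Putting the three points above into a file, as an added example (not the article's or Fail2Ban's own configuration): a jail.local generator that places ignoreip under [DEFAULT], keeps the sshd jail from section 3 and enables recidive. 203.0.113.5 stands in for the admin's IP and 2284 is the port from section 1; both are arguments. The bantime.increment and mode = aggressive settings are this script's suggestions and need Fail2Ban 0.11 or newer.

```shell
#!/bin/sh
# Added example: generate /etc/fail2ban/jail.local with ignoreip, the sshd jail and
# recidive, then check the configuration before restarting the service.
set -eu

# write_jail_local OUTPUT_PATH ADMIN_IP SSH_PORT
write_jail_local() {
  out="$1"; admin_ip="$2"; port="$3"
  cat > "$out" <<EOF
[DEFAULT]
# Never ban loopback or the admin's own address, whichever jail matched.
ignoreip = 127.0.0.1/8 ::1 ${admin_ip}
bantime  = 1h
findtime = 10m
maxretry = 3
# Fail2Ban 0.11+: lengthen the ban each time the same address is banned again.
bantime.increment = true

[sshd]
enabled = true
port    = ${port}
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# Uncomment to also count pre-auth disconnects and "invalid user" probes:
# mode    = aggressive

[recidive]
# Watches Fail2Ban's own log: an address banned 3 times within a day is banned
# on all ports for a week.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 1w
findtime  = 1d
maxretry  = 3
EOF
}

# Used as:  sudo ./make-jail.sh --apply 203.0.113.5 2284
if [ "${1:-}" = "--apply" ]; then
  write_jail_local /etc/fail2ban/jail.local "$2" "$3"
  fail2ban-client -t            # parse the whole configuration; a typo fails here, not after the restart
  systemctl restart fail2ban
  fail2ban-client status sshd
fi
```

Before pointing the script at /etc/fail2ban, run write_jail_local against a temporary path and read the result; settings in [DEFAULT] apply to every jail unless a jail overrides them, so a wrong bantime there changes more than sshd.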

Sysadmin Advice: Run fail2ban-client status sshd weekly and watch the "Total banned" counter. Even on a custom port you will still see bans, because some scanners sweep every port; comparing that count with what port 22 attracted before the move shows what the change bought you, and the bans that remain are the reason the jail stays on.
