Minimize sshd log clutter/spam from unauthenticated connections

Sun Mar 19 02:08:29 AEDT 2023

On 18.03.23 14:19, Philipp Marek wrote:
> I guess you might find fail2ban useful.
> It scans logfiles (like /var/log/sshd.log), and when it sees too many 
> authentication failures from an IP address (or network range) it can 
> issue commands to drop any further attempts via a firewall.
> By having it read its own logfile it's possible to have repeated 
> offenders be cut out for longer and longer time spans.

Thanks for the suggestion. I've looked into solutions like fail2ban in 
the past, but have decided for a simpler approach. On some Linux hosts I 
use the following nftables rules (commented and stripped for clarity):

table inet filter {
	# set of IP addresses that have successfully authenticated
	# filled via, e.g., the following /root/.ssh/rc (simple example without error handling):
	# `nft add element inet filter sshauth { ${SSH_CONNECTION%% *} timeout 4h }`
	set sshauth {
		type ipv4_addr
		flags timeout, dynamic
	}

	# set of IP addresses (or rather /24 subnets, see below) that have
	# established new TCP connections to SSHD
	set sshlimit {
		type ipv4_addr
		flags timeout, dynamic
	}

	chain input {
		type filter hook input priority 0; policy drop;
		# (loopback, ICMP and other non-SSH rules stripped from this excerpt)

		# accept new connections from IP addresses that have authenticated before
		ip saddr @sshauth tcp dport 22 ct state new counter accept
		# accept new connections from all other addresses with significant rate
		# limit on /24 subnet (the source address is masked to its /24 before it
		# is stored as the element key; mask restored here from the /24 comment)
		ip protocol tcp tcp dport 22 ct state new add @sshlimit { ip saddr & 255.255.255.0 timeout 1h limit rate 2/hour } counter accept

		# accept established connections and reject the rest (whatever exceeds
		# above rate limit)
		ct state { established, related } accept
		meta pkttype unicast ip protocol tcp counter reject with tcp reset
	}
}

The result is similar to fail2ban in that it aggressively limits any 
repeat connections that do not authenticate successfully, albeit with a 
significantly smaller attack surface and configuration effort. The trick 
to make it usable despite the 2/hour connection limit is to manually 
fill the set sshauth either via an .ssh/rc file (will only work for 
root) or by parsing the ssh log and adding IP addresses that 
authenticate successfully.

Best regards,
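Spelling out the log-parsing variant mentioned in the message above, as an added example that is not part of the original post: a small POSIX shell helper that turns sshd's successful-login log lines (or, for the .ssh/rc variant, the SSH_CONNECTION of the current session) into the nft commands that fill the sshauth set. The "Accepted ... from <ip>" log format, the names "inet filter"/"sshauth" and the 4h timeout are taken from the post; the octet validation and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the post above: feed sshd's successful logins into the
# sshauth set of the nftables rules shown there. Assumes OpenSSH's standard
# "Accepted <method> for <user> from <ip> port <n>" log lines (as printed by
# journalctl or /var/log/auth.log), the table/set names "inet filter"/"sshauth"
# from the post, and a 4h element timeout. Only plain IPv4 addresses are
# emitted because the set is of type ipv4_addr.

SSHAUTH_TIMEOUT="${SSHAUTH_TIMEOUT:-4h}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so that a garbled token or an IPv6 peer never reaches nft.
is_ipv4() {
	printf '%s\n' "$1" | awk -F. 'NF == 4 { ok = 1
		for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0; }
		END { exit !ok }'
}

# nft_add_sshauth ADDR: print the nft command that admits ADDR for the
# timeout; re-adding an address that is already in the set is harmless.
nft_add_sshauth() {
	printf 'nft add element inet filter sshauth { %s timeout %s }\n' "$1" "$SSHAUTH_TIMEOUT"
}

# sshauth_commands: read sshd log lines on stdin and print one nft command per
# successful authentication; "Failed ..." and unrelated lines are ignored.
sshauth_commands() {
	awk '/sshd\[[0-9]+\]: Accepted [^ ]+ for .* from / {
		for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break }
	}' |
	while IFS= read -r ip; do
		if is_ipv4 "$ip"; then nft_add_sshauth "$ip"; fi
	done
}

# sshauth_command_from_env: the /root/.ssh/rc variant from the post, with the
# validation it lacked. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; fails if no IPv4 client.
sshauth_command_from_env() {
	is_ipv4 "${SSH_CONNECTION%% *}" && nft_add_sshauth "${SSH_CONNECTION%% *}"
}

# Typical use (as root):  journalctl -f -u ssh | sshauth_commands | sh
# (unit name varies by distribution), or in /root/.ssh/rc:
#                         sshauth_command_from_env | sh
```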

