Setting up fail2ban with firewalld (sshd)

The best solution to counter brute force attacks would be to maintain an allowed list of static IPs and to limit SSH access to SSH key pairs. This was the plan until I wanted to use GitHub Actions to remote into my server. I decided to counter the SSH brute force attacks with fail2ban.

---1 install package
dnf install fail2ban

---2 enable service and check status
systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban

---3 set up the configuration file (/etc/fail2ban/jail.local)
----- Change the values accordingly. The action= value names one of the
----- action templates found in /etc/fail2ban/action.d/

/etc/fail2ban # cat jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
# 3600 seconds = 1 hour
findtime = 3600
#bantime = 3600
bantime = 604800
action = firewallcmd-rich-rules[blocktype=reject, protocol=tcp]
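To see what the three numbers in the jail actually do together, here is an added example (my own code, not part of the original notes or of fail2ban): a small simulation of the [sshd] jail policy run over a constructed sample of /var/log/secure. It assumes a simplified failregex that only recognises "Failed password" lines, a fixed year for the syslog timestamps, and RFC 5737 documentation addresses in the sample; it also goes slightly beyond the page by letting you vary maxretry and findtime to see how the sliding window changes the outcome.

```python
"""Added example (not part of the original notes): a small simulation of how
the [sshd] jail above (maxretry=3, findtime=3600, bantime=604800) decides which
source IPs get banned when it reads /var/log/secure.

Assumptions: FAILREGEX is a simplified stand-in for fail2ban's real sshd
filter (it only recognises "Failed password" lines), and SAMPLE_LOG is
constructed with RFC 5737 documentation addresses, not real traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Values copied from the jail.local above; findtime and bantime are seconds.
MAXRETRY = 3
FINDTIME = 3600
BANTIME = 604800

# Simplified failregex: syslog timestamp, host, sshd[pid], then the failure.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample of /var/log/secure (TEST-NET addresses, made-up PIDs).
SAMPLE_LOG = """\
Mar 12 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 12 12:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 12 12:00:09 host sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Mar 12 12:00:12 host sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 12 12:00:20 host sshd[1005]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 12 12:30:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar 12 13:15:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 41001 ssh2
Mar 12 13:45:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 41002 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (epoch_seconds, ip) for every line the failregex matches.

    Syslog timestamps carry no year, so one is supplied; UTC is assumed.
    """
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            ts = ts.replace(year=year, tzinfo=timezone.utc)
            yield ts.timestamp(), m.group("ip")


def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_start_epoch} for IPs that hit maxretry failures within findtime."""
    recent = defaultdict(deque)  # ip -> failure times still inside the findtime window
    banned = {}                  # ip -> epoch seconds at which the ban started
    for t, ip in parse_failures(log_text):
        if ip in banned and t < banned[ip] + bantime:
            continue             # already banned: further failures change nothing
        window = recent[ip]
        window.append(t)
        while window[0] < t - findtime:
            window.popleft()     # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned[ip] = t
            window.clear()       # the counter starts over once a ban is issued
    return banned


def ban_schedule(banned, bantime=BANTIME):
    """Turn simulate_jail's result into readable (ip, banned_at, unban_at) rows."""
    rows = []
    for ip, t in sorted(banned.items()):
        start = datetime.fromtimestamp(t, timezone.utc)
        end = datetime.fromtimestamp(t + bantime, timezone.utc)
        rows.append((ip, start.isoformat(), end.isoformat()))
    return rows


if __name__ == "__main__":
    for row in ban_schedule(simulate_jail(SAMPLE_LOG)):
        print("ban %-14s from %s until %s" % row)
```

With the values from the jail, only 203.0.113.5 is banned (three failures inside a few seconds, banned for seven days); 198.51.100.9 also fails three times, but its first attempt falls outside the one-hour findtime window by the time the third one arrives, so it is not banned. Raising findtime to 7200 in the call to simulate_jail bans it too.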

---4 restart fail2ban
systemctl restart fail2ban
systemctl status fail2ban

You can manually test ban/unban to check whether the firewall rules have changed.

fail2ban-client set sshd banip IPADDRESS
fail2ban-client set sshd unbanip IPADDRESS
firewall-cmd --list-rich-rules
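The manual test above compares two things by eye: what fail2ban thinks is banned and what firewalld is actually rejecting. Here is an added example (my own code, not from the original notes or from either project) that does the same comparison programmatically, so drift between the two, such as a rich rule that is gone while fail2ban still lists the ban, shows up as a list rather than a hunch. It assumes the constructed outputs below follow the layout of `fail2ban-client status sshd` and `firewall-cmd --list-rich-rules`; the exact wording of a rule depends on the action template, so adjust the regex if yours differs.

```python
"""Added example (not part of the original notes): compare the IPs fail2ban
believes are banned with the sources actually rejected by firewalld rich
rules, so the manual ban/unban test above can be checked programmatically.

Assumptions: the two outputs below are constructed samples in the layout of
`fail2ban-client status sshd` and `firewall-cmd --list-rich-rules` (the exact
wording of a rule depends on the action template); TEST-NET addresses only."""
import re

# Constructed sample of `fail2ban-client status sshd`
STATUS_SAMPLE = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     7
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   203.0.113.5 198.51.100.9
"""

# Constructed sample of `firewall-cmd --list-rich-rules`: one rule that
# fail2ban added, one stale reject rule, and one unrelated accept rule.
RICH_RULES_SAMPLE = """\
rule family="ipv4" source address="203.0.113.5" port port="22" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="192.0.2.44" port port="22" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="198.51.100.0/24" service name="ssh" accept
"""

BANNED_LIST = re.compile(r"Banned IP list:\s*(?P<ips>.*)$", re.MULTILINE)
# A blocking rich rule: a source address followed, on the same line, by reject or drop.
BLOCKING_RULE = re.compile(r'source address="(?P<src>[^"]+)".*\b(?:reject|drop)\b')


def fail2ban_banned(status_output):
    """Set of IPs listed as banned in `fail2ban-client status <jail>` output."""
    m = BANNED_LIST.search(status_output)
    return set(m.group("ips").split()) if m else set()


def firewalld_blocked(rich_rules_output):
    """Set of sources that have a reject/drop rich rule in firewalld."""
    return {m.group("src") for m in BLOCKING_RULE.finditer(rich_rules_output)}


def ban_drift(status_output, rich_rules_output):
    """IPs banned in fail2ban but not blocked by firewalld, and blocked sources
    that fail2ban does not list (stale rules, or rules an admin added by hand)."""
    f2b = fail2ban_banned(status_output)
    fw = firewalld_blocked(rich_rules_output)
    return {
        "banned_but_not_blocked": sorted(f2b - fw),
        "blocked_but_not_banned": sorted(fw - f2b),
    }


if __name__ == "__main__":
    print(ban_drift(STATUS_SAMPLE, RICH_RULES_SAMPLE))
```

On the constructed samples, 198.51.100.9 is banned in fail2ban but has no rich rule, and 192.0.2.44 is rejected by firewalld without fail2ban listing it; the accept rule for 198.51.100.0/24 is ignored because it does not block anything. On a real host, feed the two functions the live command output instead of the samples.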