Hi All, posted this a little while ago but it went missing from the forum, bit strange. I have noticed recently that I have been receiving a lot of SSH bruteforce attacks on my SSH landing server, as a precaution I have enabled google 2 step verification and also installed fail2ban which blocks permanently the IP addresses of the what can only be bots. I have a couple of questions.
Firstly, I have found this website where they publish bruteforce attempt IP addresses from the last 90 days into a text file, I want to use this file to add to a iptables deny rule(s). Do I need to run a cronjob script to import these into the deny list or can I get IP tables to check the IP addresses from the file that has been downloaded (wget via cronjob)?

No it didn't. You didn't post it at LQ. One hundred per cent sure. Maybe you posted elsewhere.


Best way would be a daily cron job. (And try ipset instead of gazillions of iptables rules or even worse: /etc/hosts.deny.)

*I'll split your CyberARK question (completely different question) off to a separate thread: CyberARK (password vault) Open Source alternative?

If they are attempting to break in by shoving passwords down your throat, there is your real problem: you have an open avenue shell access to your computer, with only a password standing in the way.

You should be using digital certificates, each one encrypted with a passphrase. You should specifically prohibit the use of password authentication. (Remember that SSH will, quite inexplicably, accept the least powerful identification-mechanism that it has been told that it's permitted to use, so you must block all options except certificates.)

Yes, when you shell into that computer, you won't be asked for a password ... because you're wearing your badge. Only this arrangement can be called "truly secure."