by deathanatos 2702 days ago
fail2ban will cut down on log noise significantly, while still allowing you to operate on the standard port. It also thwarts brute-force login attempts, if you're using password authentication. (Which you shouldn't, without good reason. Use public key authentication.)
2 comments

I like pam_shield a bit better than fail2ban. It's directly tied to pam, versus trolling logs, so the configuration and operation is cleaner.
https://github.com/jtniehof/pam_shield

Last commit June 2012? Does it work with modern distros?

Yes. Using it now with Ubuntu 18.04. Available via apt-get.
Not sure if it’s sad or hilarious that people recommend fail2ban as a solution to log spam (or as a solution to anything really)

Do you really think making firewalling decisions based on unstructured attacker-controlled log data is a good idea?

You control what fail2ban does with said log data and what actually gets logged. There are better ways than fail2ban of course but it's not the worst solution on the planet.
If you're using regex to parse attacker-controlled files, I'm not entirely sure if you're in control.

Many unexpected things can happen. As a simple example, SSH can generate log entries like this:

  Jan 30 17:37:04 server sshd[26695]: Invalid user root from 127.0.0.1 from 10.0.0.1
The default rules can deal with this specific example, but this is certainly a path I wouldn't want to go down myself.
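As an added illustration of the parsing pitfall discussed above (example code written for this page, not fail2ban's own filter), the Python below runs a naive jail-style regex and an end-anchored one over a constructed copy of the quoted sshd line; the naive pattern reports the address embedded in the attacker-chosen username, the anchored one reports the real peer, and an ignore list (the role fail2ban's ignoreip plays) keeps loopback off the ban list either way. The log lines and network ranges are constructed sample data.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample log lines. The second one mirrors the line quoted in the
# thread: the username sent by the client is "root from 127.0.0.1", and the
# real peer address is the last one, 10.0.0.1.
SAMPLE_LOGS = [
    "Jan 30 17:36:58 server sshd[26690]: Invalid user admin from 203.0.113.7 port 51234",
    "Jan 30 17:37:04 server sshd[26695]: Invalid user root from 127.0.0.1 from 10.0.0.1",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Naive filter: lazy username match, so the FIRST "from <ip>" wins, and the
# client decides which address gets reported to the firewall.
NAIVE_RE = re.compile(r"Invalid user .+? from (?P<ip>" + IPV4 + r")")

# Hardened filter: anchored on the end of the line. The peer address is the
# last "from <ip>" before an optional " port <n>", so the greedy username
# group can contain anything and still cannot steer the capture.
STRICT_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>" + IPV4 + r")"
    r"(?: port \d+)?$"
)

# Ranges that must never be banned, whatever the regex extracts (constructed).
IGNORE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


def extract_source(line: str, pattern: re.Pattern) -> Optional[str]:
    """Return the address the filter would hand to the firewall, or None."""
    m = pattern.search(line)
    return m.group("ip") if m else None


def ban_candidates(lines: List[str], pattern: re.Pattern) -> Tuple[List[str], List[str]]:
    """Split extracted addresses into (to_ban, refused_by_ignore_list).

    The ignore list is a safeguard independent of the regex: even a fooled
    filter must not be able to firewall off localhost.
    """
    to_ban, refused = [], []
    for line in lines:
        ip = extract_source(line, pattern)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        (refused if any(addr in net for net in IGNORE_NETS) else to_ban).append(ip)
    return to_ban, refused
```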