by ckoepp 4348 days ago
I agree even though I'm not sure the problem is on the "using passwords" side. There are more fundamental problems with fail2ban & Co.

Using regular expressions on logs and triggering such massive actions like IP-based bans isn't a wise thing to do. Logs are not the trivial lines of text they were 10 years ago. In reality you'd have to deal with chaotic stuff, often even including user-entered data - this is why there are so many classical Big-Data programs and algorithms joining the party here. It's very hard to write solid regular expressions on those without overlooking a tiny DoS possibility because of injection. There are numerous examples in the CVE database for exactly this when you look at fail2ban and other programs using the same scheme...

If you really need to keep your logs clean and there is no way of detecting "unusual behaviour" by filtering out all that background noise you usually see on SSH, why not use iptables with its extensions instead? You can easily count the attempts to connect to defined ports and block any IP address reaching a threshold for a limited amount of time. This is a way more solid implementation of the same thing, as IP packets are well-defined structures and there is simply no way of injecting something into the IP source field of them.

About the hardware consumption by SSH login attempts: you guys aren't honestly arguing that a cronjob-like grep of log files and performing regular expressions on hundreds of lines is a way better way to do the same, right? This is actually highly inefficient too...

For me, even plain iptables filtering isn't a nice thing. I use port-knocking to get access to my SSH services. Every server has its unique sequence of packets to tell it to open access to SSH for an IP transmitting the right packets with the right flags and payload in the correct ordering.

I'm not saying "get rid of fail2ban", but people should know what they are doing and what problems come with those programs. The convenience has its price...
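The iptables approach the comment describes, as an added example that is not the commenter's own code or the kernel's: a pure-Python model of the `recent` match's `--update --seconds S --hitcount N` behaviour, run over constructed connection attempts. The two iptables rules quoted in the comments are the standard form of that setup; the IP addresses and timings are made up.

```python
from collections import defaultdict, deque

# Model of an iptables "recent"-module rate limit, i.e. the standard rule pair:
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
#            -m recent --set --name SSH
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
#            -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# The decision uses only the packet's source address and arrival time, both
# fixed-format header fields, so nothing the client sends can be "injected"
# into the matching logic. This is a Python model (assumption), not kernel code.

class RecentTable:
    """Per-source sliding window: drop once `hitcount` NEW attempts fall within `seconds`."""

    def __init__(self, seconds=60, hitcount=4):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # source IP -> timestamps of recent attempts

    def decide(self, src_ip, now):
        q = self.hits[src_ip]
        # --seconds: only attempts inside the window count
        while q and now - q[0] > self.seconds:
            q.popleft()
        # --set / --update: the current attempt is recorded even if it is dropped,
        # so a source that keeps hammering keeps extending its own block
        q.append(now)
        return "DROP" if len(q) >= self.hitcount else "ACCEPT"


def simulate(attempts, seconds=60, hitcount=4):
    """attempts: iterable of (time_seconds, src_ip) for NEW SYNs to port 22."""
    table = RecentTable(seconds, hitcount)
    return [(t, ip, table.decide(ip, t)) for t, ip in attempts]


# Constructed sample: one noisy source and one normal login, times in seconds
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"),
    (15, "198.51.100.7"),                     # 4th attempt within 60 s -> DROP
    (20, "203.0.113.9"),                      # unrelated source, unaffected
    (30, "198.51.100.7"),                     # still hammering -> DROP
    (100, "198.51.100.7"),                    # quiet for 70 s -> window empty -> ACCEPT
]

if __name__ == "__main__":
    for t, ip, verdict in simulate(SAMPLE_ATTEMPTS):
        print(f"t={t:>3}s {ip:<14} {verdict}")
```

The real module additionally caps the stored timestamps per address (`ip_pkt_list_tot`, default 20), which this model leaves out.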