During an on-call shift you are alerted that a public-facing CentOS 9 server becomes sluggish every evening around 21:00 UTC. CPU consumption is low, but `top` shows frequent wake-ups by rsyslogd and systemd-journald, and the 5-minute load average is greater than 10. Running `journalctl -u sshd --since "5 minutes ago"` reveals thousands of repeating lines such as:

sshd: Failed password for invalid user admin from 198.51.100.42 port 58234 ssh2

Engineers worldwide must still be able to open interactive SSH sessions. Which single remediation will most quickly reduce the performance impact of these repeated failed log-in attempts while keeping legitimate SSH access available?
Add UseDNS no to sshd's configuration and restart the service so reverse DNS lookups are skipped during handshakes.
Raise RateLimitBurst= in /etc/systemd/journald.conf to 20000, then restart systemd-journald to accept larger bursts of log entries.
Install and enable the default sshd jail in Fail2ban, adjusting maxretry and bantime to block sources after only a few failed attempts.
Set LogLevel QUIET in /etc/ssh/sshd_config and reload the SSH daemon to suppress authentication-failure messages.
Fail2ban actively monitors log files for authentication failures. When an IP address exceeds the configured maxretry threshold within the findtime window, Fail2ban inserts a temporary firewall rule (whose duration is set with bantime) that drops any further packets from that address. After only a few failures each attacking bot is blocked, so the number of new SSH handshakes and the volume of log messages both fall sharply, relieving systemd-journald and rsyslogd and returning the load average to normal. Merely silencing the logs with LogLevel QUIET (or enlarging the journal rate limit) hides the messages but does nothing to stop the flood of inbound connection attempts and therefore still leaves sshd busy. Disabling reverse DNS lookups (UseDNS no) can shave milliseconds off each handshake but again will not stem thousands of authentication attempts. Enabling and tuning the default sshd jail in Fail2ban is therefore the fastest and most effective fix.
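As an added example (not Fail2ban's own code and not part of the original question), the Python below models the decision the sshd jail makes, run over constructed journal lines, so the interaction of maxretry, findtime and bantime described above can be seen: the bot at 198.51.100.42 is banned on its third failure, its later line is ignored, and the engineer with a single typo is never blocked. The class name, the sample timestamps and the log lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd's "Failed password" line (with optional "invalid user") and captures the source IP
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2")

class SshdJail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(list)  # ip -> timestamps of failures still inside findtime
        self.bans = {}                     # ip -> time the firewall drop rule expires

    def is_banned(self, ip, now):
        expires = self.bans.get(ip)
        if expires is not None and now < expires:
            return True
        self.bans.pop(ip, None)  # bantime elapsed: the drop rule would be removed
        return False

    def observe(self, line, now):
        """Feed one journal line; return True if it triggered a new ban."""
        m = FAILED_RE.search(line)
        if not m:
            return False
        ip = m.group(1)
        if self.is_banned(ip, now):
            return False  # packets from a banned host never reach sshd, so no new log line
        recent = [t for t in self.failures[ip] if now - t <= self.findtime]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            self.failures[ip] = []
            return True
        return False

def run_demo():
    jail = SshdJail(maxretry=3, findtime=600, bantime=3600)
    t0 = datetime(2024, 1, 1, 21, 0, 0)  # constructed start time
    events = [  # constructed journal lines: one bot hammering the host, one engineer with a typo
        (0, "sshd[1]: Failed password for invalid user admin from 198.51.100.42 port 58234 ssh2"),
        (5, "sshd[1]: Failed password for invalid user admin from 198.51.100.42 port 58235 ssh2"),
        (7, "sshd[1]: Failed password for alice from 203.0.113.7 port 40000 ssh2"),
        (9, "sshd[1]: Failed password for invalid user root from 198.51.100.42 port 58236 ssh2"),
        (12, "sshd[1]: Failed password for invalid user test from 198.51.100.42 port 58237 ssh2"),
    ]
    bans_at = [off for off, line in events if jail.observe(line, t0 + timedelta(seconds=off))]
    return bans_at, sorted(jail.bans)
```

Running `run_demo()` returns the offsets at which a ban was placed and the set of banned addresses; a real Fail2ban jail would additionally insert the firewall rule via its configured banaction.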
CompTIA Linux+ XK0-006 (V8)
Troubleshooting