SSH is the #1 attack vector for Linux servers. Defensia monitors auth.log in real time and blocks attackers within seconds — before they find a working password.
Mar 13 03:14:01 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43992 ssh2
Mar 13 03:14:02 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43993 ssh2
Mar 13 03:14:03 srv sshd[4822]: Invalid user admin from 185.220.101.7
Mar 13 03:14:04 srv sshd[4823]: Invalid user ubuntu from 185.220.101.7
Mar 13 03:14:05 srv sshd[4824]: Failed password for postgres from 185.220.101.7
→ Defensia: 185.220.101.7 scored +25 pts → ban triggered (82 pts total)
→ ipset add defensia-bans 185.220.101.7 — blocked in 12ms
Each pattern can be enabled/disabled per server from the dashboard — no agent restart required.
Defensia understands SSH log semantics. It distinguishes between a real user's failed attempt and a botnet scanning with credential lists.
fail2ban with iptables caps at ~500 rules. Defensia uses ipset for 65,000+ concurrent bans, then falls back to iptables with FIFO rotation.
When one server bans an IP, all your other servers get the ban instantly via WebSocket. The attacker can't just move to the next target.
Defensia never bans 127.x, 10.x, 192.168.x, your own server's public IP, or the Defensia API endpoint — even if the backend somehow sends a bad rule. Docker bridge IPs (172.x) are also excluded.
Install Defensia with one command: curl -fsSL https://defensia.cloud/install.sh | sudo bash. It detects 15 SSH attack patterns automatically and blocks attackers within seconds via ipset. No configuration needed. Alternatively, you can use fail2ban with manual regex config per service.
Based on Defensia telemetry across 9 production servers, the average server receives 4,200+ attacks per day. A new VPS receives its first SSH brute force attempt within 22 minutes of going online.
Yes. Defensia covers all fail2ban SSH detection patterns plus adds web attack detection (WAF), CVE scanning, malware scanning, a real-time dashboard, and multi-server management. Most users remove fail2ban after installing Defensia.
Yes. Add trusted IPs to the whitelist from the Defensia dashboard. Whitelisted IPs are still detected and logged (so you see the events), but they are never banned. This is useful for office IPs, VPN endpoints, and monitoring services.
15 patterns: failed password, invalid user, pre-auth disconnect, PAM authentication failure, kex negotiation failure, max authentication attempts exceeded, connection closed by authenticating user, reverse mapping check failure, bad protocol version, and more.
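An added example, not Defensia's code: per-IP scoring of the "failed password" and "invalid user" patterns over sshd log lines, with the never-ban ranges and whitelist behaviour described on this page. The weights, the threshold, the function names and the reading of "172.x" as 172.16.0.0/12 are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed weights and threshold: the page does not publish Defensia's real values.
WEIGHTS = {"invalid_user": 15, "failed_password": 10}
BAN_THRESHOLD = 50
# Ranges the page lists as never banned ("172.x" is modelled as 172.16.0.0/12).
NEVER_BAN = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Anchor both ends of the line and let the username match greedily, so a
# username containing " from <ip>" cannot change which address gets scored.
HEAD = r"^\w{3} +\d+ [\d:]+ \S+ sshd\[\d+\]: "
TAIL = r" from (\S+)(?: port \d+)?(?: ssh2)?$"
PATTERNS = [(kind, re.compile(HEAD + text + ".*" + TAIL)) for kind, text in
            (("invalid_user", "Invalid user "), ("failed_password", "Failed password for "))]

def protected(ip, whitelist):
    return str(ip) in whitelist or any(ip in net for net in NEVER_BAN)

def score_log(lines, whitelist=()):
    """Return (score per source IP, IPs to ban in the order they crossed the threshold)."""
    scores, banned = defaultdict(int), []
    for line in lines:
        for kind, rx in PATTERNS:
            m = rx.match(line.rstrip())
            if not m:
                continue
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                break  # source field is not an IP address: ignore the line
            key = str(ip)
            scores[key] += WEIGHTS[kind]  # protected IPs are still scored and logged
            if scores[key] >= BAN_THRESHOLD and key not in banned and not protected(ip, whitelist):
                banned.append(key)
            break
    return dict(scores), banned

# The first five lines are the page's sample; the rest are constructed for this example.
SAMPLE = [
    "Mar 13 03:14:01 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43992 ssh2",
    "Mar 13 03:14:02 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43993 ssh2",
    "Mar 13 03:14:03 srv sshd[4822]: Invalid user admin from 185.220.101.7",
    "Mar 13 03:14:04 srv sshd[4823]: Invalid user ubuntu from 185.220.101.7",
    "Mar 13 03:14:05 srv sshd[4824]: Failed password for postgres from 185.220.101.7",
] + ["Mar 13 03:15:00 srv sshd[4900]: Failed password for deploy from 10.0.0.5 port 50000 ssh2"] * 5 + [
    "Mar 13 03:16:00 srv sshd[4901]: Invalid user x from 10.0.0.9 from 203.0.113.9 port 40000",
]
```

`score_log(SAMPLE)` returns the per-IP scores and the list of addresses to hand to the firewall layer; the 10.0.0.5 entries reach the threshold but stay out of the ban list.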
Free plan includes full SSH protection. Install in one command.
Free plan. No credit card required.