Linux Server Security is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Linux Server Hardening

CrowdSec vs Fail2Ban vs SSHGuard for SSH Protection

Fail2Ban, SSHGuard, and CrowdSec can all respond to abusive SSH login patterns, but they are not interchangeable. Fail2Ban is the familiar local log-and-ban tool, SSHGuard is a lighter daemon focused on log-driven blocking, and CrowdSec is a broader detection/remediation system with optional shared intelligence and bouncers.

For one small VPS, Fail2Ban is often enough. For multiple servers or a wider detection model, CrowdSec deserves a look. For a minimal SSH-focused setup, SSHGuard can be attractive if it is well packaged for your distro.

What problem are these tools solving?

They reduce repeated abusive login attempts by watching logs or events and applying a response. The usual response is a temporary block through the host firewall.

They do not replace SSH keys, MFA where available, least-privilege accounts, patching, or private access. If SSH should not be public, a mesh VPN or private access path is a bigger win than arguing about ban daemons.

Use these tools as noise and abuse reduction, not as the foundation of your access model.

Where Fail2Ban fits

Fail2Ban is the conservative default for many Linux admins because it is widely packaged, well understood, and easy to reason about on a single host.

Choose Fail2Ban when:

The downside is scope. Fail2Ban is local-first. It can be extended, but it does not give you a modern fleet-wide security product by default.

Where SSHGuard fits

SSHGuard is generally a simpler log-monitoring blocker. It can be a good fit when you want a small service focused on SSH and similar authentication logs without building a wider security stack.

Choose SSHGuard when:

The tradeoff is ecosystem and familiarity. Many tutorials and admin muscle-memory paths are written for Fail2Ban instead.

Where CrowdSec fits

CrowdSec separates detection from remediation. Its docs describe the Security Engine as detection, and note that blocking requires a remediation component such as a firewall bouncer. The firewall bouncer can work with iptables, nftables, ipset, and pf depending on platform and mode.

Choose CrowdSec when:

Do not install CrowdSec and assume it blocks everything by magic. The detection engine and remediation component are separate parts of the design.

Decision table

Situation Better first choice
One Ubuntu VPS with public SSH Fail2Ban
Minimal SSH-focused blocking SSHGuard
Several servers with central visibility needs CrowdSec
Web application protection CrowdSec with an appropriate web/WAF-capable bouncer, not just firewall blocking
Private admin access through Tailscale Maybe none for SSH exposure, because SSH is not public
Team that cannot explain firewall backend Start with simpler Fail2Ban or private access

The tool should match the operator. A complicated defensive stack nobody checks is not an upgrade.

What should come before any ban tool?

Start with the access model. If SSH is public, use key-based login, disable password login where appropriate, keep recovery access, and document who can log in. If SSH does not need to be public, move it behind a private path.

Then add a tool to reduce noise. Pair this decision guide with Fail2Ban for SSH, the Fail2Ban Ubuntu baseline, and why a nonstandard SSH port is not real security.

FAQ

Is CrowdSec better than Fail2Ban?

Not universally. CrowdSec is broader and more modular; Fail2Ban is simpler and familiar. For one small server, simplicity may win.

Do these tools stop all brute-force attacks?

No. They can reduce repeated attempts and block sources according to policy, but SSH configuration and access design still matter.

Can I run more than one?

Usually avoid stacking multiple tools that all modify firewall blocks unless you have a documented reason. Overlap makes troubleshooting harder.

Sources