One cp bruteforce

Ok guys if anyone can help

i have it all working now with ssl all good

i would like to know what methods are implemented to stop bf attacks of the control panel.

i have fail2ban which i would say to everyone install as last 2 days over 100 sshd ip jailed permanently

if been trying to get a jail config working for the cp but cant seem to get it to work.

if anyone know how to set up a jail for opennebula im using nginx

or is this something the cp login authentication of x509 certs is for to prevent bf attacks.

Just to be clear it will be only me accessing the panel and this setup is just for me not for customers its only for me to scale my apps websites and datate servers for my self for ease.

so would x509 auth ok to stop brute force to the cp and should i implement that instead of trying to work out a fail2ban jail i do need to access the panel from an external ip incase i have to administer anything when im away from the cluster so local access restriction is not an option

Ubuntu 16.04
nginx
fail2ban
opennebular 5.21

if that helps

Kind of answered my own questions.

Last 2 days done a massive info download on protecting with encryption
with ciphers, 4096 key files, HSTS, x509 etc etc,

got my nginx and and sites up to 100% a+ rating on ssllabs testing, obviously theses are not production sites yet as just educating, documenting all steps in setting up securely, pen-testing and closing any holes before i build my production from scratch.

So the answer to my own question for those who does not no the answer yes you can use x509 to prevent bruteforce in such away you can make the x509 key and implement in the vhosts that the page would not even load unless they had the key securely on there own system ready for verification.

with the added autologin feature of opennebular with x509 key and nginx page load restriction with out the key and tlsv1.2 page encryption you can safely say the onecp panel is fairly safe.

But as we all know one day it wont be as new exploits are found but if you keep up with these new exploits via a new exploit notification website or so and patch them right away you can be pretty sure you will will not be 100% safe but 99% sure you server will withstand an attack or at least stop it before it cause some serious damage.