Fail2ban monitors log files like /var/log/auth.log and Webserver access logs and can temporarily or persistently bans failure-prone addresses by updating existing firewall rules.
Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.
Install and configure fail2ban:
apt-get install fail2ban
The configuration file of fail2ban can be found in “/etc/fail2ban/jail.conf”
The configuration file is splited in to sections. You can let the most entries unchanged. The DEFAULT settings apply to all sections:
1 2 3
ignoreip = 127.0.0.1 bantime = 600 maxretry = 3
The Ignore IPvalue can be extended with you management ips.
destemail = firstname.lastname@example.org
Change the default behavior of fail2ban, to receive mails.
1 2 3
#action = %(action_)s # Change to: action = %(action_mw)s
E-Mail of administrator who gets the banned information.
fail2ban will monitor the auth.log file for failed access attempts. As soon as the daemon is running your ssh port (22) will be protected from brute-force attacks – preventing more than a small number of attempts at one time.
Responsible for the SSH part is the default predefined section:
1 2 3 4 5 6
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3
If someone gets banned this will be logged:
fail2ban.actions: WARNING [ssh] Ban 172.16.0.5
To test fail2ban you could use this start brute force attack and see how quick you will be banned