Fail2ban helps you to protect yourself from brute force attacks coming from a single IP-address by monitoring the log files on your server. Fail2ban can be used - for example - to prevent logging in after a set amount of failed login attempts.
The problem with Fail2ban is that it does not support IPv6 addresses and does not protect well against distributed brute force attacks.
Debian / Ubuntu
aptitude install fail2ban
apt-get install fail2ban
Red Hat / CentOS / Fedora
Download installation package
Install with the command
yum install fail2ban
ignoreip = IP-addresses which bypass the filters
bantime = Determines how long an address is kept on the ban list, default is 600 seconds
findtime = Blocks an IP-address if it has failed to login three times consecutively within the set time, findtime
maxretry = How many attempts an address is allowed until it is blocked
# "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 192.168.1.1 bantime = 600 maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto
This configuration excludes the IP-addresses 192.168.1.1 and 22.214.171.124 (=localhost) from the ban list. Maximum 3 login attempts allowed until address is placed on a 600 second ban list.
And the SSH configuration:
[ssh] # fail2ban-ssh = filter name enabled = true # is filter in use? options are true and false port = ssh # port which can be used for ssh for example port 22 filter = sshd # type of filter. filters can be found from the /etc/fail2ban/filter.d/ directory logpath = /var/log/auth.log # location of logs maxretry = 6 # how many attempts are allowed
[apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6
# default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6
[apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6
[apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2
enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6
By default SSH allows 6 attempts when trying to form a connection, we recommend limiting it to 3 attempts.
port = ssh must be changed if you have changed the SSH default port in the /etc/ssh/sshd.config file.
enabled = true port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 3
[postfix] enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log
[sasl] enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log
[dovecot] enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log
Fail2ban checks the ban list from the fail2ban log, which can be found under the path /var/log/fail2ban.log
In this file you can see all the logs and attempts made trying to connect to your server.
2014-05-13 15:52:30,388 fail2ban.actions: WARNING [sendmail] Ban XXX.66.82.116 2014-05-13 15:59:29,295 fail2ban.actions: WARNING [sendmail] Ban XXX.27.118.100 2014-05-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban XXX.66.82.116 2014-05-13 16:14:29,530 fail2ban.actions: WARNING [sendmail] Unban XXX.27.118.100 2014-05-13 16:56:27,086 fail2ban.actions: WARNING [ssh] Ban XXX.136.60.164 2014-05-13 17:11:27,833 fail2ban.actions: WARNING [ssh] Unban XXX.136.60.164