Fail2ban

Fail2ban is an intrusion prevention software framework which protects computer servers from brute-force attacks. It is written in the Python programming language and uses the iptables firewall to ban specific hosts once they meet a configured threshold of invalid attempts.

Fail2Ban does this by monitoring the log files of certain services. For example, it will monitor /var/log/auth.log and search for failed logins. If it detects that a host has failed to log in too many times, it bans that host for a configurable time period.

When Fail2Ban bans a host, it will use the iptables firewall.

Installation

sudo apt-get install -y fail2ban

Fail2Ban’s configuration files are found in /etc/fail2ban. The default configuration file is /etc/fail2ban/jail.conf.

Fail2ban automatically scans for a jail.local file and loads it.

Configuration files added in /etc/fail2ban/jail.d can tweak or overwrite configuration found in /etc/fail2ban/jail.local.

In addition to .local, for any .conf file there can be a corresponding .d/ directory containing additional .conf files that are read after the appropriate .local file. The last parsed file takes precedence over identical entries, parsed alphabetically...

Configuration

Fail2ban uses the concept of filters, actions and jails.

Filters are the regular expressions you want to look for. Actions are the steps you want to take when you find something. Jails are what you create to tie together a log file, a filter and an action.

Here are some items under the [DEFAULT] section from /etc/fail2ban/jail.conf.

  • ignoreip has to be set to 127.0.0.1/8, which ignores connections from the local host (the loopback range).
  • bantime defaults to 600 seconds.
  • findtime is the amount of time wherein a threshold must be met in order to trigger a ban. Defaults to 600 seconds.
  • maxretry defaults to 3.

Actions

Fail2Ban ships with some pre-built actions to take when a ban is triggered. Usually this is a simple ban of the host, or a ban plus an email notification.

Jails

Each Jail specifies a service to be monitored. SSH is enabled by default.