Installing And Using Fail2Ban
Fail2Ban is an application that works with your firewall: it continuously watches your log files, and when it sees entries that trigger a rule you set (called a jail), such as X failed SSH login attempts, it bans the offending IP address for X seconds.
Configure Fail2Ban
Copy the example configuration over
Open the configuration file for editing
Modify The Default Settings
In the default section of the configuration file you will find the following entries. Make sure your ignoreip setting is set as below so that fail2ban bypasses any log file entries that come from the server itself.
The bantime and maxretry entries are generic settings: bantime sets how long fail2ban blocks the offending IP address, and maxretry sets how many times an entry has to show up in a log file before a banning action is taken. These are the default bantime and maxretry values for all jails, but each jail configuration can override them.
Getting Email Notifications Of Banned IPs
You need to have sendmail or another mail transfer agent installed in order for this function to work. Installing and configuring that is out of the scope of this how-to.
In the configuration file look for the line below and change the email address to your email address.
Then look for the following line
and change it to
This will send you an email every time fail2ban bans an IP address. The email also includes whois information for that IP address.
Jail Configuration
Jails are the rules fail2ban uses to analyze logs and then take action on. Some of the sections below may already be included in your configuration file. If they are, feel free to modify them as shown below; if they don't exist, you can copy and paste the following to protect each given service. If you don't run a service, there is no need to add its jail. Each jail section is pretty much the same:
Below are some jails that come with Fail2Ban by default and protect common services. Feel free to tweak them as your site needs/allows.
Start Fail2Ban Service
Once done, restart fail2ban to put your settings into effect
Testing Installation
To test fail2ban, look at the iptables rules
Then attempt to trigger a service that fail2ban is monitoring (from another machine, since local traffic is covered by ignoreip and will not be acted on), for example by logging into SSH 3 times with a wrong password. Then look at the iptables rules again to see if your IP address is blocked.
Add Custom Filters
If you wish to tweak or add log filters, you can add them in: /etc/fail2ban/filter.d
There are lots of third-party scripts out there that you can get and add to your installation for things like oracle / postgres / sendmail / etc.
Just remember to add them to your jails as well and restart the fail2ban service in order to activate them.