Fail2ban

Fail2Ban is a simple service you can install to monitor your auth.log file and temporarily ban IPs that are trying to log in to your systems.

It works with a number of protocols, but out of the box it comes preconfigured to monitor and secure SSH.  You can install it on Debian Linux with:

$ apt-get install fail2ban

Once installed it will work as-is, but there are two specific things worth configuring.  It’s great to have an email alert when an attempt is made, so we need to configure the default action.  There are three options:

action_
[Default] Just go ahead and ban the IP
action_mw
Ban the IP, but also send an email with a whois report
action_mwl
Ban the IP, send an email with the whois report and also the auth.log lines containing the rogue IP

This needs to be set in /etc/fail2ban/jail.conf.  The default is (line 102):

action = %(action_)s

Finally we need to configure the email address the alerts will be sent to.  This is on line 57:

destemail = admin@example.com

Then restart the service:

$ service fail2ban restart

And we’re done!  By default IPs are banned via iptables for a period of 10 minutes.
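The settings from the steps above, collected into one file as an added example (not from the original post). It goes in a jail.local override rather than being edited into jail.conf, so a package upgrade does not overwrite it; the sender address and the [sshd] jail name are assumptions (older releases call the jail [ssh]).

```ini
# /etc/fail2ban/jail.local (assumed path): values here override jail.conf

[DEFAULT]
# Address the ban notifications are sent to (from the post)
destemail = admin@example.com
# From-address for the notifications; assumed value
sender = fail2ban@example.com

# Ban the IP, mail a whois report and the matching auth.log lines
# (the default is %(action_)s, which bans silently)
action = %(action_mwl)s

# Ban length in seconds; 600 matches the 10 minute default described above
bantime = 600

[sshd]
# Jail name is an assumption; fail2ban 0.8.x named it [ssh]
enabled = true
logpath = /var/log/auth.log
```

After `service fail2ban restart`, `fail2ban-client status sshd` lists the jail's log file, failure counts and the addresses currently banned.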