Fail2ban
Introduction
Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc.. and uses iptables profiles to block brute-force attempts.
Installation
To install fail2ban, type the following in the terminal:
Quotesudo apt-get install fail2ban
Configuration
To configure fail2ban, make a 'local' copy the jail.conf file in /etc/fail2ban
Quotecd /etc/fail2ban
sudo cp jail.conf jail.local
Now edit the file:
Quotesudo nano jail.local
Set the IPs you want fail2ban to ignore, the ban time (in seconds) and maximum number of user attempts to your liking:
QuoteDisplay More
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 3600
maxretry = 3
Email Notification
Note: You will need sendmail or any other MTA to do this.
If you wish to be notified of bans by email, modify this line with your email address:
Quotedestemail = your_email@domain.com
Then find the line:
Quoteaction = %(action_)s
and change it to
Quoteaction = %(action_mw)s
Jail Configuration
Jails are the rules which fail2ban apply to a given application/log:
QuoteDisplay More
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
To enable the other profiles, such as [ssh-ddos], make sure the first line beneath it reads:
Quoteenabled = true
Once done, restart fail2ban to put those settings into effect
Quotesudo /etc/init.d/fail2ban restart
Advanced: Filters
If you wish to tweak or add log filters, you can find them in
Quote/etc/fail2ban/filter.d
Testing
To test fail2ban, look at iptable rules:
Quoteiptables -L
Attempt to login to a service that fail2ban is monitoring (preferably from another machine) and look at the iptable rules again to see if that IP source gets added.
Remarks : To test fail2ban on Ubuntu 12.04 server edition a reboot is required. Restarting or reloading the service didn't work.
Credit to : ubuntu help community
Regards
Shata
