Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your server. If you pay attention to the logs of the services it protects, you will often see repeated, systematic login attempts: brute-force attacks by humans and bots alike. Fail2ban uses these log entries to block the sources of failed login attempts.
Fail2ban adds a new rule to iptables, blocking the attacker's IP address either for a set amount of time or permanently. It can also alert you by email that an attack is occurring.
The fail2ban package is available under Debian/unstable and also as a download for other Linux systems.
Installing Fail2ban on CentOS 7
Ensure your system is up to date and install the EPEL repository:
# yum update && yum install epel-release
# yum install fail2ban
This installs fail2ban and starts it as a daemon. However, you will probably want to edit the configuration file and restart the daemon to get it running the way you want. The configuration file can be found at /etc/fail2ban.conf.
Install Sendmail if you want email alerts.
# yum install sendmail
Start and enable Fail2ban
# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl start sendmail
# systemctl enable sendmail
Installing Fail2ban on Debian / Ubuntu
Make sure all packages are up to date.
# apt-get update && apt-get upgrade -y
# apt-get install fail2ban
The service will automatically start.
Fail2ban will monitor the auth.log file for failed access attempts. As soon as the daemon is running, your SSH port (22) is protected from brute-force attacks: a source is allowed only a small number of failed attempts before it is blocked.
Actions taken by the daemon are logged by default in /var/log/fail2ban.log.
Most entries don't need to be changed, but there are a few that you might want to edit. The DEFAULT settings apply to all sections:
[DEFAULT]
maxfailures = 3
bantime = 900
findtime = 600
The MAIL section needs enabled set to true if you want to receive emails:
[MAIL]
enabled = true
to = [email protected]
The Apache section controls monitoring of Apache logs; it is disabled by default, so set enabled to true if you want those logs monitored:
[Apache]
enabled = false
The SSH section is where monitoring of the auth.log file for failed access attempts is configured:
[SSH]
enabled = true
logfile = /var/log/auth.log
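As an added illustration (not code from the original page or from the fail2ban project) of how the DEFAULT thresholds and the SSH log monitoring above fit together, the following Python simulates fail2ban's counting logic over a few constructed auth.log lines: an IP that reaches maxfailures within findtime is banned for bantime, while failures spread wider than findtime are not counted together. The sshd line format and the year assumed for the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the [DEFAULT] section above (all times in seconds).
MAXFAILURES = 3    # failures that trigger a ban
FINDTIME = 600     # window within which failures are counted together
BANTIME = 900      # how long the ban lasts

# Shape of the sshd lines fail2ban looks for in auth.log (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts: str, year: int = 2024) -> datetime:  # syslog lines carry no year; one is assumed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def simulate(lines, maxfailures=MAXFAILURES, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: datetime_of_ban} for every IP the jail would have banned."""
    window = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    bans = {}                     # ip -> time the ban was issued
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise never count
        ip, now = m["ip"], parse_ts(m["ts"])
        if ip in bans:
            if now < bans[ip] + timedelta(seconds=bantime):
                continue          # still banned: iptables would have dropped this
            del bans[ip]          # ban expired, start counting afresh
        q = window[ip]
        q.append(now)
        while q and (now - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxfailures:
            bans[ip] = now
            q.clear()
    return bans

# Constructed sample (not a real log): one IP fails 3 times in 8 seconds, another 3 times over 21 minutes.
SAMPLE_AUTH_LOG = [
    "Mar  3 09:40:00 host sshd[1101]: Failed password for bob from 198.51.100.20 port 40001 ssh2",
    "Mar  3 09:52:00 host sshd[1150]: Failed password for bob from 198.51.100.20 port 40002 ssh2",
    "Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2",
    "Mar  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 50140 ssh2",
    "Mar  3 10:00:30 host sshd[1208]: Accepted publickey for alice from 198.51.100.20 port 41000 ssh2",
    "Mar  3 10:01:00 host sshd[1210]: Failed password for bob from 198.51.100.20 port 40003 ssh2",
]
```

Running simulate(SAMPLE_AUTH_LOG) bans only 203.0.113.7, at 10:00:09; 198.51.100.20 never has three failures inside one 600-second window.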
To customize the configuration file, check the fail2ban documentation.