Too many failures, and it will update your firewall to drop all traffic from the offending IP address. Pretty handy, and enough to stop the casual hacker with a dictionary attack.
Fail2ban is very flexible and can be configured to work with any service that writes to a logfile, but here’s the basics to get you up and protected in a few minutes.
1. Get the files
cd to /tmp for a nice place for them to land, then
2. Extract them
tar -xf fail2ban-0.8.4.tar.bz2
3. Head to the new directory and install
then (you need to have python installed)…
python setup.py install
All installed ok?
4. Get it starting up automatically
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
You’ll need to turn some stuff on, and fiddle with settings to your liking in:
If you’re enabling SSH-iptables, then the path for SSH monitoring needs to be changed to /var/log/secure
You can determine the services being monitored, number of retries a user is allowed, as well as the ban time in this settings file.
Once you’re configured, start the service with:
service fail2ban start
You can test the rules per service using:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
The defaults should work correctly for SSH but if they don't, check out this article for more options.
NOTE: fail2Ban 0.8.4 doesn't ban VSFTPD failures
Once I realized that fail2ban was configured to ignore failed logins from my LAN IP's, I did manage to get banned. The following settings worked for me:
[vsftpd-iptables] enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=root@localhost, firstname.lastname@example.org] logpath = /var/log/vsftpd.log maxretry = 3 bantime = 1800
I left default settings for IP tables and for /etc/fail2ban/filter.d/vsftpd.conf