Linux: Fail2ban

Fed up with repetitive login failures and DoS attempts from all around the world? Read on to learn how to defend against them.

First of all, consider restricting access to a whitelist of known IPv4/IPv6 sources at the firewall. Dynamically inspecting logs for malicious attempts costs CPU, and so do the attempts themselves. If a whitelist is not desired or not applicable, Fail2ban is a suitable way to ease the pain.

Install Fail2ban with:

emerge -av net-analyzer/fail2ban

Rather than editing /etc/fail2ban/jail.conf directly (it is replaced on package upgrades), put your overrides into /etc/fail2ban/jail.local, which Fail2ban reads after jail.conf. Keep comments on their own lines: an inline "# ..." after a value may be read as part of the value.

[DEFAULT]
# Never ban these sources (loopback and the management host); separate entries with spaces
ignoreip = 127.0.0.1 192.168.100.24
# 1 day (in seconds)
bantime = 86400
# Window in which failures are counted: 5 minutes (in seconds)
findtime = 300
# Failures within findtime before a ban
maxretry = 3

# Jail entry for SSH, using iptables for the firewall. Jails are disabled by default.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# Adjust to wherever your syslog writes sshd messages (e.g. /var/log/messages)
logpath = /var/log/auth.log
# Per-jail override of the [DEFAULT] value (here identical, shown for illustration)
maxretry = 3
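As an added illustration (not code from the original post and not Fail2ban's own implementation), the following Python script replays constructed sshd log lines through the counting rules the [DEFAULT] settings describe: a source is banned once it produces maxretry failures inside a sliding findtime window, a ban lasts bantime seconds, and ignoreip sources never count. The regex is a simplified version of the "Failed password" rule in Fail2ban's sshd filter; the log lines, host name and the year 2024 are assumptions. It also runs the same events with a wider findtime to show how a slow brute-force that never trips the 5-minute window gets caught.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from a real host). Syslog timestamps
# carry no year, so the year is assumed below when parsing.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:00:30 host sshd[1250]: Accepted publickey for alice from 192.168.100.24 port 50003 ssh2
Mar  3 10:01:00 host sshd[1210]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:00 host sshd[1240]: Failed password for root from 192.168.100.24 port 50000 ssh2
Mar  3 10:05:01 host sshd[1241]: Failed password for root from 192.168.100.24 port 50001 ssh2
Mar  3 10:05:02 host sshd[1242]: Failed password for root from 192.168.100.24 port 50002 ssh2
Mar  3 10:20:00 host sshd[1220]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:40:00 host sshd[1230]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

# Simplified stand-in for the "Failed password" rule in filter.d/sshd.conf;
# the real filter matches many more sshd messages.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip) for every failed-password line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other daemons are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def simulate_jail(events, findtime=300, maxretry=3, bantime=86400, ignoreip=()):
    """Replay failures through the jail's counting rules.

    A source is banned when it accumulates `maxretry` failures inside a
    sliding `findtime` window; the ban lasts `bantime` seconds.
    Returns {ip: [(ban_start, ban_end), ...]}.
    """
    window = timedelta(seconds=findtime)
    ban_len = timedelta(seconds=bantime)
    recent = defaultdict(list)  # ip -> failure timestamps still inside findtime
    banned_until = {}           # ip -> datetime at which its current ban expires
    bans = defaultdict(list)
    for ts, ip in sorted(events):
        if ip in ignoreip:
            continue  # ignoreip sources never count, even when they fail
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned: the firewall would have dropped this
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip].append((ts, ts + ban_len))
            banned_until[ip] = ts + ban_len
            recent[ip] = []  # counting restarts once the ban expires
    return dict(bans)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_AUTH_LOG)
    ignore = ("127.0.0.1", "192.168.100.24")
    # With the 5-minute window only the fast attacker (203.0.113.7) is banned;
    # the management host fails three times but is protected by ignoreip.
    print("findtime=300 :", simulate_jail(events, ignoreip=ignore))
    # A one-hour window also catches the slow attacker (198.51.100.9).
    print("findtime=3600:", simulate_jail(events, findtime=3600, ignoreip=ignore))
```

Pass a real log file's contents to parse_failures to see which sources the settings would ban before enabling the jail; the same experiment against the real filter is what fail2ban-regex does.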

And start the daemon:

rc-service fail2ban start
rc-update add fail2ban default

There are several ways to interact with the daemon. Overall status, including the list of active jails:

fail2ban-client status

Details of one jail, including the currently banned IP addresses:

fail2ban-client status ssh-iptables
