Fail2Ban is an intrusion prevention framework written in the Python programming language. Fail2Ban could reduce a successful dictionary attack. Because we limit the number of tries to access to the specific service that we want to enable. In this example we are going to show with sshd service only. The standard configuration ships with filters for sshd, Apache, Lighttpd, vsftpd, qmail, Postfix and Courier Mail Server.
Installation On Ubuntu and derivatives
Log-in as root user and enter the following command to install Fail2ban.
apt-get install fail2ban
Copy a config file in /etc/fail2ban/ of file “jail.conf” to “jail.local”
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit file jail.local
# "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1/8 bantime = 3600 maxretry = 3
Find the line that says destmail and add your email address.
destemail = firstname.lastname@example.org
Chose default actions
action = %(action_)s
And change it to:
action = %(action_mw)s
Email Actions, In this case we use sendmail.
# email action. Since 0.8.1 upstream fail2ban uses sendmail # MTA for the mailing. Change mta configuration parameter to mail # if you want to revert to conventional 'mail'. mta = sendmail
Enable SSH with fail2ban
Find the ssh section in the same file, and adjust to your need:
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3
Once done, Restart fail2ban to apply these settings.
service fail2ban restart
Let’s try to access via SSH to this server with the incorrect information for 3 times. We will get one email and can not ssh to that server for 1 hour with the user we tried.