Fail2ban Quick Guide
Fail2ban is an excellent tool to protect your web server from brute force attacks, and it's a definite must if you allow password authentication through ssh. It monitors various log files on your system, then uses your firewall to "jail" or temporarily ban an IP.
It also helps stop distributed brute force attacks that may bog down a lightweight VPS. Installation and configuration are fairly straightforward.
Installation on CentOS
root@centos:~# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
root@centos:~# yum install fail2ban
Installation on Ubuntu
root@ubuntu:~# apt-get install fail2ban
Once installed, make a copy of the config file and edit the copy (fail2ban reads jail.local on top of jail.conf, so your changes survive package upgrades).
root@centos:~# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
root@centos:~# nano /etc/fail2ban/jail.local
The config file is mostly self-explanatory. Make sure to go over the entire config file, but I’ll explain the important bits below.
# Acts as a whitelist - you may also add any trusted IPs here.
ignoreip = 127.0.0.1
# How many seconds the IP will be banned for.
bantime = 4000
# How many tries an IP gets before being banned.
maxretry = 4
Lastly, to protect against ssh brute force attempts, edit the [ssh] section. The default config works out of the box, but check it over, especially if your ssh log file path is non-default.
Restart after editing the config file.
root@centos:~# service fail2ban restart
You can check the fail2ban log and your iptables rules for banned IPs:
root@centos:~# zgrep 'Ban:' /var/log/fail2ban.log*
root@centos:~# iptables -L INPUT -v -n
Keep in mind that fail2ban bans IPs only temporarily, so you may see conflicting results when comparing the ssh log, iptables, and the fail2ban log.