source: Paul’s blog
Up until now I have been manually blocking IPs that attack my server, but by the time I see them the attacks have normally finished. After the last big attack on my email server (some 35,000 attempts) I decided to find a way to automate the blocking. After a bit of research I decided to set up Fail2ban, and here's how I did it.
As I use a third-party repository, EPEL (how to add repositories), I can just use yum to install it:
yum install fail2ban
Once installed I just needed to change the configuration to my liking. The config files can be found in « /etc/fail2ban ».
First I edit « /etc/fail2ban/fail2ban.conf » and ensure « logtarget » is set correctly, so that there is a log file to check later:
logtarget = /var/log/fail2ban.log
The default behaviour of fail2ban is configured in « /etc/fail2ban/jail.conf ». There's a [DEFAULT] section that applies to every jail unless an option is overridden in the jail's own section. Note that jail.conf is replaced when the package is upgraded, so it is safer to put your changes in « /etc/fail2ban/jail.local », which fail2ban reads after jail.conf; the settings below work the same in either file.
I explain some of the configuration options here:
ignoreip: A space-separated list of IP addresses (CIDR ranges are accepted too) that fail2ban will never ban. Put your own address here so you cannot lock yourself out.
bantime: Time in seconds that a host stays blocked once fail2ban has caught it (the default of 600 seconds is 10 minutes).
maxretry: Number of failed attempts, counted within « findtime », after which the host is blocked by fail2ban.
findtime: The window in seconds in which the « maxretry » failures must occur; failures older than this are forgotten, so a slow attacker who spreads attempts out over hours will not reach maxretry.
filter: The name of the filter file in « /etc/fail2ban/filter.d » (without the .conf extension) that supplies the failregex for the jail.
logpath: The log file that fail2ban watches for lines matching the filter.
So I edit « /etc/fail2ban/jail.conf » and add my own IP to « ignoreip ».
Then I just need to configure the jails I want to use. Here's my ssh jail:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-multiport[name=SSH, port="ssh,4564"]
           sendmail-whois[name=SSH, dest=root, sender=email@example.com]
logpath  = /var/log/secure
maxretry = 3
Don't forget to change the port to whatever port your ssh runs on (the port list is what iptables-multiport blocks, so it must include every port sshd listens on, written without spaces), and set « sender » and « dest » to your own addresses.
I use a couple of other jails/filters, which I'll show you how I configured, but first here is how to start it and check it's running.
Start the fail2ban service (and enable it at boot), then check « /var/log/fail2ban.log » and make sure there are no errors; a broken failregex or a logpath that does not exist shows up here, and « fail2ban-client status » lists the jails that actually came up.
You can also check that the rules are in iptables: each jail gets its own chain, named fail2ban- followed by the « name » given to the action (fail2ban-SSH for the jail above), and banned addresses appear as rules in that chain.
Now, as I said, I use a couple of custom filters. Here's how I did them.
Create the filter file « /etc/fail2ban/filter.d/dovecot-pop3imap.conf » and add:
[Definition]
failregex = (?: dovecot: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login).*rip=(<HOST>),.*
ignoreregex =
Note: the failregex may need changing to suit your Dovecot version and log format; test it against your own maillog before relying on it, because a regex that never matches silently bans nothing.
Now add the following to « /etc/fail2ban/jail.conf »:
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
           sendmail-whois[name=dovecot-pop3imap, dest=root, sender=firstname.lastname@example.org]
logpath  = /var/log/maillog
maxretry = 5
findtime = 600
bantime  = 3600
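To see how the options explained earlier (ignoreip, findtime, maxretry, bantime) combine with the failregex, here is a small Python replay of the dovecot filter over a few constructed maillog lines. This is an added example, not fail2ban's own code and not from the original post: it reuses the failregex and jail values above verbatim, expands <HOST> the way fail2ban does (HOST_RE is my rendering of that substitution and is an assumption about the version in use), and the log lines, the RFC 5737 test addresses and the 192.0.2.0/24 ignoreip range are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# fail2ban expands the <HOST> tag to (essentially) this pattern before compiling
# a failregex: an optional IPv4-mapped IPv6 prefix, then an address or hostname.
# Assumed here; check the filter code of the version you run.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the dovecot-pop3imap filter above, verbatim.
DOVECOT_FAILREGEX = (
    r"(?: dovecot: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|Aborted login)"
    r".*rip=(<HOST>),.*"
)

# Settings from the [dovecot-pop3imap] jail above. The ignoreip list is an
# assumption for this example: localhost plus an assumed "own network" range.
JAIL = {
    "findtime": 600,
    "maxretry": 5,
    "bantime": 3600,
    "ignoreip": ["127.0.0.1", "192.0.2.0/24"],
}

# Constructed /var/log/maillog excerpt (RFC 5737 documentation addresses);
# not taken from any real server.
SAMPLE_MAILLOG = """\
Jan 12 03:14:07 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jan 12 03:14:09 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jan 12 03:14:11 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jan 12 03:14:12 mail dovecot: imap-login: Login: user=<paul>, method=PLAIN, rip=198.51.100.9, lip=198.51.100.2, TLS
Jan 12 03:14:13 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jan 12 03:14:15 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<sales>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Jan 12 03:20:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<a>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Jan 12 03:25:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<b>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Jan 12 03:30:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<c>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Jan 12 03:35:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<d>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Jan 12 03:40:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<e>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
Jan 12 03:41:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<paul>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
Jan 12 03:41:01 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<paul>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
Jan 12 03:41:02 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<paul>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
Jan 12 03:41:03 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<paul>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
Jan 12 03:41:04 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<paul>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
"""


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile; the pattern is searched, not anchored."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(log_text, failregex):
    """Return the <HOST> value of every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


def parse_syslog_time(line):
    """Seconds (from an arbitrary origin) for the 'Mon DD HH:MM:SS' syslog prefix."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (stamp - datetime(1900, 1, 1)).total_seconds()


def is_ignored(host, ignoreip):
    """True when host lies inside any ignoreip address or CIDR range."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved in this example
    return any(addr in ip_network(entry, strict=False) for entry in ignoreip)


def run_jail(log_text, failregex, jail):
    """Replay log lines through one jail; return {host: time_of_ban}."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(list)  # host -> failure times still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue  # not a failure line for this filter (e.g. a successful login)
        host = m.group("host")
        if is_ignored(host, jail["ignoreip"]):
            continue  # ignoreip hosts are never counted
        now = parse_syslog_time(line)
        if host in bans and now < bans[host] + jail["bantime"]:
            continue  # already banned; nothing to do until bantime expires
        # Drop failures older than findtime, then add this one.
        window = [t for t in recent[host] if t >= now - jail["findtime"]]
        window.append(now)
        recent[host] = window
        if len(window) >= jail["maxretry"]:
            bans[host] = now
            recent[host] = []
    return bans


if __name__ == "__main__":
    for host, when in run_jail(SAMPLE_MAILLOG, DOVECOT_FAILREGEX, JAIL).items():
        print("ban", host, "at", when)
```

Running it bans only 203.0.113.5 (five failures in eight seconds); 198.51.100.77 also fails five times but five minutes apart, so at most three of them ever fall inside the 600 second findtime, and 192.0.2.10 is in ignoreip. Against a real log, fail2ban's own « fail2ban-regex » tool does the matching half of this for you: « fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf » reports how many lines the failregex matched and which hosts it extracted.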
Then just restart fail2ban so it picks up the new jail, and check « /var/log/fail2ban.log » again for errors.
You can create all sorts of custom jails/filters; just google for other ideas.