Setting up Fail2Ban

Linux, Debian

Sources: [1], [2]

[1]: http://www.unixmen.com/how-to-prevent-ssh-brute-force-attacks-with-fail2ban-on-debian-7/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-prevent-ssh-brute-force-attacks-with-fail2ban-on-debian-7
[2]: http://blogs.buanzo.com.ar/2009/01/fail2ban-rules-for-lighttpd-fastcgi-alerts.html

Log in as the root user and enter the following command to install Fail2Ban:

apt-get install fail2ban

All configuration files are found in the /etc/fail2ban directory. The main configuration file is /etc/fail2ban/jail.conf. Rather than editing it directly, make a local copy of it so that package upgrades do not overwrite your changes or force you to merge them. Create and edit the local copy of /etc/fail2ban/jail.conf as shown below:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the /etc/fail2ban/jail.local file in any editor. You will find a section called [DEFAULT]. This section contains the basic set of rules that Fail2Ban will follow. Set the values according to your requirements:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.100.1/24
bantime = 900
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

By default, Fail2Ban ships with a set of pre-defined filters for various services, so you do not need to write any filters by hand. All you need to do is set enabled to true or false in each jail section, and Fail2Ban automatically watches the corresponding service. Here is the SSH section in the jail.local file:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

And the SSH-DDoS section in the jail.local file:

[ssh-ddos]

enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

And the Lighttpd-FastCGI section in the jail.local file:

[lighttpd-fastcgi]

enabled = true
port    = http,https
filter  = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
maxretry = 2
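As an added example (not code from the original article or from the Fail2Ban project), the following POSIX shell snippet emulates what the [ssh] jail above does with its sshd filter and maxretry setting: it counts "Failed password" lines per source address in constructed sample auth.log lines, drops addresses covered by the ignoreip entries from the [DEFAULT] section, and lists those that have reached the threshold. The log lines and the ban_candidates function are constructed for illustration, and the ignoreip matching is simplified to the exact host and the one /24 from the page.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not taken from a real host).
# 203.0.113.5 fails three times, 198.51.100.7 once, 192.168.100.20 four times
# but falls inside the ignoreip range 192.168.100.1/24.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 server sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:05 server sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:09 server sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Mar  3 10:02:00 server sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Mar  3 10:02:30 server sshd[1215]: Failed password for deploy from 198.51.100.7 port 40110 ssh2
Mar  3 10:03:00 server sshd[1220]: Failed password for root from 192.168.100.20 port 40200 ssh2
Mar  3 10:03:01 server sshd[1220]: Failed password for root from 192.168.100.20 port 40200 ssh2
Mar  3 10:03:02 server sshd[1220]: Failed password for root from 192.168.100.20 port 40200 ssh2
Mar  3 10:03:03 server sshd[1220]: Failed password for root from 192.168.100.20 port 40200 ssh2'

# ban_candidates MAXRETRY
# Reads auth.log lines on stdin and prints, one per line in sorted order,
# every source IP whose failed-password count is >= MAXRETRY, except
# addresses matching the ignoreip entries from the jail.local above
# (127.0.0.1 exactly, and 192.168.100.0/24 as a simple prefix match).
ban_candidates() {
    maxretry="$1"
    # 1. keep only sshd failed-password lines and extract the source IP
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v max="$maxretry" '$1 >= max { print $2 }' \
    | grep -v -E '^(127\.0\.0\.1|192\.168\.100\.[0-9]+)$'
}

# With maxretry = 3 as in the [ssh] jail, only 203.0.113.5 would be banned.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 3
```

Real Fail2Ban only counts failures that fall within its findtime window and uses the full regex set of the sshd filter; this snippet just shows the per-address threshold logic on the log the jail points at.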

Once you have changed the configuration, restart the Fail2Ban service to apply the changes:

/etc/init.d/fail2ban restart

You can verify the rules added by Fail2Ban to iptables with the following command:

root@server:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere