I’ve been using fail2ban for a while on a Linux system with a couple of ports open to the outside world. Naturally, this results in more than a few login attempts by unknowns during any given day. Fail2ban is a simple Python-based IP blocking application for POSIX systems. It works by continuously scanning various system logs for failed login attempts and temporarily blocking the offending IP addresses with iptables.
Since we run a Debian-heavy environment, this post only covers installation on Debian.
Start by installing fail2ban (as root):
apt-get install fail2ban
Modify /etc/fail2ban/jail.conf to suit your needs. The JAILS section is used to define the parameters you’d like for each of your open doors.
An example jail for SSH:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
And for mail systems using for example postfix and dovecot:
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[dovecot-pop3imap]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot-pop3imap
logpath = /var/log/mail.log
As you can see, the configuration is fairly straightforward: tell fail2ban where your logs are, which ports to monitor, and the maximum number of retries if you don’t want the default.