Tag Archives: IPS

Using fail2ban for temporary lock outs

I’ve been using fail2ban for a while on a Linux system with a couple of ports open to the outside world. Naturally, this results in more than a few login attempts by unknowns during any given day. Fail2ban is a simple Python-based IP blocking application for POSIX systems. It works by continuously searching various system logs for failed login attempts and temporarily blocking the offending IP addresses with iptables.

Since we run a Debian-heavy environment, this post only covers installation on Debian.

Start by installing fail2ban (as root):

apt-get install fail2ban

Modify /etc/fail2ban/jail.conf to suit your needs. The JAILS section is used to define the parameters you’d like for each of your open doors.

An example jail for SSH:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

And for mail systems using, for example, Postfix and Dovecot:

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

[dovecot-pop3imap]
enabled  = true
port     = pop3,pop3s,imap,imaps
filter   = dovecot-pop3imap
logpath  = /var/log/mail.log

As you can see, the configuration is fairly straightforward: tell fail2ban where your logs are and which ports to monitor, and set the maximum number of retries unless the default suits you.
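To make the counting behind maxretry concrete, here is an added illustration (my own code, not fail2ban’s) of what a jail does with a log: match failure lines with a filter regex, count failures per source address inside a sliding time window, and hand the address to a ban action once the count reaches maxretry. The regex is a deliberately simplified, hypothetical stand-in for fail2ban’s real sshd filter, the auth.log lines are constructed sample data, and the ban_command helper only returns the iptables arguments it would run rather than touching the firewall. The findtime window is a real fail2ban jail option that the page does not mention; the default here is an assumption for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical, simplified failregex: it recognises only the common
# "Failed password" line. fail2ban's real sshd filter
# (/etc/fail2ban/filter.d/sshd.conf) matches many more message forms.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")

# Constructed sample of /var/log/auth.log (not real data; RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar  1 10:00:01 box sshd[1111]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:03 box sshd[1112]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  1 10:00:05 box sshd[1113]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  1 10:00:06 box sshd[1114]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar  1 10:00:07 box sshd[1115]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Mar  1 10:00:09 box sshd[1116]: Failed password for invalid user oracle from 198.51.100.7 port 40005 ssh2
Mar  1 10:00:11 box sshd[1117]: Failed password for root from 198.51.100.7 port 40006 ssh2
Mar  1 10:00:12 box sshd[1118]: Failed password for bob from 192.0.2.10 port 50001 ssh2
Mar  1 10:30:00 box sshd[1119]: Failed password for root from 203.0.113.9 port 41000 ssh2
Mar  1 10:45:00 box sshd[1120]: Failed password for root from 203.0.113.9 port 41001 ssh2
Mar  1 10:50:00 box sshd[1121]: Failed password for root from 203.0.113.9 port 41002 ssh2
"""


def parse_timestamp(line):
    """Parse the syslog timestamp at the start of a line (the year is not logged)."""
    m = TIMESTAMP.match(line)
    if not m:
        raise ValueError("no syslog timestamp: %r" % line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S")


def find_bans(log_text, maxretry=6, findtime=600):
    """Return {host: time of ban} for hosts that reach maxretry failures
    within a sliding window of findtime seconds, the way a jail counts them."""
    recent = defaultdict(deque)  # host -> timestamps of failures still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # not a failure line; ignored
        host = m.group("host")
        if host in bans:
            continue  # already banned; nothing more to count
        ts = parse_timestamp(line)
        q = recent[host]
        q.append(ts)
        # Drop failures that have fallen out of the findtime window.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


def ban_command(host):
    """Simplified stand-in for the iptables rule a ban action inserts
    (the real banaction uses a per-jail chain; this one just drops the source)."""
    return ["iptables", "-I", "INPUT", "-s", host, "-j", "DROP"]


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print("%s banned at %s: %s" % (host, when.strftime("%H:%M:%S"),
                                       " ".join(ban_command(host))))
```

With the page’s maxretry of 6, only 198.51.100.7 is banned, on its sixth failure at 10:00:11. Lowering maxretry to 3 bans it at 10:00:05, while 203.0.113.9 (three failures spread over twenty minutes) is only caught if findtime is widened to cover them, which is the trade-off a slow, patient guesser exploits and why both values matter.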
