Fail2Ban’s primary function is to block selected IP addresses that may belong to hosts trying to breach the system’s security. It determines the hosts to block by monitoring log files (usually /var/log/auth.log) and bans any host IP that makes too many login attempts, or performs another unwanted action, within a time frame defined by the administrator. Most people use it to limit the number of SSH login attempts allowed within a period of time, which makes it much harder for an attacker to brute-force a login. Bear in mind that it raises the cost of guessing rather than removing it: an attacker with many source addresses still gets maxretry guesses from each one before that address is banned, so it complements, rather than replaces, strong passwords or key-only authentication.
The process for installing fail2ban under Ubuntu is:
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo /etc/init.d/fail2ban restart
After these initial steps have been completed, if you are not running Ubuntu 9.04 you can skip the next section, unless you are seeing "Unexpected communication errors" in /var/log/fail2ban.log.
These errors occur because Ubuntu 9.04 runs Python 2.6 by default, which the fail2ban version packaged for it does not work with, so some modifications are needed:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python2.5
sudo vim /usr/bin/fail2ban-server
Change the first line from
#!/usr/bin/python
to
#!/usr/bin/python2.5
Once this is done, restart fail2ban and the communication errors should no longer occur:
sudo /etc/init.d/fail2ban restart
Now that fail2ban is installed and working, the next step is to configure it for your needs. The following is an example /etc/fail2ban/jail.local configured to protect SSH; all of the jails except the one for SSH have been removed. Settings in jail.local override the ones in jail.conf, so jail.conf itself can be left untouched and safely replaced on package upgrades. Comments are kept on their own lines, because fail2ban's configuration parser does not strip a trailing # comment from a value.
# Fail2Ban local configuration file.

[DEFAULT]
# IPs to ignore: the server's own IP, your own IP and any other
# addresses that must never be locked out.
ignoreip = 127.0.0.1 111.111.111.111
# Default ban time for all jails: 10 minutes
bantime = 600
maxretry = 3
# Email address alerts should be sent to
destemail = [email protected]
# Ban action
banaction = iptables-multiport
# MTA to be used; ssmtp here, but sendmail would work just as well
mta = ssmtp

[ssh]
# Monitors SSH login attempts recorded in /var/log/auth.log and bans the
# source address after 3 failed attempts, using the default bantime of
# 10 minutes.
enabled = true
port = ssh
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=[email protected], sender=[email protected]]
logpath = /var/log/auth.log
maxretry = 3
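To see what the jail above actually does with maxretry, bantime and ignoreip, here is a small simulation of that logic run over a few constructed auth.log lines. This is an added example, not fail2ban's own code: the regex is an approximation of one of the "Failed password" rules in fail2ban's sshd filter (the real filter ships several patterns, such as "Invalid user" and PAM failures), the findtime window of 600 seconds is fail2ban's 0.8 default, and the hostnames, IPs and timestamps in the sample log are made up.

```python
"""Simulate a fail2ban-style SSH jail over constructed auth.log lines.

Added example, not fail2ban's own code. FAILREGEX approximates one
failregex from fail2ban's sshd filter; the real filter has more patterns.
"""
import re
from datetime import datetime, timedelta

# Approximation of the sshd filter's "Failed password/publickey" rule.
# Captures the syslog timestamp and the source address (<HOST> in fail2ban).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of /var/log/auth.log (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG = """\
Jun 10 09:00:01 srv sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 10 09:00:03 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jun 10 09:00:05 srv sshd[2205]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
Jun 10 09:00:06 srv sshd[2207]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 10 09:00:08 srv sshd[2209]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jun 10 09:01:00 srv sshd[2211]: Failed password for bob from 127.0.0.1 port 33000 ssh2
Jun 10 09:01:01 srv sshd[2212]: Failed password for bob from 127.0.0.1 port 33001 ssh2
Jun 10 09:01:02 srv sshd[2213]: Failed password for bob from 127.0.0.1 port 33002 ssh2
Jun 10 09:02:00 srv sshd[2220]: Failed password for carol from 198.51.100.9 port 40001 ssh2
Jun 10 09:15:00 srv sshd[2230]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Jun 10 09:15:30 srv sshd[2240]: Failed password for root from 203.0.113.7 port 51240 ssh2
""".splitlines()


class Jail:
    """Mirrors the jail.local settings: maxretry, bantime, findtime, ignoreip."""

    def __init__(self, maxretry=3, findtime=600, bantime=600,
                 ignoreip=("127.0.0.1",)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = {}   # ip -> timestamps of recent failures
        self.banned = {}     # ip -> time the ban expires
        self.events = []     # ("ban"|"unban", ip), in order

    def _expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban does this periodically)."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.events.append(("unban", ip))

    def process(self, line, year=2009):
        """Feed one log line; return the IP if this line triggers a ban."""
        m = FAILREGEX.match(line)
        if not m:
            return None  # not a failure line; fail2ban ignores it
        # Syslog timestamps carry no year; assume one so the window maths works.
        now = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        self._expire(now)
        ip = m.group("host")
        if ip in self.ignoreip or ip in self.banned:
            return None
        # Only failures inside findtime count towards maxretry.
        window = [t for t in self.failures.get(ip, []) if now - t < self.findtime]
        window.append(now)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            self.failures[ip] = []
            self.events.append(("ban", ip))
            return ip
        return None


def run(lines, **jail_opts):
    """Run a jail over a list of log lines and return it for inspection."""
    jail = Jail(**jail_opts)
    for line in lines:
        jail.process(line)
    return jail


if __name__ == "__main__":
    for event in run(SAMPLE_AUTH_LOG).events:
        print(*event)
```

With the settings from the jail above, 203.0.113.7 is banned on its third failure and released ten minutes later, the loopback failures are skipped because of ignoreip, and 198.51.100.9 is never banned because its two failures are thirteen minutes apart, outside findtime. On a real host the shipped filter can be checked against your own log with `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`.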