= Introduction =

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading the logs of services such as SSH, ProFTP and Apache, and uses iptables rules to block brute-force attempts.

= Installation =

To install fail2ban, type the following in the terminal:

{{{
sudo apt-get install fail2ban
}}}

== Configuration ==

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban:

{{{
cd /etc/fail2ban
sudo cp jail.conf jail.local
}}}

Now edit the file:

{{{
sudo nano jail.local
}}}

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and the maximum number of user attempts to your liking:

{{{
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 3600
maxretry = 3
}}}

== Email Notification ==

Note: You will need sendmail or any other MTA to do this.

If you wish to be notified of bans by email, modify this line with your email address:

{{{
destemail = your_email@domain.com
}}}

Then find the line:

{{{
action = %(action_)s
}}}

and change it to:

{{{
action = %(action_mw)s
}}}

== Jail Configuration ==

Jails are the rules which fail2ban applies to a given application/log:

{{{
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
}}}

To enable the other profiles, such as [ssh-ddos], make sure the first line beneath it reads:

{{{
enabled = true
}}}

Once done, restart fail2ban to put those settings into effect:

{{{
sudo /etc/init.d/fail2ban restart
}}}

== Advanced: Filters ==

If you wish to tweak or add log filters, you can find them in:

{{{
/etc/fail2ban/filter.d
}}}

== Testing ==

To test fail2ban, look at the iptables rules:

{{{
sudo iptables -L
}}}

Attempt to log in to a service that fail2ban is monitoring (preferably from another machine) and look at the iptables rules again to see if that source IP gets added.

= External Links =

* http://www.fail2ban.org/wiki/index.php/Main_Page - Official Fail2ban Website.
* http://denyhosts.sourceforge.net/ - DenyHosts

----
CategorySecurity

Remarks (Robert van Reems): To test fail2ban on Ubuntu 12.04 server edition a reboot is required. Restarting or reloading the service didn't work.
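
The ban decision set up in the Configuration and Jail Configuration sections above (ignoreip, maxretry, a filter applied to /var/log/auth.log), sketched as an added Python example; it is not part of the original page and is not fail2ban's own code. The regex is a simplified stand-in for the sshd filter, the 192.168.1.0/24 entry and the log lines are constructed, and both DNS names in ignoreip and the time window over which fail2ban counts failures are left out.

```python
import ipaddress
import re
from collections import Counter

# Simplified stand-in for the sshd filter (assumption: not the regex shipped
# in /etc/fail2ban/filter.d).
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\S+) port \d+"
)

def hosts_to_ban(log_lines, ignoreip, maxretry):
    """Hosts whose failure count reaches maxretry, in the order they reach it."""
    ignored = [ipaddress.ip_network(entry, strict=False) for entry in ignoreip]
    failures, banned = Counter(), []
    for line in log_lines:
        match = FAILREGEX.search(line)
        if not match:
            continue  # successful logins and unrelated lines are not failures
        try:
            ip = ipaddress.ip_address(match.group("host"))
        except ValueError:
            continue  # host field is not an IP literal; skipped in this sketch
        if any(ip in net for net in ignored):
            continue  # sources listed in ignoreip never accumulate failures
        failures[ip] += 1
        if failures[ip] == maxretry:
            banned.append(str(ip))
    return banned

# Constructed auth.log events (documentation address ranges, not real traffic).
EVENTS = [
    "Failed password for root from 203.0.113.5 port 40110 ssh2",
    "Failed password for bob from 198.51.100.7 port 51822 ssh2",
    "Failed password for root from 127.0.0.1 port 33010 ssh2",
    "Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2",
    "Failed password for root from 127.0.0.1 port 33012 ssh2",
    "Failed password for bob from 198.51.100.7 port 51824 ssh2",
    "Failed password for root from 127.0.0.1 port 33014 ssh2",
    "Accepted password for bob from 198.51.100.7 port 51826 ssh2",
    "Failed password for root from 203.0.113.5 port 40114 ssh2",
]
SAMPLE_LOG = ["Jan 10 10:00:%02d srv sshd[%d]: %s" % (i, 2100 + i, e)
              for i, e in enumerate(EVENTS)]
IGNOREIP = ["127.0.0.1", "192.168.1.0/24"]  # second entry is a constructed CIDR

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, IGNOREIP, maxretry=3))
```

Emptying the ignoreip list makes 127.0.0.1 bannable on the same sample, which is why local and administrative addresses belong in ignoreip before a jail is enabled.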