When an attempted compromise is detected according to the configured parameters, Fail2ban adds a new rule to iptables to block the attacker's IP address, either for a set amount of time or permanently. Fail2ban can also alert you by email that an attack is occurring. Fail2ban is primarily focused on SSH attacks, although it can be configured to protect any service that writes log files and can be subject to a compromise.
apt-get install fail2ban
(Optional) If you would like email support, install Sendmail:
apt-get install sendmail-bin sendmail
/etc/fail2ban/fail2ban.conf — contains general settings for the fail2ban-server daemon, such as the logging level and log target.
/etc/fail2ban/jail.conf — contains the declaration of your jails. By default, some sections are inserted as templates. You must enable the sections of interest and adapt to your local configuration.
Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. Thus, a .local file doesn't have to include everything in the corresponding .conf file, only those settings that you wish to override.
Modifications should take place in the .local file and not in the .conf. This avoids merge conflicts when a package upgrade replaces the .conf files. These files are well documented, and detailed information on every setting is available there. So, if you need them, create the .local copies:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Sample jail.conf
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
# Optional: ban via iptables and also send a whois report by email
#action = iptables-multiport[name=SSH, port=ssh, protocol=tcp]
#         mail-whois[name=SSH, dest=yourmail@mail.com]
maxretry = 6
filter - Name of the filter to be used by the jail to detect matches. Each match by the filter increments the counter within the jail.
logpath (/var/log/messages) - Path to the log file which is provided to the filter
maxretry (3) - Number of matches (i.e. value of the counter) which triggers ban action on the IP.
findtime (600 sec) - The counter is set to zero if no match is found within "findtime" seconds.
bantime (600 sec) - Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.
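The two mechanisms described above, the .conf/.local layering and the maxretry/findtime/bantime counter, can be reproduced in a few lines so you can see exactly when a ban would fire. The following is an added example, not part of Fail2ban or of the original page: it reads a constructed jail.conf and jail.local with configparser (later file wins), applies a deliberately simplified stand-in for the sshd failregex to constructed auth.log lines, and reports which IPs reach maxretry matches inside the findtime window. The IP addresses, log lines and the FAILREGEX pattern are constructed for the demo; the real filter lives in /etc/fail2ban/filter.d/sshd.conf and matches many more message forms.

```python
"""Added demo: .conf/.local layering plus jail counter semantics (not Fail2ban code)."""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for /etc/fail2ban/jail.conf and jail.local
JAIL_CONF = """
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
"""

JAIL_LOCAL = """
[ssh]
maxretry = 3
bantime = 1h
"""


def load_jail(name, *texts):
    """Read .conf first, then .local; keys in later files override earlier ones.
    [DEFAULT] values are inherited by every jail section, as in Fail2ban."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cp.read_string(text)
    return dict(cp[name])


def parse_duration(value):
    """Accept Fail2ban-style durations: '600' (seconds), '10m', '1h', '1d'."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = value.strip()
    if value[-1].isalpha():
        return int(value[:-1]) * units[value[-1]]
    return int(value)


# Simplified, constructed stand-in for the sshd filter's failregex
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+)"
)

# Constructed auth.log lines (syslog format, no year); IPs are documentation ranges
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50000 ssh2
Mar  1 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar  1 10:00:09 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Mar  1 10:00:12 host sshd[1004]: Failed password for root from 203.0.113.5 port 50003 ssh2
Mar  1 10:00:20 host sshd[1005]: Failed password for root from 198.51.100.7 port 50004 ssh2
Mar  1 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 50005 ssh2
Mar  1 10:30:05 host sshd[1007]: Failed password for root from 198.51.100.7 port 50006 ssh2
"""


def run_jail(log_text, maxretry, findtime, bantime, year=2024):
    """Return {ip: ban_expiry} for IPs that reach maxretry matches within findtime.
    Matches older than findtime are discarded, so a slow trickle never bans."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)  # ip -> timestamps of matches still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # only failregex matches increment the counter
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        ip = m.group("host")
        if ip in bans and ts < bans[ip]:
            continue  # already banned; nothing more to count
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            hits[ip] = []
    return bans


if __name__ == "__main__":
    jail = load_jail("ssh", JAIL_CONF, JAIL_LOCAL)
    bans = run_jail(
        SAMPLE_LOG,
        int(jail["maxretry"]),
        parse_duration(jail["findtime"]),
        parse_duration(jail["bantime"]),
    )
    for ip, until in bans.items():
        print(f"ban {ip} until {until}")
```

With the .local override in effect (maxretry 3, bantime 1h, findtime inherited as 10m), 203.0.113.5 is banned at its third failure; 198.51.100.7 also fails three times, but its first failure falls outside the 10-minute findtime window by the time the next two arrive, so it is never banned. Lowering maxretry to 2 in the call bans both, which is the kind of trade-off to weigh before tightening a jail.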
sudo systemctl status fail2ban # Status daemon
sudo systemctl restart fail2ban # Restart daemon
sudo fail2ban-client status # List of rules
sudo fail2ban-client status ssh # Statistics of the ssh jail (use the jail's section name; newer jail.conf files name it sshd)
sudo fail2ban-client set ssh unbanip 218.219.220.221 # Unban ip 218.219.220.221
sudo journalctl -b -u fail2ban # Daemon messages since the last boot
sudo tail -F /var/log/fail2ban.log # Follow bans and unbans as they happen
* If a jail's logpath does not exist, fail2ban reports an error and that jail fails to start.