Securing ssh and other service daemons with fail2ban

Category: Linux,webserver   — Published by tengo on January 22, 2012 at 11:30 am

On Debian Squeeze do this

apt-get install fail2ban

to install fail2ban on your system.

Fail2Ban's config files live in /etc/fail2ban; the structure of these config files is explained in the fail2ban documentation.
Fail2Ban ships with a number of prepared config files for various services, but these templates have to be "activated" by editing /etc/fail2ban/jail.conf. That file is divided into sections, one per service; uncommenting a section makes fail2ban monitor the logs of that service and apply the related settings. For ssh, Apache, some FTP servers and other common services the jail is activated by default, but checking the settings shouldn't hurt.

About fail2ban:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
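To make the two ideas above concrete (a jail section in jail.conf that activates monitoring for a service, and the log scanning that turns repeated failures into a temporary ban), here is an added example that is not fail2ban's own code. It parses a constructed jail fragment in the style of /etc/fail2ban/jail.conf (the keys enabled, filter, logpath, maxretry, findtime and bantime are real fail2ban settings; the values are chosen for the example), runs a constructed sshd failregex over constructed auth.log lines, and reports which hosts would be banned and until when. The failregex, the sample log lines and the helper names (load_jail, scan, parse_ts) are all assumptions for this illustration.

```python
"""Minimal model of how fail2ban turns a jail config plus log lines into bans.

Added example, not fail2ban's own code. Counting works the way the real
settings are documented: more than maxretry failures from one host within
findtime seconds lead to a ban lasting bantime seconds.
"""
import configparser
import re
from collections import defaultdict
from datetime import datetime

# Constructed jail fragment in jail.conf style; [DEFAULT] values apply to
# every jail unless the jail section overrides them (assumed sample values).
JAIL_LOCAL = """
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
"""

# Constructed failregex in the spirit of fail2ban's sshd filter. fail2ban
# replaces the <HOST> placeholder with an IP-matching group; we do the same.
FAILREGEX = r"Failed password for (invalid user )?\S+ from <HOST> port \d+ ssh2"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample auth.log lines (syslog timestamps carry no year).
SAMPLE_LOG = """\
Jan 22 11:30:01 web sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 22 11:30:05 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 22 11:30:09 web sshd[1205]: Accepted publickey for deploy from 198.51.100.4 port 50001 ssh2
Jan 22 11:30:12 web sshd[1207]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 22 11:31:00 web sshd[1209]: Failed password for root from 198.51.100.9 port 50100 ssh2
Jan 22 11:55:00 web sshd[1301]: Failed password for root from 198.51.100.9 port 50101 ssh2
Jan 22 11:56:00 web sshd[1303]: Failed password for root from 198.51.100.9 port 50102 ssh2
"""


def load_jail(text, name):
    """Return the effective settings of one jail, with [DEFAULT] fallbacks."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[name]
    return {
        "enabled": sec.getboolean("enabled"),
        "filter": sec["filter"],
        "logpath": sec["logpath"],
        "maxretry": sec.getint("maxretry"),
        "findtime": sec.getint("findtime"),
        "bantime": sec.getint("bantime"),
    }


def compile_failregex(pattern):
    """Substitute the <HOST> placeholder and compile the filter regex."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_ts(line, year=2012):
    """Epoch seconds of a syslog-style line; the year is assumed (2012 here)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").timestamp()


def scan(log_text, jail):
    """Return {host: ban_expiry_epoch} for hosts that hit maxretry within findtime."""
    if not jail["enabled"]:
        return {}
    rx = compile_failregex(FAILREGEX)
    failures = defaultdict(list)  # host -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue  # line does not match the filter (e.g. a successful login)
        host, ts = m.group("host"), parse_ts(line)
        if host in bans and ts < bans[host]:
            continue  # already banned: nothing more to count
        # keep only failures inside the findtime window, then add this one
        window = [t for t in failures[host] if ts - t <= jail["findtime"]]
        window.append(ts)
        failures[host] = window
        if len(window) >= jail["maxretry"]:
            bans[host] = ts + jail["bantime"]
            failures[host] = []
    return bans


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "ssh")
    for host, until in scan(SAMPLE_LOG, jail).items():
        print(f"ban {host} until {datetime.fromtimestamp(until):%H:%M:%S}")
```

Running it bans 203.0.113.7 (three failures within eleven seconds) for 600 seconds, while 198.51.100.9 stays unbanned: its first failure falls outside the 600-second findtime window of the later two, so only two count. That is exactly the trade-off you tune in jail.conf: a short findtime or high maxretry tolerates slow guessing, a long bantime increases the chance of locking out a legitimate user who mistyped a password.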