This howto is going to assume you have a working Debian or Debian based system currently running. It is also intended to be copied and pasted directly into your telnet/ssh window.
The package I am going to be using is called fail2ban. Fail2ban scans log files and bans IP addresses that produce too many failed login attempts. It then updates firewall rules to reject the attackers IP address.
Step 1: Installing the fail2ban package
Type or copy and paste the following into your server.
apt-get install fail2ban
Once this is done, you are now setup and now you have to setup the configuration files.
Step 2:
Edit /etc/fail2ban/fail2ban.conf
nano -w /etc/fail2ban/fail2ban.conf
Your fail2ban.conf should look something like this (the commented lines have been removed)
[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /tmp/fail2ban.sock
Step 3:
Edit /etc/fail2ban/jail.conf
nano -w /etc/fail2ban/jail.conf
Your jail.conf should look something like this (again comments have been removed)
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 18000
maxretry = 3backend = polling
destemail = youremail@domain.com
action = iptables[name=%(__name__)s, port=%(port)s]
mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s][ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6[apache]
enabled = false
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 6[proftpd]
enabled = false
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log[couriersmtp]
enabled = true
port = smtp
filter = couriersmtp
logpath = /var/log/mail.log[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:\]
logpath = /var/log/mail.log
maxretry = 5[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:\]
logpath = /var/log/mail.log
maxretry = 5[sasl]
enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
Please change the email section if you are going to directly copy and paste this config. Right now, when someone attempts a bruteforce attack, fail2ban will firewall the ip address, and send an email to that email address with the whois information, and the log information from the attack.
You can now start/restart fail2ban, I recommend using a restart just in case fail2ban is already running.
/etc/init.d/fail2ban restart
Please don’t use this as your only security measure. This is just one step you can take to protecting your servers.
