After going through a digital mountain of server logs on one of my servers, I’ve noticed that people are routinely trying to brute-force their way in via SSH to log in as root. Even though root has been locked out, this is just noise in my logs that I’d rather not have to sift through. Fail2ban will automatically block access from an IP after a set number of failed attempts, for a set period of time (the default is 10 minutes, or 600 seconds).
To install it on a Debian/Ubuntu box, run:
apt-get install fail2ban
Instead of editing the config file that comes with the package, we’ll use a local copy of it, which the package’s file is overridden by on upgrade-safe basis. You can create one by running:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
To prevent locking yourself out, add your own IP address to the ignoreip line in jail.local. It should look something like this:
ignoreip = 127.0.0.1/8 126.96.36.199
Where the second address is your own IP address. If you have a dynamic IP, you can use a CIDR mask to cover the range it falls in instead.
Save and exit
By default, it already ships with jails that watch SSH and HTTP, amongst other things. As long as it covers SSH that’s fine with me. The fact that it’ll look at HTTP and other services is a bonus.
Restart the service by running:
/etc/init.d/fail2ban restart (or service fail2ban restart)
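To make the ban rule from the opening paragraph and the ignoreip step concrete, here is an added Python sketch (not fail2ban’s own code) of what the sshd jail does: it parses failed-login lines from auth.log, skips any source covered by ignoreip, and bans a source once it reaches maxretry failures inside the findtime window. The log lines, the assumed year 2024 (auth.log timestamps carry none) and the test addresses are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Illustration of fail2ban's sshd jail logic; not fail2ban's own code.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

# Constructed sample auth.log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  3 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Mar  3 10:00:04 host sshd[1003]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar  3 10:00:05 host sshd[1004]: Failed password for root from 192.0.2.10 port 50004 ssh2
Mar  3 10:00:06 host sshd[1005]: Failed password for root from 192.0.2.10 port 50005 ssh2
Mar  3 10:00:07 host sshd[1006]: Failed password for root from 192.0.2.10 port 50006 ssh2
Mar  3 10:00:08 host sshd[1007]: Accepted publickey for deploy from 198.51.100.5 port 50007 ssh2
Mar  3 10:00:09 host sshd[1008]: Failed password for root from 198.51.100.77 port 50008 ssh2
Mar  3 10:05:09 host sshd[1009]: Failed password for root from 198.51.100.77 port 50009 ssh2
Mar  3 10:15:09 host sshd[1010]: Failed password for root from 198.51.100.77 port 50010 ssh2
"""

def parse_ts(ts, year=2024):
    """auth.log timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log, ignoreip=("127.0.0.1/8",), maxretry=5, findtime=600, bantime=600):
    """Return {ip: ban_expiry} for sources hitting maxretry failures within findtime seconds."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = {}   # ip -> failure timestamps still inside the sliding window
    bans = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue   # not a failed SSH login (e.g. an accepted key)
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if any(ipaddress.ip_address(ip) in net for net in ignored) or ip in bans:
            continue   # whitelisted by ignoreip, or already banned
        hits = recent.setdefault(ip, [])
        hits.append(when)
        # drop failures older than findtime relative to the newest one
        recent[ip] = hits = [t for t in hits if (when - t).total_seconds() <= findtime]
        if len(hits) >= maxretry:
            bans[ip] = when + timedelta(seconds=bantime)
    return bans
```

With the sample log, 203.0.113.7 is banned, 192.0.2.10 is spared by ignoreip, and 198.51.100.77 escapes because its failures are spread over more than findtime.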