Fail2ban is an important tool for system administrators. It scans log files (e.g. /var/log/auth.log) and bans IPs that show malicious signs, such as too many password failures or probing for exploits.
To install fail2ban, execute this command:
# apt-get install fail2ban
Open the configuration file to activate some rules:
# nano /etc/fail2ban/jail.conf
Find the following line and set the email destination for notifications:
destemail = root@yourdomain.com
Find the following line and set the ban time (in seconds):
bantime = 3600
To enable ssh protection, make sure the file contains the following lines:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
You can adjust logpath and maxretry to suit your own setting.
To enable apache protection, make sure the file contains the following lines:
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 4
To enable vsftpd protection, make sure the file contains the following lines:
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 4
Restart fail2ban:
# /etc/init.d/fail2ban restart
Monitor fail2ban log:
# tail -f /var/log/fail2ban.log
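To make the effect of maxretry and bantime concrete, here is a small added example (not part of the original tutorial and not fail2ban's own code) that replays the logic of the sshd jail over a few constructed auth.log lines: it matches "Failed password" entries, counts failures per IP inside a sliding findtime window (fail2ban's default findtime is 10 minutes), and records a ban with the bantime from the tutorial. The regular expression is a simplified stand-in for fail2ban's sshd filter, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (documentation IP ranges, not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  3 10:00:12 host sshd[1204]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:14 host sshd[1205]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:00:20 host sshd[1206]: Failed password for invalid user test from 198.51.100.9 port 42000 ssh2
Mar  3 10:30:00 host sshd[1207]: Failed password for invalid user test from 198.51.100.9 port 42001 ssh2
"""

# Simplified stand-in for fail2ban's sshd filter: one pattern for password failures.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2024):
    """Parse a syslog timestamp; the year is assumed because syslog omits it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=4, findtime=600, bantime=3600):
    """Replay jail semantics over log text.

    Returns {ip: (ban_start, ban_end)} for every IP that reaches maxretry
    failures within a findtime-second sliding window. Lines that do not match
    the filter (e.g. successful logins) are ignored, as fail2ban would do.
    """
    failures = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in bans:
            continue  # already banned; fail2ban stops counting for this IP
        t = parse_ts(m.group("ts"))
        # Keep only failures that fall inside the findtime window ending now.
        window = [x for x in failures[ip] if (t - x).total_seconds() <= findtime]
        window.append(t)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (t, t + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the tutorial's maxretry = 4 and bantime = 3600, 203.0.113.5 is banned at its fourth failure (10:00:14) until 11:00:14, while 198.51.100.9 is never banned because its two failures are 30 minutes apart and fall outside the 10-minute findtime window. Lowering maxretry or raising findtime (the second call in the test below) changes that outcome, which is the trade-off to keep in mind when tuning the values in jail.conf. Note that Debian's fail2ban package overwrites jail.conf on upgrade, so the usual practice is to put overrides in /etc/fail2ban/jail.local instead.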