Some nasty people out in the open internet find it amusing to try and hack your ssh/www/ftp service. You have chosen a secure login and password, but your logfile is getting crammed and you don’t like that.
There is a small Python script named fail2ban. It keeps an eye on the specified logfile and logs failed login attempts. After a specified number of failed attempts it uses iptables to ban the IP address for a specified amount of time, or runs a user-defined command.
Christian Rauch offers rpm packages on his ftp server: I used version 0.8.0 which is available since 2007-05-03.
rpm -i fail2ban-0.8.0-0.rauch.3.SuSE1020.noarch.rpm
You’ll find the additional download links on the official project page:
After installation, edit the two main config files with your favorite editor.
In the fail2ban.conf you’ll find the logging configuration.
In the jail.conf you’ll find the definitions of the services you want to monitor. The file is commented very well, so there should be no problem finding the options you need.
Look especially at the options at the top of the file under [DEFAULT].
The “findtime”, the window during which fail2ban remembers a failed login attempt, defaults to 10 minutes, which is a bit long for my taste. So I change it to 1 minute:
findtime = 60
I want to monitor vsftpd, but I don’t want to be informed every time somebody has been banned. This happens far too often. So this is what my entry looks like:
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
Now I start fail2ban:
Fail2ban now monitors the logfile from vsftpd. If someone tries to log in and fails 5 times in a row inside a 1-minute timeframe, his (or her) IP address gets banned for 1800 seconds (30 minutes). That should be enough to discourage any bot.
You can monitor changes or debug your configuration by increasing the log level in the fail2ban.conf and following the fail2ban logfile:
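To make the findtime/maxretry/bantime interplay concrete, here is an added example (not fail2ban's own code) that replays constructed vsftpd-style log lines through the same sliding-window rule: the log format and the FAIL LOGIN pattern are modelled on vsftpd.log, and the sample IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a failed vsftpd login; modelled on the vsftpd.log format (fail2ban's
# own pattern lives in filter.d/vsftpd.conf and is not reproduced here).
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*FAIL LOGIN: Client "(?P<ip>[\d.]+)"'
)

class Jail:
    """One jail: maxretry failures inside findtime seconds ban the IP for bantime seconds."""

    def __init__(self, findtime=60, maxretry=5, bantime=1800):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban, else None."""
        m = FAIL_RE.match(line)
        if not m:
            return None                 # successful logins and other noise are ignored
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        ip = m.group("ip")
        if ip in self.bans:
            if ts < self.bans[ip]:
                return None             # still banned, iptables is dropping the traffic
            del self.bans[ip]           # bantime elapsed, start counting afresh
        q = self.attempts[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.findtime:
            q.popleft()                 # older than findtime: forgotten
        if len(q) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            q.clear()
            return ip
        return None

def banned_ips(lines, **jail_opts):
    """Replay log lines through a jail and return the banned IPs in ban order."""
    jail = Jail(**jail_opts)
    return [ip for ip in map(jail.feed, lines) if ip]

# Constructed sample log: 203.0.113.7 fails 5 times within 40 seconds, while
# 198.51.100.9 fails 5 times spread over 2 min 40 s (one attempt every 40 s).
SAMPLE_LOG = sorted(
    [f'Thu May 10 10:00:{s:02d} 2007 [pid 4242] [admin] FAIL LOGIN: Client "203.0.113.7"' for s in (1, 10, 20, 30, 40)]
    + [f'Thu May 10 10:{m:02d}:{s:02d} 2007 [pid 4243] [root] FAIL LOGIN: Client "198.51.100.9"' for m, s in ((0, 0), (0, 40), (1, 20), (2, 0), (2, 40))]
    + ['Thu May 10 10:03:00 2007 [pid 4244] [bob] OK LOGIN: Client "192.0.2.5"'])
```

With findtime = 60 only 203.0.113.7 is banned; with the default findtime = 600 the slower 198.51.100.9 is caught as well, which is exactly the trade-off the shorter window makes.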
less +F /var/log/fail2ban.log
You need to have Python 2.4 and iptables installed, and should use syslog-ng as the system logger.