fail2ban is an intrusion prevention framework written in Python that protects Linux systems and servers from brute-force attacks.
it monitors the strength and frequency of attacks by scanning log files for repeated failures.
it can be set up to block offending IP addresses automatically (via firewall rules) based on configurable parameters.
sudo apt install fail2ban
sudo systemctl enable fail2ban.service
ls -al /etc/fail2ban
jail.conf file: the default jail configuration shipped with the package; do not edit it directly.
create a local override instead: /etc/fail2ban/jail.local (not overwritten when fail2ban is updated; settings in jail.local take precedence over jail.conf)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[sshd]
# change to true and restart the service to activate the jail
enabled = false
port = ssh
# make fail2ban watch the sshd service using the sshd filter
# (/etc/fail2ban/filter.d/sshd.conf defines which log lines count as failures)
filter = sshd
# log to watch
logpath = /var/log/auth.log
# security options
# number of failed attempts allowed before a ban
maxretry = 3
# ban length in seconds (1 hour)
bantime = 3600
# whitelist of IP addresses/networks that are never banned
# (be careful not to lock yourself out; 192.168.1.100/32 is already covered by 192.168.1.0/24)
ignoreip = 127.0.0.1 192.168.1.0/24 192.168.1.100/32
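As an added example (not from these notes and not fail2ban's own code), the Python script below shows how maxretry, bantime and ignoreip from the [sshd] section above interact when run over a few constructed auth.log lines. It assumes findtime = 10 minutes, which the notes do not set and which is fail2ban's shipped default, uses a simplified stand-in for the sshd filter's failregex, and assumes a year for the syslog timestamps (syslog omits it). The sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings copied from the [sshd] section above. findtime is not set in
# the notes; 10 minutes is fail2ban's shipped default (assumption).
MAXRETRY = 3
BANTIME = timedelta(seconds=3600)
FINDTIME = timedelta(minutes=10)
IGNOREIP = [ipaddress.ip_network(n)
            for n in ("127.0.0.1", "192.168.1.0/24", "192.168.1.100/32")]

# Simplified stand-in for the sshd filter's failregex (assumption, not
# fail2ban's own pattern): one "Failed password" line per attempt.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+")

# Constructed sample auth.log lines (syslog format, no year).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  3 10:00:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Mar  3 10:00:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar  3 10:00:20 host sshd[1240]: Failed password for root from 192.168.1.100 port 40001 ssh2
Mar  3 10:00:21 host sshd[1241]: Failed password for root from 192.168.1.100 port 40002 ssh2
Mar  3 10:00:22 host sshd[1242]: Failed password for root from 192.168.1.100 port 40003 ssh2
Mar  3 10:01:00 host sshd[1250]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:02:00 host sshd[1260]: Accepted publickey for alice from 203.0.113.50 port 40004 ssh2
Mar  3 10:20:00 host sshd[1251]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 10:21:00 host sshd[1252]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""


def parse_timestamp(line, year=2024):
    """Parse the leading 'Mon dd HH:MM:SS' syslog timestamp (year assumed)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def is_ignored(ip):
    """True if ip falls inside any ignoreip entry (such hosts are never banned)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def evaluate(log_text, year=2024):
    """Return {ip: time_of_ban} for every source that reaches MAXRETRY
    failures inside a sliding FINDTIME window, skipping ignoreip hosts."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue            # successful logins and unrelated lines do not count
        ip = m.group("ip")
        if is_ignored(ip):
            continue
        ts = parse_timestamp(line, year)
        # Drop failures older than findtime, then add this one.
        window = [t for t in recent[ip] if ts - t <= FINDTIME] + [ts]
        recent[ip] = window
        if len(window) >= MAXRETRY and ip not in bans:
            bans[ip] = ts
    return bans


def is_banned(bans, ip, now):
    """True while the ban is younger than bantime."""
    return ip in bans and now - bans[ip] < BANTIME


if __name__ == "__main__":
    for ip, when in evaluate(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}, lifts at {when + BANTIME:%H:%M:%S}")
```

Running it bans only 203.0.113.7: 192.168.1.100 is whitelisted by ignoreip, and 198.51.100.9 never accumulates 3 failures inside one 10-minute window, which is why findtime matters as much as maxretry. Real fail2ban additionally inserts a firewall rule at ban time, so later attempts from a banned host never reach sshd or the log.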
cat /var/log/auth.log
logs all authentication attempts (successful and failed); this is the file the sshd jail watches.
restart fail2ban every time the jail files are changed.
systemctl restart fail2ban.service
check that the service is active
systemctl status fail2ban.service
list the running jails
fail2ban-client status
show details for one jail (filter hits, currently and total banned IPs)
fail2ban-client status sshd
check which service is listening on which port (useful for setting the jail's port value)
sudo netstat -tulpn
manually ban an IP in the sshd jail
sudo fail2ban-client set sshd banip 192.16.249.189
manually unban it again
sudo fail2ban-client set sshd unbanip 192.16.249.189