up until now i have been manually blocking ip’s that attack my server but by the time i see them the attacks have normally finished but after the last big attack on my email server (some 35,000 attempts) i decided to find a way to automate the blocking. After a bit of research i decided to setup Fail2ban and here’s how i did it.
As i use a 3rd party repostories – EPEL i can just use yum to install it
yum install fail2ban
once installed i just needed to change the configuration to my liking, the config files can be found at “/etc/fail2ban”
first i edit “/etc/fail2ban/fail2ban.conf” and ensure the “logtarget” is set correctly
logtarget = /var/log/fail2ban.log
The default behaviour of fail2ban is configured in the file “/etc/fail2ban/jail.conf”. There’s a [DEFAULT] section that applies to all other sections unless the default options are overridden in the other sections.
I explain some of the configuration here:
ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
filter: Refers to the appropriate filter file in “/etc/fail2ban/filter.d”.
logpath: The log file that fail2ban checks for failed login attempts.
so i edit “/etc/fail2ban/jail.conf” and add my ip to “ignoreip”.
then i just need to configure the jails i want to use, here’s my ssh jail
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, port="ssh, 4564"]
sendmail-whois[name=SSH, dest=root, firstname.lastname@example.org]
logpath = /var/log/secure
maxretry = 3
Don’t forget to change the port to what ever port your ssh runs on and also set the “sender” and “dest” to your email.
I use a couple of other jails/filters which i’ll show you how i configured them but first i’ll show you how to start and check its running.
now check “/var/log/fail2ban.log” and make sure there’s no errors.
you can also check the rules are in iptables
now as i said i use a couple of custom filters here’s how i did them.
Create the filter file “/etc/fail2ban/filter.d/dovecot-pop3imap.conf” and add
failregex = (?: dovecot: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login).*rip=(<HOST>),.*
note: the failregex may need changing to suit your system.
now add the following to “/etc/fail2ban/jail.conf”
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
sendmail-whois[name=dovecot-pop3imap, dest=root, email@example.com]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 3600
then just restart fail2ban
you can create all sorts of custom jails/filters just google for other ideas.