Fail2ban

2009-08-03 14:20

If you discover lots of ssh connection tries in your /var/log/auth.log (bots testing users/passwords), you have to do something.

The simpler is to use an IP restriction rule in your iptables firewall, or in /etc/hosts.deny

If you don’t want or can’t use this restriction, use Fail2ban:

aptitude install fail2ban

The default install blocks SSH connection tries.

You can tune the config a bit or activate Fail2ban for other services. Example:

vi /etc/fail2ban/jail.conf
bantime  = 86400
maxretry = 10 # pour ssh
enabled  = true # pour vsftpd
maxretry = 10 # pour vsftpd

Then, the iptables -L command gives you all banned IP addresses.

2009-08-03 14:20 · Tags: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>