I have been using a quick and dirty shell script to update
/etc/hosts.deny file when brute-force attack flows into my server. It was pretty effective but was not effective enough to block the break-in attempts immediately. Today, I found a better solution – Fail2Ban. It scans the system log files and bans brute-force attacks for a certain period.
Most examples use
iptables, but I always prefer
/etc/hosts.deny and I don’t even care about unbanning once a host is banned. Therefore, I added the following to
[ssh-hostsdeny] enabled = true filter = sshd action = hostsdeny-nounban mail-whois[name=SSH, dest=ma[email protected]] logpath = /var/log/messages
[ssh-ddos-hostsdeny] enabled = true filter = sshd-ddos action = hostsdeny-nounban mail-whois[name=SSH-DDoS, [email protected]] logpath = /var/log/messages
Please note that I defined a new action called
hostsdeny-nounban, which doesn’t unban the attacker’s IP address once banned It’s
[Definition] actionstart = actionstop = actioncheck = actionban = IP=<ip> && grep -q "ALL: $IP" <file> || echo "ALL: $IP" >> <file> actionunban =
[Init] file = /etc/hosts.deny
For more information, I’d recommend you to read the Gentoo HOWTO fail2ban.