Using Fail2Ban to refuse brute-force attacks

I have been using a quick and dirty shell script to update the /etc/hosts.deny file when brute-force attacks flowed into my server. It was pretty effective, but not effective enough to block the break-in attempts immediately. Today I found a better solution: Fail2Ban. It scans the system log files and bans the sources of brute-force attacks for a certain period.

Most examples use iptables, but I always prefer /etc/hosts.deny, and I don’t even care about unbanning once a host is banned. Therefore, I added the following to /etc/fail2ban/jail.conf (the usual place for local overrides is /etc/fail2ban/jail.local, which survives package upgrades). Note that /etc/hosts.deny is only consulted by services linked against tcp_wrappers (libwrap); on a system whose OpenSSH was built without it (upstream removed libwrap support in 6.7), a hosts.deny ban has no effect on sshd and one of the iptables actions is needed instead.

# Password-guessing attempts: uses fail2ban's stock sshd filter, but bans
# through the custom hosts.deny action defined below and mails a whois report.
[ssh-hostsdeny]
enabled  = true
filter   = sshd
action   = hostsdeny-nounban
           mail-whois[name=SSH, [email protected]]
# Adjust to where sshd logs on your distribution (/var/log/auth.log or
# /var/log/secure are common alternatives).
logpath  = /var/log/messages

# Connection floods that never reach authentication (sshd "Did not receive
# identification string" lines), banned the same way.
[ssh-ddos-hostsdeny]
enabled  = true
filter   = sshd-ddos
action   = hostsdeny-nounban
           mail-whois[name=SSH-DDoS, [email protected]]
logpath  = /var/log/messages

Please note that I defined a new action called hostsdeny-nounban, which doesn’t unban the attacker’s IP address once it is banned. It’s /etc/fail2ban/action.d/hostsdeny-nounban.conf:

[Definition]
# Nothing to set up or tear down: hosts.deny is read by tcp_wrappers on every
# connection, so appending a line is enough.
actionstart =
actionstop =
actioncheck =
# Append "ALL: <ip>" unless that exact line is already present. grep -x (whole
# line) and -F (fixed string) keep 203.0.113.4 from being mistaken for an
# existing 203.0.113.45 entry and stop the dots acting as regex wildcards.
actionban = IP=<ip> && grep -qxF "ALL: $IP" <file> || echo "ALL: $IP" >> <file>
# Deliberately empty: bans are permanent.
actionunban =

[Init]
file = /etc/hosts.deny
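Before wiring a hand-written action into a live jail it is worth running the ban command by hand against a scratch file. The script below is an added example, not code from the post or from fail2ban: it applies the ban command with <file> and <ip> substituted to a temporary copy of hosts.deny, and contrasts it with a plain `grep -q "ALL: $IP"` substring match, which wrongly treats "ALL: 203.0.113.4" as already present when only "ALL: 203.0.113.45" is. The `offenders` function is a crude stand-in for the sshd filter plus maxretry, the log lines and addresses are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example: exercise the hosts.deny ban command offline. Paths, IPs and
# log lines are constructed; nothing here touches the real /etc/hosts.deny.

# Constructed sample lines in the shape fail2ban's sshd filter matches.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.4 port 50000 ssh2
Mar  1 10:00:02 host sshd[1234]: Failed password for root from 203.0.113.4 port 50001 ssh2
Mar  1 10:00:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.4 port 50002 ssh2
Mar  1 10:00:04 host sshd[1235]: Failed password for root from 203.0.113.45 port 50003 ssh2
Mar  1 10:00:05 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 50004 ssh2'

# ban_ip FILE IP: the actionban with <file>/<ip> substituted. -x matches the
# whole line and -F treats the dots literally, so the check is exact.
ban_ip() {
    file=$1; ip=$2
    grep -qxF "ALL: $ip" "$file" || echo "ALL: $ip" >> "$file"
}

# ban_ip_naive FILE IP: substring match, shown for contrast. An existing
# "ALL: 203.0.113.45" line makes it skip the ban for 203.0.113.4.
ban_ip_naive() {
    file=$1; ip=$2
    grep -q "ALL: $ip" "$file" || echo "ALL: $ip" >> "$file"
}

# offenders LOG MAXRETRY: print each source IP with at least MAXRETRY
# "Failed password" lines (stand-in for the sshd filter + maxretry; the real
# filter also applies findtime and many more patterns).
offenders() {
    printf '%s\n' "$1" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | awk -v n="$2" '$1+0 >= n+0 { print $2 }'
}

# ban_offenders FILE LOG MAXRETRY: run the action once per offender, as the jail would.
ban_offenders() {
    offenders "$2" "$3" | while read -r ip; do ban_ip "$1" "$ip"; done
}

# count_entries FILE: number of "ALL:" lines in the deny file (0 when none).
count_entries() {
    grep -c '^ALL: ' "$1" || true
}

# Stand-alone demo against a scratch file.
main() {
    deny=$(mktemp)
    echo "ALL: 203.0.113.45" > "$deny"          # pre-existing, unrelated entry
    ban_offenders "$deny" "$SAMPLE_LOG" 3
    ban_offenders "$deny" "$SAMPLE_LOG" 3      # second run must not duplicate
    echo "Entries in $deny after two runs:"
    cat "$deny"
    rm -f "$deny"
}
main
```

Run it once, then change `ban_ip` back to the substring form and run it again: the exact-match version adds 203.0.113.4 next to the unrelated 203.0.113.45 entry and stays at two lines on the second run, while the substring version never bans 203.0.113.4 at all.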

For more information, I’d recommend reading the Gentoo HOWTO fail2ban.