Fail2ban
Commands
To see the list of jails active:
fail2ban-client status
To see the status of a jail and if it banned any IP:
fail2ban-client status sshd
Install common
After installing fail2ban configure:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local vi /etc/fail2ban/jail.local
Add: "'enable=true'" under each of the services installed. SSH, Apache, Nginx, Vsftp, etc. Specially interesting is to enable the 'pam-generic', and in fedora/centos you need to change:
logpath = /var/log/secure
instead of
logpath = /var/log/auth.log
Also add the ,23 besides the ssh port for the ssh. See section below.
If you have reverse tunnels to other server also add:
ignoreip =
So that 127.0.0.1 is also blocked (reverse connections arrive from 127.0.0.1)
Restart the service,
systemctl start fail2ban
if it does not restart see the reason:
fail2ban-client -v -v start
Install Fail2ban on Ubuntu
apt-get install fail2ban sudo service fail2ban restart sudo update-rc.d fail2ban enable
Install Fail2ban on CentOS/Fedora
Instead of installing with yum install fail2ban, use:
yum install fail2ban-server fail2ban-systemd systemctl enable fail2ban systemctl restart fail2ban
The packet fail2ban also installs the Firewalld, which blocks by default all traffic after restarting the server.
Info: http://pkgs.org/centos-7/puias-unsupported-x86_64/fail2ban-server-0.9.2-1.sdl7.noarch.rpm.html
Enable mail
yum install fail2ban-sendmail
Fail2ban when ssh in telnet port
This are no failures in sense of authentication (because login does not take place).
But if you will that yet, just copy /etc/fail2ban/filter.d/sshd.conf into /etc/fail2ban/filter.d/sshd.local and add following to the failregex:
^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
Add the ,23 besides the ssh port in the /etc/fail2ban/jail.local
[sshd] port = ssh,23