Fail2Ban is an application that prevents dictionary attacks on your server. When Fail2Ban detects multiple failed login attempts from the same IP address, it creates temporary firewall rules that block traffic from the attacker’s IP address. Attempted logins can be monitored on a variety of protocols, including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only.
Install Fail2Ban by entering the following command:
sudo apt-get install fail2ban
Optionally, you can override the default Fail2Ban configuration by creating a new
jail.local file.
Enter the following command to create the file:
sudo nano /etc/fail2ban/jail.local
Set the bantime variable to specify how long (in seconds) bans should last.
Set the maxretry variable to specify the default number of tries a connection may be attempted before an attacker’s IP address is banned.
Press Control-x and then press y to save the changes to the Fail2Ban configuration file.
Restart Fail2Ban by using sudo service fail2ban restart.
Fail2Ban is now installed and running on your Server. It will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in
/var/log/fail2ban.log.
