Using Fail2ban to Secure Your Server

server security

Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your server.
Fail2ban is primarily focused on SSH attacks, although it can be further configured to work for any service that writes to log files and could be subject to compromise.

 

Installing Fail2ban
apt-get install fail2ban

General Settings within Fail2Ban

Fail2ban's default jail settings live in /etc/fail2ban/jail.conf. To make modifications, we need to copy this file to /etc/fail2ban/jail.local. This will prevent our changes from being overwritten if a package update provides a new default file.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the newly copied file:

sudo nano /etc/fail2ban/jail.local

 

 

IP Whitelisting and ban time

These will be found under the [DEFAULT] section within the file. These items set the general policy and can each be overridden in specific jails.
Add any IP addresses (or CIDR ranges) that you wish Fail2ban to ignore to the ignoreip line:
/etc/fail2ban/jail.local

[DEFAULT]

ignoreip = 127.0.0.1/8 123.45.67.89

 

Ban Time
Another setting you may want to adjust is bantime, which controls how many seconds an offending host is banned for. A host is banned once it has produced maxretry failures within the last findtime seconds:

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 3600
maxretry = 3
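To make the interaction between ignoreip, findtime, maxretry and bantime concrete, here is an added example that is not part of the original post and not Fail2ban's own code. It replays constructed sshd log lines (documentation addresses, not captured from a real host) through the same decision rule: a host outside ignoreip that fails maxretry times inside a findtime window is banned for bantime seconds, and lines it produces while banned are not counted. The sshd regex is a simplified stand-in for Fail2ban's sshd filter, and syslog timestamps carry no year, so the year is assumed.

```python
# Added example (not part of the original post or of Fail2ban's own code):
# a small simulation of how the [DEFAULT] knobs above decide on a ban.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the jail.local snippets above.
IGNOREIP = ["127.0.0.1/8", "123.45.67.89"]
BANTIME = 3600
FINDTIME = 3600
MAXRETRY = 3

# Simplified stand-in for the sshd filter: matches an OpenSSH "Failed password"
# line as written to /var/log/auth.log.
SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>[\d.]+) port \d+ ssh2\s*$"
)

# Constructed sample log (not captured from a real host); documentation IPs only.
SAMPLE_LOG = [
    "Sep 19 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Sep 19 10:00:05 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "Sep 19 10:00:09 srv sshd[1003]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Sep 19 10:05:00 srv sshd[1004]: Failed password for root from 127.0.0.1 port 40000 ssh2",
    "Sep 19 10:05:01 srv sshd[1005]: Failed password for root from 127.0.0.1 port 40001 ssh2",
    "Sep 19 10:05:02 srv sshd[1006]: Failed password for root from 127.0.0.1 port 40002 ssh2",
    "Sep 19 10:10:00 srv sshd[1007]: Failed password for backup from 198.51.100.7 port 42000 ssh2",
    "Sep 19 10:30:00 srv sshd[1008]: Failed password for root from 203.0.113.5 port 51300 ssh2",
    "Sep 19 10:40:00 srv sshd[1009]: Failed password for backup from 198.51.100.7 port 42001 ssh2",
    "Sep 19 11:00:00 srv sshd[1010]: Accepted publickey for deploy from 198.51.100.20 port 50000 ssh2",
    "Sep 19 11:20:00 srv sshd[1011]: Failed password for backup from 198.51.100.7 port 42002 ssh2",
    "Sep 19 11:25:00 srv sshd[1012]: Failed password for backup from 198.51.100.7 port 42003 ssh2",
    "Sep 19 11:30:00 srv sshd[1013]: Failed password for root from 203.0.113.5 port 51400 ssh2",
]


def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip falls inside any ignoreip entry (single address or CIDR block)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def parse_ts(stamp, year=2024):
    """syslog timestamps carry no year; one is assumed so they can be compared."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def simulate(lines, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Replay log lines through the jail policy; return [(action, host, "HH:MM:SS"), ...]."""
    attempts = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned = {}                     # host -> datetime at which its ban expires
    events = []
    for line in lines:
        m = SSHD_FAIL.match(line)
        if not m:
            continue                # benign line: the filter does not match it
        ts, host = parse_ts(m["ts"]), m["host"]
        # Lift bans whose bantime has elapsed before this line's timestamp.
        for h, until in list(banned.items()):
            if ts >= until:
                del banned[h]
                events.append(("unban", h, until.strftime("%H:%M:%S")))
        if is_ignored(host, ignoreip) or host in banned:
            continue                # whitelisted, or already banned (its log lines keep coming)
        q = attempts[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # drop failures that fell out of the findtime window
        if len(q) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            events.append(("ban", host, ts.strftime("%H:%M:%S")))
            q.clear()
    return events


if __name__ == "__main__":
    for action, host, when in simulate(SAMPLE_LOG):
        print(f"{when} {action:5s} {host}")
```

Running it shows 203.0.113.5 banned on its third failure at 10:00:09 and released an hour later, the loopback failures ignored, and 198.51.100.7 escaping a ban at 11:20 only because its first failure has aged out of the 3600-second findtime window; rerunning with findtime=7200 bans it at 11:20 instead. That is the trade-off findtime controls: a wider window catches slow, spread-out guessing at the cost of counting unrelated failures together.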

 

Email Alerts

If you wish to receive email when Fail2ban is triggered and you have your MTA set up, you will have to adjust some additional settings within the [DEFAULT] section:

destemail: The email address where you would like to receive the emails.
sendername: The name under which the email shows up.
sender: The email address from which Fail2ban will send emails.

[DEFAULT]

mta = mail
# placeholder address: replace with your own
destemail = admin@example.com
sendername = Fail2BanAlerts

You can use the action_mw action to ban the client and send an email notification to your configured account with a "whois" report on the offending address. You could also use the action_mwl action, which does the same thing but also includes the offending log lines that triggered the ban:

[DEFAULT]

action = %(action_mwl)s

 

Configuring Fail2Ban to Monitor Apache Logs

The Apache jails are defined in their own sections within the file. Each jail's settings apply only to that jail and override the general policy set under [DEFAULT].

To enable log monitoring for Apache login attempts, we will enable the [apache] jail. Edit the enabled directive within this section so that it reads "true":

[apache]

enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6
findtime = 600

The [apache-noscript] jail is used to ban clients that are searching for scripts on the website to execute and exploit. If you do not use PHP or any other scripting language in conjunction with your web server, you can enable this jail to ban those who request these types of resources:

[apache-noscript]

enabled  = true

The [apache-overflows] jail is used to block clients who are attempting to request unusually long and suspicious URLs. These are often signs of attempts to exploit Apache by trying to trigger a buffer overflow. You can enable this jail if you wish to prevent these types of attacks:

[apache-overflows]

enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

 

Protect SSH with Fail2Ban

SSH protection is configured in the [ssh] section within the file. Its settings apply only to this jail and override the general policy set under [DEFAULT]:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

 

Protect Mail with Fail2Ban

Our mail transfer agent (MTA) is Postfix; you can use any other, such as Sendmail.

An often used attack vector is brute forcing MTA logins. While most admins watch SSH auth logs like a hawk, email auth/login logs are most often not closely watched for this sort of thing, if at all.
Prevent a Postfix brute force attack!

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5

Also do the same for the [sasl] section if you use sasl auth:

[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
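Each jail above is only as good as its filter: if the failregex does not match what your Apache or Postfix actually writes, nothing is ever banned. As an added example (not part of the original post, and not Fail2ban's own filter files), the block below is a small fail2ban-regex style tester for the [apache], [apache-overflows], [postfix] and [sasl] jails. The regexes are simplified versions of the patterns those filters use, written for this example, with a named group standing in for Fail2ban's <HOST> tag; the log lines are constructed to follow the Apache 2.4 error_log and Postfix smtpd formats and use documentation addresses only.

```python
# Added example (not part of the original post or of Fail2ban's own filter files):
# a tiny fail2ban-regex style tester for the jails enabled above, run over
# constructed log lines modeled on Apache 2.4 and Postfix output.
import re

HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"   # stands in for Fail2ban's <HOST> tag
# "[date] [module:level] [pid N(:tid N)] [client IP(:port)] " prefix of Apache error_log
APACHE = r"^\[[^\]]+\] \[[^\]]+\] \[pid \d+(?::tid \d+)?\] \[client " + HOST + r"(?::\d+)?\] "
# syslog prefix of Postfix's smtpd lines in /var/log/mail.log
SMTPD = r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "

# One or more failregex per jail (simplified here); any match counts as one failure for <host>.
FILTERS = {
    "apache-auth": [
        APACHE + r"(?:AH\d{5}: )?user \S+: authentication failure for \S+: Password Mismatch$",
        APACHE + r"(?:AH\d{5}: )?user \S+ not found(?:: \S+)?$",
    ],
    "apache-overflows": [
        APACHE + r"(?:AH\d{5}: )?Invalid (?:method|URI) in request .*$",
        APACHE + r"(?:AH\d{5}: )?request failed: URI too long \(longer than \d+\)$",
    ],
    "postfix": [
        SMTPD + r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 5\d\d 5\.\d+\.\d+ .*$",
    ],
    "sasl": [
        SMTPD + r"warning: \S+\[" + HOST + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(?::.*)?$",
    ],
}

# Constructed sample lines (not captured from a real host).
APACHE_LINES = [
    '[Thu Sep 19 10:12:13.123456 2024] [auth_basic:error] [pid 1234:tid 140] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/admin": Password Mismatch',
    '[Thu Sep 19 10:12:20.000001 2024] [auth_basic:error] [pid 1234:tid 140] [client 203.0.113.5:51240] AH01618: user guest not found: /admin',
    '[Thu Sep 19 10:13:00.000001 2024] [core:error] [pid 1234:tid 141] [client 198.51.100.7:40000] AH00565: request failed: URI too long (longer than 8190)',
    '[Thu Sep 19 10:14:00.000001 2024] [mpm_event:notice] [pid 1000:tid 1000] AH00489: Apache/2.4.58 configured -- resuming normal operations',
]
MAIL_LINES = [
    "Sep 19 10:20:01 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 19 10:20:02 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure",
    "Sep 19 10:21:00 mail postfix/smtpd[2346]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@example.org>: Relay access denied; from=<sender@example.net> to=<user@example.org> proto=ESMTP helo=<example.net>",
    "Sep 19 10:22:00 mail postfix/smtpd[2347]: connect from mx.example.com[192.0.2.10]",
]


def run_filter(jail, lines):
    """Apply a jail's failregex list to lines; return (hits, misses) like fail2ban-regex's summary."""
    patterns = [re.compile(p) for p in FILTERS[jail]]
    hits, misses = [], []
    for line in lines:
        for pat in patterns:
            m = pat.match(line)
            if m:
                hits.append((m["host"], line))
                break
        else:
            misses.append(line)
    return hits, misses


def hosts_matched(jail, lines):
    """The offending addresses in log order, one entry per matched line."""
    return [host for host, _ in run_filter(jail, lines)[0]]


if __name__ == "__main__":
    for jail, lines in (("apache-auth", APACHE_LINES), ("apache-overflows", APACHE_LINES),
                        ("postfix", MAIL_LINES), ("sasl", MAIL_LINES)):
        hits, misses = run_filter(jail, lines)
        print(f"[{jail}] matched {len(hits)} line(s), missed {len(misses)}: {hosts_matched(jail, lines)}")
```

The point of the miss list is the same as in the real tool: a successful connection or a server notice must not count as a failure, and a failure line that lands in the misses means the filter needs adjusting before the jail is useful. Against a live system, Fail2ban ships fail2ban-regex for exactly this check, for example fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf. Note that Fail2ban 0.9 and later renamed some of the jails and filters used in this post ([ssh] became [sshd] and [sasl] became [postfix-sasl]), so check the section names in your own jail.conf before copying them into jail.local.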

 

Save the file. To implement your changes, you'll need to restart the fail2ban service; do that by typing:

sudo service fail2ban restart

Check Postfix status

sudo fail2ban-client status postfix

Check SSH status

sudo fail2ban-client status ssh

Check Apache status

sudo fail2ban-client status apache
