Fail2ban

This page describes installing and configuring Fail2ban on Debian, with jails for SSH, Postfix, Dovecot and Apache.

Installation

# apt-get install fail2ban

To limit memory usage, add to /etc/default/fail2ban:

ulimit -s 256

TODO: IPv6 support

Configuration

Local config file

Create a local config file /etc/fail2ban/jail.local to override settings in jail.conf:

[DEFAULT]
destemail = root@localhost
banaction = shorewall
action    = %(action_mwl)s

These settings send a mail with detailed information on every ban and use shorewall to set the firewall rules.

SSH

To ban hosts after 3 failed SSH authentication attempts, add the following to /etc/fail2ban/jail.local:

[ssh]
enabled   = true
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
maxretry  = 3

Restart:

# /etc/init.d/fail2ban restart

Postfix and Dovecot

To ban hosts after 3 failed authentication attempts against Postfix or Dovecot, add the following to /etc/fail2ban/jail.local:

[dovecot]
enabled   = true
port      = pop3,pop3s,imap,imaps
filter    = dovecot
logpath   = /var/log/mail.log
maxretry  = 3

[postfix]
enabled   = true
port      = smtp,ssmtp
filter    = postfix
logpath   = /var/log/mail.log
maxretry  = 3

[sasl]
enabled   = true
port      = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter    = sasl
logpath   = /var/log/mail.log
maxretry  = 3

Fail2ban (Debian Squeeze) isn't shipped with a configuration for Dovecot, so create /etc/fail2ban/filter.d/dovecot.conf:

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
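Before relying on the jail, check that this failregex really matches the lines Dovecot writes. The following Python script is an added example (not part of Fail2ban or of this page's original text): it compiles the failregex above, runs it over constructed mail.log lines in Dovecot 1.x format, and reproduces the jail's maxretry/findtime counting. The sample lines, their timestamps and the 600 s findtime are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The dovecot failregex from the filter above, as Python re (what Fail2ban compiles it with).
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)
# Syslog timestamp at the start of each mail.log line (no year, as in the real file).
TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample mail.log lines in Dovecot 1.x format; not a real capture.
SAMPLE_LOG = """\
Jan 10 11:40:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.5, TLS
Jan 10 11:50:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.5, TLS
Jan 10 12:00:01 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Jan 10 12:00:05 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS
Jan 10 12:00:09 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Jan 10 12:00:14 mail dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): rip=198.51.100.7, lip=203.0.113.5
Jan 10 12:00:20 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS
Jan 10 12:00:30 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.5, TLS
"""


def parse_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches, like fail2ban-regex does."""
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        m = FAILREGEX.search(line)
        if ts and m:
            yield datetime.strptime(ts.group(1), "%b %d %H:%M:%S"), m.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry matches inside a findtime-second window (jail semantics)."""
    recent = defaultdict(list)   # host -> failure timestamps still inside the window
    banned = []
    for when, host in parse_failures(log_text):
        recent[host] = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        recent[host].append(when)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))   # ['198.51.100.7']
```

Only 198.51.100.7 reaches 3 failures within the window; 203.0.113.77 also fails 3 times but spread over more than findtime, so it is not banned. For the same check against the real log, Fail2ban ships fail2ban-regex: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf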

Restart fail2ban:

# /etc/init.d/fail2ban restart

Apache

To ban IPs after 3 failed HTTP authentication attempts, add the following to /etc/fail2ban/jail.local:

[apache]
enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3