Fail2ban – Framework to Block SSH Brute-force Attack

Fail2ban is a framework that scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Typically the framework is used to update firewall rules so that those IP addresses are rejected for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box, Fail2ban comes with filters for various services (apache, courier, ssh, etc.).


Fail2ban can reduce the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. If you really want to protect a service, configure it to accept only two-factor or public/private key authentication.

Main features available in Fail2ban are:

  • Client/Server architecture.
  • Multi-threaded.
  • Highly configurable using split configuration files.
  • Gamin/Pyinotify support.
  • Parses log files and looks for given patterns.
  • Executes command(s) when a pattern has been detected for the same IP address more than X times, in order to ban that address. X is configurable.
  • After a given amount of time, executes another command in order to unban the IP address.
  • Uses Netfilter/iptables by default, but can also use TCP Wrappers (/etc/hosts.deny) and many other firewalls/actions.
  • Handles log file rotation.
  • Can handle multiple services at once (sshd, apache, vsftpd, etc.).
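To make the parse / count / ban / unban cycle described above concrete, here is an added example that replays a few constructed sshd log lines through a minimal jail. It is not Fail2ban's own code: the regex is a simplified stand-in for Fail2ban's sshd failregex (the `host` group plays the role of the `<HOST>` tag), the `maxretry`, `findtime` and `bantime` names mirror Fail2ban's jail options, and the ban/unban "action" only records an event where the real framework would run an iptables or similar command.

```python
"""Minimal replay of a Fail2ban-style jail (added example, not Fail2ban code):
a filter regex pulls the offending host out of each log line, the jail counts
failures per host inside a sliding findtime window, and ban/unban actions fire
when maxretry is reached and when bantime expires."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for Fail2ban's sshd failregex (assumption, not the
# project's exact pattern). The named group "host" is the <HOST> equivalent.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog_ts(ts, year=2024):
    """syslog timestamps carry no year; assume one so time arithmetic works."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


class Jail:
    """Counts failures per host and drives ban/unban actions."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600, action=None):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # host -> failure times in window
        self.banned = {}                    # host -> scheduled unban time
        self.events = []                    # ("ban"|"unban", host, time)
        # Real Fail2ban would run e.g. an iptables/nftables command here.
        self.action = action

    def _fire(self, kind, host, when):
        self.events.append((kind, host, when))
        if self.action:
            self.action(kind, host, when)

    def expire_bans(self, now):
        """Unban every host whose bantime has elapsed (the 'unban' action)."""
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self._fire("unban", host, now)

    def observe(self, line):
        """Feed one log line; return the host if this line triggered a ban."""
        m = FAILREGEX.match(line)
        if not m:
            return None                      # not a failure line
        now = parse_syslog_ts(m.group("ts"))
        self.expire_bans(now)                # real Fail2ban does this on a timer
        host = m.group("host")
        if host in self.banned:
            return None                      # firewall already rejects it
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                 # slide the findtime window
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            window.clear()
            self._fire("ban", host, now)
            return host
        return None


def replay(lines, **jail_options):
    """Run every line through a fresh jail and return it for inspection."""
    jail = Jail(**jail_options)
    for line in lines:
        jail.observe(line)
    return jail


# Constructed sample log (documentation IP ranges, invented PIDs/ports).
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 10:00:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Jan 10 10:00:09 host sshd[1236]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Jan 10 10:00:12 host sshd[1237]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 10 10:00:15 host sshd[1238]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Jan 10 10:30:00 host sshd[1239]: Failed password for bob from 198.51.100.7 port 40002 ssh2",
    "Jan 10 11:05:00 host sshd[1240]: Failed password for bob from 198.51.100.7 port 40004 ssh2",
    "Jan 10 11:10:00 host sshd[1241]: Failed password for bob from 198.51.100.7 port 40006 ssh2",
]

if __name__ == "__main__":
    jail = replay(SAMPLE_LOG)
    for kind, host, when in jail.events:
        print(f"{when:%b %d %H:%M:%S} {kind:>5} {host}")
```

With the defaults (three failures inside ten minutes, one-hour ban), 203.0.113.5 is banned at 10:00:09 and unbanned the first time the jail's clock passes 11:00:09, while 198.51.100.7 never reaches three failures inside one findtime window because its first attempt slides out before the next two arrive. Hooking a real firewall in is a matter of passing an `action` callable; keeping that callable separate from the counting logic is also what lets you test the filter against captured logs without touching iptables.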

You can read more and download this tool over here: http://www.fail2ban.org/
