# Install fail2ban from the distribution repository (Debian/Ubuntu; run as root or via sudo).
apt-get install fail2ban
# Edit the local override file rather than jail.conf: jail.conf is replaced on
# package upgrades, whereas jail.local is read afterwards and its values win.
nano /etc/fail2ban/jail.local
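# SSH: ban hosts that repeatedly fail authentication (stock sshd filter).
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
# failures within findtime before a ban; findtime/bantime come from [DEFAULT]
maxretry = 6

# SSH connection floods / pre-auth disconnects. No maxretry is set here, so
# the [DEFAULT] value from jail.conf applies. Keep exactly one [ssh-ddos]
# section in this file: how a repeated section is resolved is parser-dependent.
# NOTE(review): newer fail2ban releases fold sshd-ddos into the sshd filter
# (mode = ddos / aggressive); confirm filter.d on the installed version.
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log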
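# nginx HTTP basic-auth failures. Ports are passed inside the action rather
# than via the port key. nginx-auth is not a stock fail2ban filter (stock
# ships nginx-http-auth) -- it must be provided in filter.d or the jail fails
# to start.
[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx/error.log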
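# Application login failures seen in the access log. Disabled; the
# nginx-login filter is custom and must exist in filter.d before enabling.
[nginx-login]
enabled = false
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx/access.log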
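# Known bad User-Agents. Reuses the stock apache-badbots filter, which works
# on the combined log format nginx writes by default. A single match bans.
[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx/access.log
maxretry = 1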
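# Clients trying to use the server as an open proxy. Custom nginx-proxy filter
# (must exist in filter.d). maxretry = 0 is the most aggressive setting --
# the first match bans; confirm the installed version accepts 0 rather than
# requiring 1.
[nginx-proxy]
enabled = true
filter = nginx-proxy
action = iptables-multiport[name=NoProxy, port="http,https"]
logpath = /var/log/nginx/access.log
maxretry = 0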
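# Request-rate limiter: more than 200 hits from one address within 120 s.
# Custom nginx-dos filter (must exist in filter.d). Unlike the other nginx
# jails here, only http is named, so an offender keeps https access;
# use port = http,https if both listeners should be covered.
[nginx-dos]
enabled = true
port = http
filter = nginx-dos
logpath = /var/log/nginx/access.log
# seconds
findtime = 120
maxretry = 200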
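# Dropbear SSH daemon (stock filter). Disabled; OpenSSH is handled by [ssh].
[dropbear]
enabled = false
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6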
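# Generic filter for PAM. Has to be used with an action which bans all ports,
# such as iptables-allports or shorewall.
[pam-generic]
enabled = false
# The pam-generic filter can be customized to monitor a specific subset of ttys.
filter = pam-generic
# The port is irrelevant for an all-ports ban action and is left only for
# possible reuse. The original template listed port twice (all / anyport);
# duplicate keys are parser-dependent, so only one value is kept.
port = anyport
banaction = iptables-allports
logpath = /var/log/auth.log
maxretry = 6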
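# Services refused by xinetd (stock filter). Bans on all ports and logs each
# blocked packet via iptables-multiport-log.
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2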
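# [ssh-ddos] is already defined near the top of this file with the active
# settings (enabled = true). The disabled duplicate that the stock template
# carried here was removed: a repeated section header is resolved differently
# by different parsers (merge, last-wins or error), which hides the effective
# configuration.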
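# SSH failures banned with the route action (null-route instead of a
# firewall rule). NOTE(review): logpath points at /var/log/sshd.log while the
# other SSH jails in this file read /var/log/auth.log -- verify the path
# before enabling, otherwise the jail watches a file that may not exist.
[ssh-route]
enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 6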
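# Here we use a combination of Netfilter/iptables and ipsets for storing
# large volumes of banned IPs. ipset comes in two versions: see `ipset -V`
# for which one to use. Requires the ipset package and kernel support.
# The original template repeated filter and banaction; duplicate keys are
# parser-dependent, so each is kept once.
[ssh-iptables-ipset4]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto4
logpath = /var/log/sshd.log
maxretry = 6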
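# Same as [ssh-iptables-ipset4] but for the ipset protocol-6 tooling.
[ssh-iptables-ipset6]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto6
logpath = /var/log/sshd.log
maxretry = 6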
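# HTTP servers
# Apache authentication failures. NOTE(review): the Apache jails below read
# /var/log/apache/error.log; Debian's apache2 package logs to
# /var/log/apache2/ -- verify the path before enabling any of them.
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache/error.log
maxretry = 6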
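# The default action is now multiport, so the apache-multiport jail was left
# only for compatibility with previous (<0.7.6-2) releases. It is identical
# to [apache] and should stay disabled when [apache] is enabled, or both would
# act on the same log lines.
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache/error.log
maxretry = 6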
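# Requests for script files (php, cgi, ...) that the site does not serve.
# The original template repeated port and filter; duplicate keys are
# parser-dependent, so each is kept once.
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache/error.log
maxretry = 6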
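# Overlong requests / buffer-overflow attempts reported by Apache.
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache/error.log
maxretry = 2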
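# Requests blocked by mod_security (requires mod_security logging to error.log).
[apache-modsecurity]
enabled = false
filter = apache-modsecurity
port = http,https
logpath = /var/log/apache/error.log
maxretry = 2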
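# Requests for ~user home directories that do not exist.
[apache-nohome]
enabled = false
filter = apache-nohome
port = http,https
logpath = /var/log/apache/error.log
maxretry = 2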
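# Ban attackers that try to use PHP's URL-fopen() functionality through
# GET/POST variables. Experimental, with more than a year of usage in
# production environments. No maxretry is set, so the [DEFAULT] value applies.
# logpath is a glob; fail2ban expands it, but the jail fails to start if it
# matches no file.
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log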
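# Clients tripping nginx's limit_req (requires limit_req_zone in nginx).
# Custom nginx-req-limit filter (must exist in filter.d); the stock
# equivalent is nginx-limit-req. The logpath glob covers per-site error logs.
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
# seconds: 10 limit_req hits within 600 s bans for 7200 s
findtime = 600
bantime = 7200
maxretry = 10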
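# Clients tripping nginx's limit_conn (requires limit_conn_zone in nginx).
# Custom nginx-conn-limit filter (must exist in filter.d).
[nginx-conn-limit]
enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
# seconds: 100 limit_conn hits within 300 s bans for 7200 s
findtime = 300
bantime = 7200
maxretry = 100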