Installation
# apt-get install fail2ban
To limit memory usage, add to /etc/default/fail2ban:
ulimit -s 256
Configuration
Local config file
Create a local config file /etc/fail2ban/jail.local to override settings in jail.conf:
SSH
To ban an IP address after 3 failed SSH authentication attempts, add the following to /etc/fail2ban/jail.local:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Restart:
# /etc/init.d/fail2ban restart
Postfix and Dovecot
To ban an IP address after 3 failed authentication attempts against Postfix or Dovecot, add the following to /etc/fail2ban/jail.local:
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3
Fail2ban (Debian Squeeze) isn’t shipped with a configuration for Dovecot, so create /etc/fail2ban/filter.d/dovecot.conf:
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
Restart fail2ban:
# /etc/init.d/fail2ban restart
Apache
To ban IPs after 3 failed login attempts, add the following to /etc/fail2ban/jail.local:
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3