Fail2ban is an intrusion prevention framework which scans the log files on your system (such as: var/log/secure) and spots repeated password failures.

Too many failures, and it will update your firewall to drop all traffic from the offending IP address. Pretty handy, and enough to stop the casual hacker with a dictionary attack.

Fail2ban is very flexible and can be configured to work with any service that writes to a logfile, but here’s the basics to get you up and protected in a few minutes.

1. Get the files

cd to /tmp for a nice place for them to land, then

wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download

2. Extract them

tar -xf fail2ban-0.8.4.tar.bz2

3. Head to the new directory and install

cd fail2ban-0.8.4

then (you need to have python installed)…

python setup.py install

All installed ok?

4. Get it starting up automatically

cp files/redhat-initd /etc/init.d/fail2ban

chkconfig --add fail2ban

chkconfig fail2ban on

5. Config

You’ll need to turn some stuff on, and fiddle with settings to your liking in:

/etc/fail2ban/jail.conf

If you’re enabling SSH-iptables, then the path for SSH monitoring needs to be changed to /var/log/secure

You can determine the services being monitored, number of retries a user is allowed, as well as the ban time in this settings file.

Once you’re configured, start the service with:

service fail2ban start

And you’re done.