Comments on Preventing Brute Force Attacks With Fail2ban On Debian Etch
Preventing Brute Force Attacks With Fail2ban On Debian Etch In this article I will show how to install and configure fail2ban on a Debian Etch system. Fail2ban is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.
17 Comment(s)
Comments
Would this jail.local config file work on Ubuntu server 8.04?
Thanks!
They haven't found mine yet ;). Been running non-standard for close to a year. It helps that I do filtering, and already use ipt_recent rules... that already helped, but I grew tired of seeing them at all, so I just changed port on the f**kers.
It's a matter of time. They will find you. Port scanning is common, and if you are not being scanned, maybe you are not very 'interesting' to them. That's not a bad thing, but if you haven't been brute-forced yet, you will be. Fail2ban is helpful, as are any of the other brute-force scripting tools out there (and there are dozens of them).
Use portsentry + fail2ban + ssh on a non-default port.
Excellent guide, works right away. And you know what, the 'smart' bots now seem to know we are using fail2ban and have completely stopped attacking my port 22. I am sure they have a 'central bot database network' which stops other bots from wasting time attacking my IP.
In my opinion, fail2ban is:
- efficient
- very easy to configure
- lightweight
I have fail2ban installed on my personal server, which was often attacked by robots via ssh.
Fail2ban blocks all robots; consequently my system has more free RAM and CPU.
Regards,
Jagabullox.
In the case of bots attacking sshd you could just put it on a non-standard port ;) definitely since you're talking about a private (home) server.
Using a non-standard port is not considered effective or practical for clients. Any good bot will port scan. Server maintenance is an ongoing practice. Fail2ban looks good.
I changed my port but that doesn't help. In a few hours bots find my new port.
Occasionally fail2ban will refuse to restart. If I don't check my mail every morning and have a look at the start/stop mails, I'll run into trouble after a while. Fail2ban will refuse to work, processes will hang, and I'll have to kill them manually, delete the PID file and fire fail2ban up again :(
Well, just a minor correction in Falko's example jail.local section,
as copied verbatim below:
[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5
The variable logpath above should point to:
logpath = /var/log/apache*/*access.log
That's all.
I have this working under Ubuntu 8.04. It's been mentioned a couple of times in the forum.
If you get this message in your logfile:
WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
I managed to get it running with the following changes:
In /etc/fail2ban/jail.conf I removed the regex line:
[pop3d]
enabled = true
port = pop3
filter = pop3d
logpath = /var/log/mail.log
maxretry = 5
THANKS!
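The failregex quoted in the warning above is only useful once you can see what fail2ban does with it: the `<HOST>` placeholder is expanded to a capturing group, each matching log line adds one failure for the captured host, and the host is banned once it reaches maxretry. The following is an added example (not code from the article, the commenters, or the fail2ban project) that reproduces that logic in plain Python so the courierpop3 pattern can be tested against sample lines offline. Assumptions: the `HOST_RE` expansion is a simplification of fail2ban's own, the log lines are constructed for the example, and the findtime window and the `ignoreip` whitelist are reduced to the minimum needed to show the idea.

```python
import re
from collections import defaultdict

# Assumption: simplified stand-in for fail2ban's <HOST> expansion. It tolerates
# the IPv4-mapped "::ffff:" prefix that courier writes and captures the address.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the jail.conf line quoted in the warning above (raw string,
# so the backslashes are the real pattern, not the doubled Python repr form).
COURIERPOP3_FAILREGEX = r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]"

# Constructed log lines (not captured from a real server): five failures from
# one host, two from another, one successful login and one unrelated line.
SAMPLE_LOG = [
    "Jan  3 10:01:02 mx courierpop3login: LOGIN FAILED, ip=[::ffff:192.0.2.10]",
    "Jan  3 10:01:05 mx courierpop3login: LOGIN FAILED, ip=[::ffff:192.0.2.10]",
    "Jan  3 10:01:09 mx courierpop3login: LOGIN FAILED, ip=[::ffff:198.51.100.7]",
    "Jan  3 10:01:11 mx courierpop3login: LOGIN, user=bob, ip=[::ffff:203.0.113.5]",
    "Jan  3 10:01:14 mx courierpop3login: LOGIN FAILED, ip=[::ffff:192.0.2.10]",
    "Jan  3 10:01:20 mx courierpop3login: LOGIN FAILED, ip=[::ffff:198.51.100.7]",
    "Jan  3 10:01:21 mx sshd[4242]: Failed password for root from 192.0.2.10 port 5555 ssh2",
    "Jan  3 10:01:25 mx courierpop3login: LOGIN FAILED, ip=[::ffff:192.0.2.10]",
    "Jan  3 10:01:30 mx courierpop3login: LOGIN FAILED, ip=[::ffff:192.0.2.10]",
]


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> to a named capturing group and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def extract_host(line: str, pattern: "re.Pattern[str]"):
    """Return the host a failregex captures from one log line, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def scan(lines, failregex, maxretry=5, ignoreip=()):
    """Count failures per host and report which hosts reach maxretry.

    ignoreip mirrors the jail option of the same name in a reduced form:
    exact address matches are never counted (fail2ban also accepts CIDR
    ranges and hostnames). No findtime window is modelled, so every
    failure in the input counts regardless of how far apart they are.
    Returns (counts dict, list of banned hosts in ban order).
    """
    pattern = compile_failregex(failregex)
    counts = defaultdict(int)
    banned = []
    for line in lines:
        host = extract_host(line, pattern)
        if host is None or host in ignoreip:
            continue
        counts[host] += 1
        if counts[host] == maxretry:
            banned.append(host)  # a real jail would now add the iptables rule
    return dict(counts), banned


if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG, COURIERPOP3_FAILREGEX, maxretry=5)
    for host, n in sorted(counts.items()):
        print(f"{host}: {n} failed login(s)")
    print("banned:", banned)
```

Two things the run makes visible: the sshd line and the successful POP3 login never reach the counter, because the failregex is anchored on `LOGIN FAILED` and on the `ip=[...]` bracket form, and a host only appears in `banned` on the attempt that reaches maxretry, which is why a `maxretry = 5` jail lets four guesses through. Passing the address of a trusted internal client in `ignoreip` is the equivalent of the jail.conf whitelist for cases where fail2ban is banning your own machines.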
Great! I didn't know you could actually write your regular expressions directly into the .local files. I had them in separate files after following this guide: http://penguinapple.blogspot.com/2010/12/installing-fail2ban-other-step-in.html. I guess that if you get a lot of rules separate files are ok too.
Thanks for taking the time to write this.
Hey, thanks for your excellent guides, but anyway fail2ban blocks my internal xrdp connection. How can I monitor xrdp?
regards, DR
There are a number of tools to address brute force/dictionary attacks. Fail2ban and DenyHosts are two that have been around the longest. I recently switched from fail2ban to sshguard, because it's written in C and it seems more consistently maintained. Also, sshguard did not require any configuration besides apt-get on my Debian box.
The howtoforge.com is now my biggest reference in terms of Linux servers, especially the master Falko Timme to whom I am very grateful.
Happiness and long life to all who do Howtoforge.