fail2ban

This intrusion detection system can be configured to analyse log files using given regular expressions and to generate firewall rules for different firewalls. fail2ban is also written in Python, which makes it a very portable solution that can be used on many different operating systems.

The configuration is simple. We assume the settings folder of fail2ban to be /usr/local/etc/fail2ban/ (this may vary). Inside that folder there are subfolders called action.d, filter.d and jail.d, and once one knows what files under jail.d are expected to look like, the configuration becomes relatively trivial:
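A jail file of the kind described here, added as an example (it is not the page's own file); the file name, the logpath and the numeric values are assumptions:

```ini
; Added example: /usr/local/etc/fail2ban/jail.d/bsd-sshd.conf (file name assumed)
; The section name must be the jail's own name, otherwise fail2ban-client status
; will not list the jail.
[bsd-sshd]
enabled  = true
; regular expressions come from filter.d/bsd-sshd.conf
filter   = bsd-sshd
; log file sshd writes to; /var/log/auth.log is assumed, adjust for your syslog setup
logpath  = /var/log/auth.log
; ban an address after 5 matching entries within findtime seconds
maxretry = 5
findtime = 600
; keep the ban for one hour (seconds)
bantime  = 3600
; block the address via action.d/pf.conf; on Linux replace pf with iptables
action   = pf
```

Reload with `fail2ban-client reload` and check `fail2ban-client status bsd-sshd` to confirm the jail is active.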

This file defines that there must be another configuration file, called bsd-sshd, inside the filter.d folder; you will find many such filters pre-installed there. Once maxretry entries from a given IP address are found within the given time window, the action is performed. How the action works is defined in a file under action.d, called pf.conf in this example, which instructs the pf firewall to block the IP address. Porting this setup to a Linux machine can therefore be done by replacing pf with iptables.

Quick reference

Common mistakes

– the configuration files under jail.d must start with their own name in square brackets, or they will not be picked up or shown by fail2ban-client status

max,