
Re: fail2ban [was: howto block ssh brute-force]



On 03/13/2006, johannes weiß wrote:

> this is the std config. But it's widely configurable (e.g.:
> --- SNIP (fail2ban.conf, std config) ---
> fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
> fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
> maxfailures = 5
> bantime = 600
> findtime = 600
> --- SNAP ---
> 
> 
>> to iptables whenever 1.2.3.4/32 has too many login failures?
>>   
> 
> 
> it executes "fwban" if an IP has more than "maxfailures" failures in "findtime". This ban will be removed after "bantime" seconds.
> Also configurable:
> - Mail sending
> - Apache (htaccess) checks
> - I'm pretty sure that also other auth-log-files could be parsed (by regexp) if you want to.
> 
> 
>> Does it expire entries?
>>   
> 
> 
> (yes after "bantime" seconds)

Here's a recent entry from /var/log/fail2ban.log:

2006-03-13 12:57:55,516 INFO: SSH: 161.45.164.113 has 6 login failure(s). Banned.
2006-03-13 12:57:55,532 WARNING: SSH: Ban 161.45.164.113
2006-03-13 13:07:55,742 WARNING: SSH: Unban 161.45.164.113

Search for fail2ban or ssh brute force attacks on debian-user for more
discussions on the subject.

Regards,
Ralph
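The maxfailures / findtime / bantime behaviour described in the quoted reply, and the ban/unban sequence in the log above, as an added Python example (not fail2ban's own code): it counts sshd "Failed password" lines per source address in a sliding window, bans on the sixth failure and lifts the ban once bantime has elapsed. The simplified sshd log format, the sample addresses and the timing values are assumptions.

```python
import re
from collections import defaultdict, deque
# Values from the quoted fail2ban.conf excerpt
MAXFAILURES = 5
FINDTIME = 600   # seconds in which failures are counted
BANTIME = 600    # seconds a ban stays in place

# sshd "Failed password ... from <ip>" line (assumed, simplified format)
FAIL_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")
class BanTracker:
    """Sliding-window failure counter with expiring bans."""
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.bans = {}                       # ip -> time the ban expires
        self.events = []                     # ("ban"|"unban", ip, time)

    def expire(self, now):
        """Lift bans whose bantime has elapsed (the 'Unban' log line)."""
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("unban", ip, now))

    def observe(self, now, line):
        """Feed one auth-log line seen at time `now` (seconds)."""
        self.expire(now)
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > FINDTIME:  # forget failures outside findtime
            window.popleft()
        if ip not in self.bans and len(window) > MAXFAILURES:
            self.bans[ip] = now + BANTIME    # this is where fwban would run
            self.events.append(("ban", ip, now))
            window.clear()
            return ip
        return None

def simulate():
    """Constructed sample: six failures from one host, then bantime passes."""
    t = BanTracker()
    fmt = "sshd[123]: Failed password for invalid user admin from {} port 4022 ssh2"
    for i in range(6):
        t.observe(i * 10, fmt.format("192.0.2.10"))
    t.expire(50 + BANTIME)  # bantime elapsed: ban on 192.0.2.10 is lifted
    return t.events
```

Six failures spaced more than findtime apart never reach the threshold, which is the case the window check handles.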


