
Responding to attacks using fail2ban

Created by yves. Last edited by yves, one year and 158 days ago.


Internet-facing servers are constantly probed by malicious agents. They may be trying to brute-force the root account, as explained in knowledgebase/linux/misc/Preventing Brute Force SSH Attacks, posting spam comments or trackbacks on your site, or simply trying to take your server down.

This is a daily problem for many sysadmins, especially with the growth in the number and size of so-called botnets. A botnet is a network of hijacked computers controlled by black hats; it is used to generate revenue from bulk spam, or to take servers or whole networks down through DDoS.

Since these attacks come from many sources, including DSL and dial-up hosts, it is virtually impossible to react in the traditional way, that is, mailing the abuse@ contact for every one of those hosts and coordinating a solution.

Fail2ban as a simple but effective defense system against brute force and DDoS attacks

At Rimuhosting we have found that FOSS tools like Fail2ban are a very effective way to defend a server against these remote attacks.

Fail2ban is a tool that scans log files and reacts to possible attacks with pre-defined measures, such as adding firewall rules against the offending address. It ships with a set of default rules (jails) which you can activate after installation by changing a few lines in a config file; it will then monitor your logs for known attack patterns.

It is not hard to install or use, and it can be customised in many ways to help keep your server up and running.

It can be seen as a very simple IDS and IPS. It is much less powerful and flexible than Snort (http://www.snort.org/), but much simpler and more lightweight, which makes it a good fit for a VPS. One caveat: it only sees what is written to the logs, and it bans per source address. That stops brute-force attempts and abusive single hosts well, but a distributed attack spread over many addresses, each staying below the retry threshold, will largely pass through it.
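To make the mechanism concrete, here is an added example (not code from the original page or from the fail2ban project) that models fail2ban's decision loop in plain Python: a filter regex carrying fail2ban's <HOST> token is run over log lines, failures are counted per host inside a sliding findtime window, and a host that reaches maxretry is "banned" for bantime seconds. The jail.local fragment and the auth.log lines are constructed sample data, <HOST> is expanded to a plain IPv4 capture (fail2ban's real expansion also covers IPv6 and hostnames), and the firewall action is only rendered as an argv list, never executed.

```python
"""Model of a fail2ban jail: filter regex -> per-host failure window -> ban.
Added example; assumptions are marked inline. Not fail2ban's own code."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment in the shape fail2ban reads (section and
# option names are fail2ban's; the values are chosen for this example).
JAIL_LOCAL = """
[sshd]
enabled  = true
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 3600
"""

# Simplified version of a fail2ban sshd failregex; <HOST> marks the offender.
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"
HOST_CAPTURE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # assumption: IPv4 only

# Constructed auth.log lines (syslog format: timestamp without a year).
SAMPLE_LOG = """\
Apr 29 10:00:01 vps sshd[1234]: Failed password for root from 203.0.113.5 port 40000 ssh2
Apr 29 10:00:03 vps sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Apr 29 10:00:04 vps sshd[1236]: Accepted publickey for yves from 198.51.100.7 port 50000 ssh2
Apr 29 10:00:05 vps sshd[1237]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr 29 10:00:06 vps sshd[1238]: Failed password for root from 198.51.100.9 port 40003 ssh2
Apr 29 10:00:07 vps sshd[1239]: Failed password for root from 192.0.2.10 port 40004 ssh2
Apr 29 10:00:08 vps sshd[1240]: Failed password for root from 192.0.2.11 port 40005 ssh2
Apr 29 10:20:00 vps sshd[1241]: Failed password for root from 198.51.100.9 port 40006 ssh2
Apr 29 10:40:00 vps sshd[1242]: Failed password for root from 198.51.100.9 port 40007 ssh2
"""


def load_jail(text, name="sshd"):
    """Read one jail's thresholds from a jail.local-style ini fragment."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    sec = cfg[name]
    return {
        "enabled": sec.getboolean("enabled"),
        "maxretry": sec.getint("maxretry"),
        "findtime": sec.getint("findtime"),
        "bantime": sec.getint("bantime"),
    }


def compile_filter(failregex, host_capture=HOST_CAPTURE):
    """Expand fail2ban's <HOST> token into a real named capture group."""
    return re.compile(failregex.replace("<HOST>", host_capture))


def parse_timestamp(line, year=2007):
    # syslog lines carry no year; the caller supplies one (assumption for the model)
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def ban_command(host, chain="f2b-sshd"):
    """Shape of the iptables rule fail2ban's default action inserts (illustrative only)."""
    return ["iptables", "-I", chain, "1", "-s", host, "-j", "REJECT"]


def scan(log_text, jail, failregex=FAILREGEX):
    """Return {host: ban_expiry} for hosts with maxretry failures inside findtime."""
    if not jail["enabled"]:
        return {}
    rx = compile_filter(failregex)
    window = timedelta(seconds=jail["findtime"])
    recent = defaultdict(deque)     # host -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue                # successful logins and unrelated lines never count
        host = m.group("host")
        if host in banned:
            continue                # already banned: the firewall rule handles it now
        ts = parse_timestamp(line)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # forget failures older than findtime
        if len(q) >= jail["maxretry"]:
            banned[host] = ts + timedelta(seconds=jail["bantime"])
            # a real jail would now run its action, e.g. ban_command(host)
    return banned


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    for host, until in scan(SAMPLE_LOG, jail).items():
        print(f"ban {host} until {until:%H:%M:%S}:", " ".join(ban_command(host)))
```

Running it bans only 203.0.113.5, which fails three times within a few seconds. 198.51.100.9 also fails three times but twenty minutes apart, so with findtime = 600 each attempt has aged out of the window before the next arrives; raise findtime to 3600 and it is banned too. 192.0.2.10 and 192.0.2.11 each try once and never reach maxretry, which is exactly the distributed case the caveat above describes: per-address counting cannot see an attack that is spread thinly enough.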

(how to install)

(standard config)

(custom config)

(references)

Securing Your Server

http://www.fail2ban.org

http://debaday.debian.net/2007/04/29/fail2ban-an-enemy-of-script-kiddies
