Thursday, October 23, 2014

Automatically block IP addresses with many failed logins to an SSH server

1- Install the SSH server and start its service
root@server# apt-get install openssh-server
root@server# service ssh restart

2- Install fail2ban and run it (fail2ban will analyze the log and automatically block IP addresses)
root@server# apt-get install fail2ban
root@server# service fail2ban restart

3- Test and check the result
root@server# tail -f /var/log/fail2ban.log
2014-10-23 08:25:58,225 fail2ban.jail   : INFO   Jail 'ssh' stopped
2014-10-23 08:25:58,226 fail2ban.server : INFO   Exiting Fail2ban
2014-10-23 08:25:58,436 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-10-23 08:25:58,436 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-10-23 08:25:58,437 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2014-10-23 08:25:58,495 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-10-23 08:25:58,496 fail2ban.filter : INFO   Set maxRetry = 6
2014-10-23 08:25:58,496 fail2ban.filter : INFO   Set findtime = 600
2014-10-23 08:25:58,496 fail2ban.actions: INFO   Set banTime = 600
2014-10-23 08:25:58,515 fail2ban.jail   : INFO   Jail 'ssh' started



----note--- the ssh rule is added automatically when fail2ban is installed ---

Using a client at IP address 10.0.3.1, log in incorrectly many times





Check the iptables rules on the server
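
How the settings in the log above (maxRetry = 6, findtime = 600, banTime = 600) turn failed logins into a ban, as an added example that is not from the original post or from fail2ban's own code. The regex is a simplified stand-in for fail2ban's sshd filter, and the log lines, the host name `server` and the addresses 10.0.3.7 and 10.0.3.9 are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values reported in the fail2ban.log output above
MAX_RETRY = 6                        # Set maxRetry = 6
FIND_TIME = timedelta(seconds=600)   # Set findtime = 600
BAN_TIME = timedelta(seconds=600)    # Set banTime = 600

# Simplified stand-in for fail2ban's sshd filter (assumption: the real one matches more messages)
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_bans(lines, year=2014):
    """Return [(ip, banned_at, unban_at)] for the given auth.log lines."""
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # not a failed login, ignored
        # syslog timestamps carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue              # address is already banned
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()      # failure is older than findtime
        if len(window) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

def sample_log():
    """Constructed auth.log lines: 6 fast failures, 6 slow ones, 1 success."""
    fail = "Oct 23 {} server sshd[2101]: Failed password for {} from {} port 40022 ssh2"
    fast = [fail.format(f"08:30:{s:02d}", "root", "10.0.3.1") for s in range(1, 13, 2)]
    slow = [fail.format(f"08:{m:02d}:00", "invalid user admin", "10.0.3.7") for m in range(0, 18, 3)]
    ok = ["Oct 23 08:31:00 server sshd[2102]: Accepted password for bob from 10.0.3.9 port 40100 ssh2"]
    return slow[:3] + fast + ok + slow[3:]

if __name__ == "__main__":
    for ip, start, end in find_bans(sample_log()):
        print(f"Ban {ip} at {start:%H:%M:%S}, unban at {end:%H:%M:%S}")
```

10.0.3.7 also fails six times, but spread over 15 minutes, so no six failures fall inside one 600-second findtime window and it is not banned.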

