Actively Combat Hackers on Your Linux Server With Fail2Ban

 (Photo credit: Wikipedia)

I've already mentioned that I have moved off of Google Apps for my email onto my own email server running on Linux using iRedmail. One of the components that comes with the iRedmail package is a really bad-ass utility that acts as a one application army for combating hackers who are trying to gain access to your Linux server.

The tool is called Fail2Ban, and it works along side your iptables firewall by actively scanning your server's logs for suspicious activity, and automatically creating firewall rules to thwart the attacker.

From their page:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, curier, ssh, etc).

It works so good in fact, that when I setup a monitor for my webmail page that pings the site every five minutes, Fail2Ban thought it was suspicious and blocked them. I had to add their IP's to the Fail2Ban ignore list to get monitoring to work again.

Do you use Fail2Ban? Do you know of something better? Let us know in the comment.

Related articles

• Fail2ban 0.8.9, Denial of Service (Apache rules only)
• Fail2ban
• Seguridad en servidores 0 8-6
• Sshguard