====== Fail2ban ======
I use fail2ban on public-facing services to monitor their logs and block remote IPs that are brute-forcing usernames and passwords. Because it works purely from log lines, each filter's regex and timestamp parsing should be checked against real log output (`fail2ban-regex`) before the jail is relied on.
Debian Installation
SSH
Dovecot
Asterisk
====== Debian Installation ======
# python-gamin supplies the gamin file-monitoring backend that "backend = auto"
# below can select; if your release no longer packages it, install fail2ban
# alone and the auto backend will pick another monitor.
aptitude install python-gamin fail2ban
/etc/fail2ban/jail.local:
[DEFAULT]
# Seconds a banned address stays blocked (30 minutes).
bantime = 1800
# Failures from one address before it is banned; they are counted within
# findtime, which is not set here, so the package default applies.
maxretry = 3
# Sources that are never banned. 10.1.0.0/16 exempts the whole internal
# network, so brute-force attempts from a compromised internal host are
# never blocked by any jail.
ignoreip = 127.0.0.1 10.1.0.0/16
# Default action for any jail that does not set its own. The stock mail
# action only sends a notification and installs no firewall rule, so a jail
# relying on this default is alert-only; every jail on this page overrides it.
action = mail
# Log-monitoring backend; auto uses gamin (python-gamin above) when present
# and otherwise falls back to another monitor.
backend = auto
====== SSH ======
/etc/fail2ban/jail.local:
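[ssh]
enabled = true
filter = sshd
logpath = /var/log/auth.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 4
# Two actions: shorewall blocks the address (the stock shorewall action drops
# all traffic from it, not only SSH), sendmail-whois-lines mails the ban
# together with a whois lookup (an external query on every ban) and the
# matching log lines. The second action MUST be indented: fail2ban's
# configparser-based reader only treats an indented line as a continuation
# of the previous value; unindented, it is parsed as an unrelated key and the
# mail action is never run.
action = shorewall[name=%(__name__)s]
         sendmail-whois-lines[name=%(__name__)s,logpath=%(logpath)s]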
====== Dovecot ======
/etc/fail2ban/filter.d/dovecot.conf:
# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#
# NOTE(review): if the installed fail2ban already ships its own
# filter.d/dovecot.conf, this file replaces it and a package upgrade may
# overwrite it again; in that case save it under a distinct name (e.g.
# dovecot-checkpassword.conf) and point the jail's "filter =" at that name.
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
# Mar 21 19:06:55 hostname dovecot: auth(default): checkpassword(username,127.0.0.1): Child 15191 exited with status 111
# NOTE(review): this matches every checkpassword exit logged in this form,
# whatever the status. In the checkpassword convention 111 is a temporary
# failure rather than a rejected password, so confirm the script exits this
# way only on bad credentials; otherwise a backend outage bans legitimate
# clients.
# The username part is attacker-supplied. Because .* is greedy, the LAST
# ",<HOST>):" on the line wins, so a username containing ",<ip>):" cannot
# shift the captured address as long as Dovecot prints the real one after it
# (as in the sample); keep it greedy.
# Verify with: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf
failregex = checkpassword\(.*,<HOST>\):
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/etc/fail2ban/jail.local:
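[dovecot]
enabled = true
# Name of the filter file in /etc/fail2ban/filter.d (dovecot.conf).
filter = dovecot
logpath = /var/log/mail.log
# bantime / maxretry / ignoreip come from [DEFAULT]. The second action MUST
# be indented: fail2ban's configparser-based reader only treats an indented
# line as a continuation of the previous value; unindented, it is parsed as
# an unrelated key and the mail action is never run.
action = shorewall[name=%(__name__)s]
         sendmail-whois-lines[name=%(__name__)s,logpath=%(logpath)s]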
====== Asterisk ======
/etc/fail2ban/filter.d/asterisk.conf:
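# Fail2Ban configuration file
#
# Author: Ian Samuel
#
# $Id$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
# [Apr 9 09:53:50] NOTICE[816]: chan_sip.c:15699 handle_request_register: Registration from 'sip:123@siphacker' failed for '192.168.1.200' - No matching peer found
# The quoted "from" value is attacker-supplied (the SIP From header). It is
# matched greedily, so the LAST "' failed for '<HOST>'" on the line -- the
# one Asterisk itself appends -- is the address captured, even if the header
# carries a forged copy of that text.
# Newer Asterisk releases log the source as '<ip>:<port>'; the optional
# (?::\d+)? accepts both that and the older form shown above. Check against
# your own log with:
#   fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
failregex = Registration from '.*' failed for '<HOST>(?::\d+)?'
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =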
/etc/fail2ban/jail.local:
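[sip]
enabled = true
# Name of the filter file in /etc/fail2ban/filter.d (asterisk.conf).
filter = asterisk
logpath = /var/log/asterisk/messages
# Port and protocol handed to the iptables action; "sip" is resolved via
# /etc/services (normally 5060).
port = sip
protocol = udp
# Unlike the shorewall action used for the other jails, the stock iptables
# action blocks only this port/protocol, so if chan_sip also listens on TCP
# or TLS (5061) a banned host can still reach those. The second action MUST
# be indented: fail2ban's configparser-based reader only treats an indented
# line as a continuation of the previous value; unindented, it is parsed as
# an unrelated key and the mail action is never run.
action = iptables[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
         sendmail-whois-lines[name=%(__name__)s,logpath=%(logpath)s]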
/etc/asterisk/logger.conf:
[general]
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
; see strftime(3) Linux manual for format specifiers
; fail2ban has to parse this timestamp to count failures within findtime.
; The sample line in the asterisk filter still shows the default
; "[Apr 9 09:53:50]" form, so after changing this run fail2ban-regex against
; a fresh log line to confirm both the date and the failregex are recognised.
dateformat=%F %T