wget -O fail2ban-0.8.4.tar.bz2 "http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=transact"
tar xf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
su
python setup.py install
cp files/redhat-initd /etc/init.d/fail2ban
su -
chkconfig --add fail2ban
chkconfig fail2ban on
vi /etc/fail2ban/jail.conf

Then go through the various sections (e.g. [ssh-iptables]), set enabled = true for the ones you want,
and change lines like these (in /etc/fail2ban/jail.conf):

sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/sshd.log

to your own email address and a sender address that works for your mail setup; so if you run example.com you might change them to:

sendmail-whois[name=SSH, dest=cameron@example.com, sender=fail2ban@example.com]
logpath  = /var/log/secure

(on CentOS you have to change the logpath to /var/log/secure)
If you use [sasl-iptables], change the logpath to /var/log/maillog.
Then, of course, start it (or reboot):

service fail2ban start

You can test the rules with:

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
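To see what that fail2ban-regex check is doing, here is an added Python example (not from this post and not fail2ban's own code) that applies a few sshd-style failregex patterns to a constructed /var/log/secure excerpt and reports which hosts would cross a maxretry threshold. The patterns, the simplified syslog prefix, the <HOST> expansion and the sample log lines are assumptions written for this example, not copied from the installed filter.

```python
import re
from collections import defaultdict

# Hypothetical subset of sshd failregex lines in the style of filter.d/sshd.conf
# (the real filter carries more patterns and is the one to test against).
FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sInvalid user .* from <HOST>\s*$",
]
# Simplified stand-in for fail2ban's __prefix_line: "<mon> <day> <time> <host> sshd[<pid>]: "
PREFIX_LINE = r"\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+sshd\[\d+\]:\s+"
# Assumed expansion of the <HOST> tag into a named group (mirrors fail2ban's approach).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def compile_failregex():
    """Substitute the prefix and <HOST> tag and compile each pattern."""
    compiled = []
    for pat in FAILREGEX:
        pat = pat.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_TAG)
        compiled.append(re.compile(pat))
    return compiled

def matching_hosts(lines, regexes=None):
    """Return the host from every line that matches a failregex, like fail2ban-regex's match list."""
    regexes = regexes or compile_failregex()
    hits = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break  # one match per line is enough
    return hits

def hosts_to_ban(lines, maxretry=3):
    """Hosts that reach maxretry failures; real fail2ban also limits this to a findtime window."""
    counts = defaultdict(int)
    for host in matching_hosts(lines):
        counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed /var/log/secure excerpt using documentation (RFC 5737) addresses.
SAMPLE_SECURE_LOG = [
    "Mar  3 10:01:12 web1 sshd[2231]: Failed password for root from 203.0.113.5 port 51042 ssh2",
    "Mar  3 10:01:15 web1 sshd[2231]: Failed password for root from 203.0.113.5 port 51042 ssh2",
    "Mar  3 10:01:19 web1 sshd[2240]: Invalid user admin from 203.0.113.5",
    "Mar  3 10:02:01 web1 sshd[2255]: Accepted publickey for cameron from 198.51.100.7 port 40120 ssh2",
    "Mar  3 10:02:44 web1 sshd[2260]: Failed password for invalid user test from 198.51.100.9 port 4022 ssh2",
]
```

If a line from your real log does not show up in matching_hosts, the filter needs a pattern for it, which is exactly the gap fail2ban-regex is meant to reveal.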

The defaults worked fine for me, but you might want to look here for some alternate CentOS sshd rules.

What doesn’t work for me is a rule to ban attacks on my mail server. More on that when I find a good solution.

Links
http://www.sonoracomm.com/support/18-support/228-fail2ban
