HOWTO Setup fail2ban
# emerge -v fail2ban
# emacs -nw /etc/fail2ban/jail.conf
Scroll to the "[ssh-iptables]" section, enable it, and find the line that says:
logpath = /var/log/sshd.log
and change it to (Gentoo):
logpath = /var/log/auth.log
Comment out the default backend line and set the backend to gamin:
#backend = auto
backend = gamin
Comment out the "mail-whois" actions.
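As an added illustration (not text from the original HOWTO), this is what the relevant parts of jail.conf look like once the steps above are applied. The filter, action and maxretry lines are assumed to match the stock fail2ban 0.8 jail.conf and the mail addresses are placeholders; only the enabled, backend, logpath and commented-out mail lines are the edits the HOWTO describes.

```ini
# Added example of the edited jail.conf, not from the original HOWTO.
# Assumption: filter/action/maxretry are the stock fail2ban 0.8 defaults.
[DEFAULT]
# Gentoo with gamin installed: get file-change notifications instead of polling
#backend = auto
backend = gamin

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# mail action disabled: without a working MTA every ban would queue a mail
#sendmail-whois[name=SSH, dest=root@example.invalid, sender=fail2ban@example.invalid]
# Gentoo writes sshd messages to auth.log, not sshd.log
#logpath = /var/log/sshd.log
logpath  = /var/log/auth.log
maxretry = 5
```

Keep the commented-out mail line at column 0: fail2ban's config parser treats an indented line as a continuation of the previous value, so an indented comment would become part of the action string.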
root@hostname ~ # /etc/init.d/fail2ban start
 * Starting fail2ban
root@hostname ~ # rc-update add fail2ban default
 * fail2ban added to runlevel default
Check the log file:
# tail /var/log/fail2ban.log
and
# tail -f /var/log/fail2ban.log
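Reading the log with tail shows individual events; to see which addresses a jail currently has banned, the Ban and Unban lines have to be paired up. The script below is an added example, not from the original HOWTO: the log lines are constructed samples in fail2ban 0.8's log format and the function names are my own. Feed it the real file with `active_bans "$(cat /var/log/fail2ban.log)" ssh-iptables`.

```sh
#!/bin/sh
# Added example (not part of the HOWTO): summarise fail2ban Ban/Unban events.
# SAMPLE_LOG holds constructed lines in the fail2ban 0.8 format:
#   date time component: LEVEL [jail] Ban|Unban ip
SAMPLE_LOG='2011-03-01 10:00:01,123 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
2011-03-01 10:00:05,456 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7
2011-03-01 10:02:30,789 fail2ban.actions: WARNING [vsftpd-iptables] Ban 192.0.2.10
2011-03-01 10:10:01,001 fail2ban.actions: WARNING [ssh-iptables] Unban 192.0.2.10'

# active_bans LOGTEXT JAIL
# Prints the number of addresses still banned in JAIL: each Ban adds one,
# each Unban for the same address removes one. Fields (awk): $5 is the
# bracketed jail name, $6 the action, $7 the address.
active_bans() {
    printf '%s\n' "$1" | awk -v jail="[$2]" '
        $5 == jail && $6 == "Ban"   { n[$7]++ }
        $5 == jail && $6 == "Unban" { n[$7]-- }
        END { c = 0; for (ip in n) if (n[ip] > 0) c++; print c }'
}

# ban_counts LOGTEXT
# Prints every address that was banned in any jail, with the number of
# Ban events against it, sorted by address. Repeat offenders across
# jails (here 192.0.2.10, banned by both ssh and vsftpd) stand out.
ban_counts() {
    printf '%s\n' "$1" | awk '
        $6 == "Ban" { n[$7]++ }
        END { for (ip in n) print ip, n[ip] }' | sort
}

# Stand-alone usage on the constructed sample
echo "ssh-iptables active bans: $(active_bans "$SAMPLE_LOG" ssh-iptables)"
echo "vsftpd-iptables active bans: $(active_bans "$SAMPLE_LOG" vsftpd-iptables)"
echo "ban events per address:"
ban_counts "$SAMPLE_LOG"
```

The count from active_bans should match the number of DROP rules in the corresponding fail2ban-* chain of `iptables -L`; a mismatch (for example after a restart of iptables that flushed the chains while fail2ban kept running) is the first thing to check when a banned host is still getting through.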
Check iptables:
# iptables -L
Example output for a web server (port 80 open) that also runs SSH and FTP services:
Chain INPUT (policy DROP)
target           prot opt source               destination
fail2ban-VSFTPD  tcp  --  anywhere             anywhere            tcp dpt:ftp
fail2ban-SSH     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT           all  --  anywhere             anywhere
DROP             all  --  anywhere             anywhere            state INVALID
ACCEPT           all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT           tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data
ACCEPT           tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT           tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT           tcp  --  anywhere             anywhere            state NEW tcp dpt:http

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  sr-01504.iat.sfu.ca  anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-VSFTPD (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere