Configure fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box Fail2Ban ships with filters for various services (apache, courier, ssh, etc.).

Fail2Ban reduces the rate at which an attacker can make incorrect authentication attempts; it cannot eliminate the risk that weak authentication presents, and an attacker with many source addresses stays under the per-IP threshold. Configure services to use only two-factor or public/private key authentication if you really want to protect them.

Install

apt install fail2ban

Enable

Enable if not enabled during install:

systemctl enable --now fail2ban

Configurations

Fail2ban reads each .conf file and then the matching .local file, with .local values taking precedence, so put all overrides in .local files; the shipped .conf files are replaced on package upgrades.

DROP instead of REJECT

By default the iptables actions answer a banned host with REJECT (an ICMP port-unreachable), which confirms to the source that a filter is in place; DROP silently discards the packets instead. Modify action.d/iptables-common.local:

nano /etc/fail2ban/action.d/iptables-common.local

Append:

[Init]
blocktype = DROP

This only affects jails whose banaction is one of the iptables actions; the nftables action has its own blocktype setting in action.d/nftables.conf. Newer fail2ban releases define the iptables actions in action.d/iptables.conf, so check which file carries the blocktype default on your version (grep -r blocktype /etc/fail2ban/action.d) and name the .local override after that file.

Reduce log verbosity

Valid levels, from least to most verbose, are CRITICAL, ERROR, WARNING, NOTICE, INFO and DEBUG. The shipped fail2ban.conf already sets INFO, which logs every matched line ("Found <ip>"); NOTICE keeps the Ban and Unban messages, which are what you want to see in the log and to alert on, and drops the per-match lines. Modify fail2ban.local:

nano /etc/fail2ban/fail2ban.local

Append:

[Definition]
# INFO is the shipped default; NOTICE still logs bans and unbans
# but drops the per-match "Found <ip>" lines.
loglevel = NOTICE

Increase times

The jail rule is: a host that produces maxretry filter matches within findtime is banned for bantime. The values below are the upstream defaults written out explicitly so they are easy to change in one place; to actually ban longer, raise bantime (for example to 1h or 1d), and to catch slow attackers that spread attempts out, raise findtime. Since fail2ban 0.11, bantime.increment = true in [DEFAULT] makes the ban grow for repeat offenders. Modify jail.local:

nano /etc/fail2ban/jail.local

Append:

[DEFAULT]
# how long a host stays banned (10m is the shipped default)
bantime  = 10m
# window in which the failures must occur (10m is the shipped default)
findtime  = 10m
# failures within findtime that trigger a ban (5 is the shipped default)
maxretry = 5

Check the effective values of a running jail with fail2ban-client get sshd bantime (likewise findtime and maxretry).
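To see what the three settings mean in practice, here is an added example (not part of the original page and not fail2ban's own code) that applies the maxretry/findtime/bantime rule to a few constructed sshd log lines. The regex is a deliberately simplified stand-in for filter.d/sshd.conf (the real filter has many more patterns), the year and the TEST-NET addresses are assumptions, and treating a banned host's further lines as dropped by the firewall is a simplification. It shows why the 10m defaults ban a fast brute-forcer on the fifth failure but never ban an attacker that tries once every three minutes, and how a longer findtime changes that.

```python
"""Simulate fail2ban's maxretry/findtime/bantime jail rule over sample log lines."""
import re
from datetime import datetime

# Simplified stand-in for filter.d/sshd.conf (assumption: only password failures).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Duration suffixes accepted in jail.local (10m, 1h, 1d, ...); plain numbers are seconds.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample: a fast brute-forcer (203.0.113.7), a legitimate key login
# (192.0.2.10) and a slow attacker trying every three minutes (198.51.100.9).
SAMPLE_LOG = """\
Jan 15 10:00:00 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Jan 15 10:00:20 host sshd[1002]: Failed password for root from 203.0.113.7 port 50002 ssh2
Jan 15 10:00:40 host sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2
Jan 15 10:01:00 host sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 50004 ssh2
Jan 15 10:01:05 host sshd[1005]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Jan 15 10:01:20 host sshd[1006]: Failed password for root from 203.0.113.7 port 50005 ssh2
Jan 15 10:01:40 host sshd[1007]: Failed password for root from 203.0.113.7 port 50006 ssh2
Jan 15 10:03:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 51001 ssh2
Jan 15 10:06:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 51002 ssh2
Jan 15 10:09:00 host sshd[1010]: Failed password for root from 198.51.100.9 port 51003 ssh2
Jan 15 10:12:00 host sshd[1011]: Failed password for root from 198.51.100.9 port 51004 ssh2
Jan 15 10:15:00 host sshd[1012]: Failed password for root from 198.51.100.9 port 51005 ssh2
Jan 15 10:18:00 host sshd[1013]: Failed password for root from 198.51.100.9 port 51006 ssh2
"""


def parse_duration(value):
    """Convert a jail.local style duration ('10m', '1h', '600') to seconds."""
    value = str(value).strip().lower()
    if value.isdigit():
        return int(value)
    number, unit = value[:-1], value[-1]
    if unit not in UNITS or not number.isdigit():
        raise ValueError(f"unsupported duration: {value!r}")
    return int(number) * UNITS[unit]


def parse_line(line, year=2024):
    """Return (seconds since start of year, host) for a failure line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; the year is an assumption for the sample
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return (stamp - datetime(year, 1, 1)).total_seconds(), m.group("host")


def simulate(lines, maxretry=5, findtime="10m", bantime="10m"):
    """Ban a host after maxretry matches within findtime, for bantime seconds.

    Returns a list of (timestamp text, host) ban events in log order.
    """
    findtime, bantime = parse_duration(findtime), parse_duration(bantime)
    recent = {}   # host -> timestamps of failures still inside the findtime window
    banned = {}   # host -> time at which the current ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # no failregex match: line is ignored
        now, host = parsed
        if host in banned:
            if banned[host] > now:
                continue                  # simplification: firewall drops it while banned
            del banned[host]              # bantime elapsed, host is unbanned
        hits = [t for t in recent.get(host, []) if now - t <= findtime]
        hits.append(now)                  # sliding window: old failures fall out
        recent[host] = hits
        if len(hits) >= maxretry:
            banned[host] = now + bantime
            bans.append((line[:15], host))
            recent[host] = []             # counter restarts after the ban
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("defaults (5 in 10m):", simulate(lines))
    print("findtime = 1h       :", simulate(lines, findtime="1h"))
```

With the defaults only 203.0.113.7 is banned (at 10:01:20, its fifth failure); 198.51.100.9 never has five failures inside any ten-minute window. With findtime = 1h the slow attacker is banned at 10:15:00 as well. Raising bantime does not change who gets caught, only how long they stay out.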

Enable sshd

On Debian and Ubuntu the package already enables the sshd jail through jail.d/defaults-debian.conf; on other systems, or to be explicit, modify jail.d/sshd.conf:

nano /etc/fail2ban/jail.d/sshd.conf

[sshd]
enabled=true

After changing any configuration, check it with fail2ban-client -t, apply it with fail2ban-client reload, and confirm the jail is running and see its banned addresses with fail2ban-client status sshd. If sshd logs to a file rather than only to the journal, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf shows how many lines the filter actually matches.