So, I was figuring, because of all the brute force attacks on my servers, that I would bother to install fail2ban. Something even better than this would be to change the port your SSH runs on.
Step 1. Install Fail2ban
Ubuntu and Debian Systems
apt-get install fail2ban
Redhat, Fedora and CentOS based Systems
yum install fail2ban
Step 2. Copy the reference config file and edit it in vi (or nano)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
Step 3. Configure bantime (default 600 seconds) and maxretry (3 attempts).
# "bantime" is the number of seconds that a host is banned.
bantime = 600
maxretry = 3
By default fail2ban starts banning people on SSH immediately, but I found it was also possible to configure fail2ban to block IP addresses attempting to brute force hack my email accounts. Here is how I did it.
[sasl]
# The jail stays inactive while this is false; it must be true to ban anything.
enabled = true
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
It’s possible to alter this configuration, but for most people the logpath for SSH is auth.log.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Step 4. Restart the Fail2ban service
# most init.d based systems
/etc/init.d/fail2ban restart
# some systemd systems
service fail2ban restart
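To see what the maxretry and bantime values from Step 3 and the [ssh] jail mean in practice, here is an added example (not part of the original post and not fail2ban's own code) that replays a simplified model of the counting over constructed auth.log lines. It assumes fail2ban's findtime setting, which the post does not show, is 600 seconds; the regex is a hypothetical stand-in for the sshd filter.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth.log lines (documentation-range IPs), not real logs.
SAMPLE_LOG = """\
Jan 10 03:14:00 host sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 10 03:14:10 host sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 10 03:14:20 host sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 10 03:14:30 host sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 10 03:14:40 host sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 10 03:14:50 host sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 10 03:15:02 host sshd[840]: Accepted password for alice from 192.0.2.10 port 5100 ssh2
Jan 10 03:20:00 host sshd[902]: Failed password for invalid user admin from 198.51.100.9 port 6001 ssh2
Jan 10 03:20:05 host sshd[902]: Failed password for invalid user admin from 198.51.100.9 port 6001 ssh2
Jan 10 03:20:10 host sshd[902]: Failed password for invalid user admin from 198.51.100.9 port 6001 ssh2
"""

# Simplified stand-in for the sshd filter: timestamp and source IP of a failed login.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(log_text, maxretry=6, findtime=600, bantime=600, year=2024):
    """Return [(ip, ban_start, ban_end)] for a simplified maxretry/bantime model."""
    failures = {}      # ip -> timestamps of failures still inside findtime
    banned_until = {}  # ip -> datetime at which the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so one is assumed for parsing
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue  # host is already banned at this point
        recent = [t for t in failures.get(ip, [])
                  if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        if len(recent) >= maxretry:  # ban once the count reaches maxretry
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            recent = []
        failures[ip] = recent
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

With the [ssh] jail's maxretry = 6 only the first host is banned; calling simulate(SAMPLE_LOG, maxretry=3) bans both.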