Fail2ban is a service that monitors logfiles to detect potential intrusion attempts and places bans using a variety of methods. In Fedora 20, the default firewall service FirewallD can be used as a ban action.
Setup
First, install Fail2ban and the packages required to use FirewallD (this tutorial requires Fail2ban 0.9.0 or higher):
sudo yum install fail2ban ipset
If you wish to have Fail2ban send mail notifications, install these packages as well (sendmail can be used instead of postfix):
sudo yum install postfix whois
If you did not already have postfix (or sendmail) set up, you must enable the service:
sudo systemctl enable postfix
sudo systemctl start postfix
Configuration
Fail2ban is configured by the file /etc/fail2ban/jail.conf, but you should not modify this file directly. Instead, create a local configuration file at /etc/fail2ban/jail.local. Here is an example jail.local that will send an email to root when IPs are banned:
[DEFAULT]
bantime = 3600
banaction = firewallcmd-ipset
backend = systemd
sender = fail2ban@example.com
destemail = root
action = %(action_mwl)s

[sshd]
enabled = true
bantime
Default time in seconds to ban the possible intruder. Common values are 3600 (1 hour) or 86400 (1 day).
banaction
Configures Fail2ban to use FirewallD as the default ban action.
backend
Configures Fail2ban to read log entries from the systemd journal instead of log files. If you are not using systemd for logging, you can leave out this option.
sender
Default "sender" email address when sending mail notifications of Fail2ban actions.
destemail
Destination email address for mail notifications.
action
Action to take when a possible intruder is detected. Default is %(action_)s which will only ban the IP. With %(action_mwl)s it will ban the IP and send a mail notification including whois data and log entries. See comments in /etc/fail2ban/jail.conf for more information.
Jails
By enabling the sshd jail, fail2ban will monitor ssh connection attempts for IPs to ban. There are many other jails you can enable as well, such as apache-auth to monitor the HTTPD error log for authentication failures, and jails for authentication to various FTP, IMAP, SMTP and database servers. See /etc/fail2ban/jail.conf for a full list of defined jails, or define your own.
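To see how jail.local layers over jail.conf and how %(action_mwl)s is expanded, the following added example (not part of the original tutorial and not Fail2ban's own loader) merges the two files with Python's standard configparser. The JAIL_CONF text is a constructed, heavily trimmed stand-in for the shipped file, and the function name effective_jails is hypothetical.

```python
import configparser

# Constructed, heavily trimmed stand-in for the shipped /etc/fail2ban/jail.conf.
JAIL_CONF = """
[DEFAULT]
bantime = 600
banaction = iptables-multiport
backend = auto
sender = root@localhost
destemail = root@localhost
action_ = %(banaction)s
action_mwl = %(banaction)s
    sendmail-whois-lines[dest=%(destemail)s, sender=%(sender)s]
action = %(action_)s

[sshd]
enabled = false
"""

# The jail.local from this tutorial.
JAIL_LOCAL = """
[DEFAULT]
bantime = 3600
banaction = firewallcmd-ipset
backend = systemd
sender = fail2ban@example.com
destemail = root
action = %(action_mwl)s

[sshd]
enabled = true
"""

def effective_jails(*layers):
    """Merge config layers in order (later wins); return settings of enabled jails."""
    cp = configparser.ConfigParser()  # default BasicInterpolation expands %(name)s
    for text in layers:
        cp.read_string(text)
    jails = {}
    for name in cp.sections():
        if cp.getboolean(name, "enabled", fallback=False):
            jails[name] = {
                "bantime": cp.getint(name, "bantime"),
                "banaction": cp.get(name, "banaction"),
                "backend": cp.get(name, "backend"),
                "actions": cp.get(name, "action").splitlines(),
            }
    return jails

if __name__ == "__main__":
    for name, settings in effective_jails(JAIL_CONF, JAIL_LOCAL).items():
        print(name, settings)
```

Interpolation happens when a value is read, so the banaction set in jail.local is the one that ends up inside the expanded action. On a real system, fail2ban-client -d dumps the configuration as Fail2ban itself resolves it.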
Running the service
Once configured, start the service:
sudo systemctl start fail2ban
And enable it to run on system startup:
sudo systemctl enable fail2ban
Check the status:
systemctl status fail2ban
Check the log file:
sudo tail /var/log/fail2ban.log