Fail2ban is a nice little script that blocks brute-force attempts to break into a system by monitoring
Firstly, you'll be using a package from Slackware - if this scares you, the rest of this is probably not for you. Once I work out how to package things, I'll see if I can compile a package for VectorLinux and support it - the version there is one less than the latest anyway.
1) get the Slackware fail2ban package
2) install it with installpkg <nameofpackage>
3) since Vector doesn't use /var/log/auth.log (which fail2ban assumes) you'll need to tell fail2ban where to look - the best way to do that is to create a jail.local file at /etc/fail2ban/jail.local - this or the client are the best ways to adjust your settings.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/messages
maxretry = 3
action = iptables-allports
bantime = 604800
You'll of course want to make some changes - you'd likely want to change ignoreip to reflect IP addresses that are definitely yours.
The last part, though, is the important part - I've used the filter 'sshd' (filters are in /etc/fail2ban/filters.d) and the action 'iptables-allports' - the first is a set of regular expressions meant to spot ssh attacks, and the second blocks ALL ports to attacking systems - as far as they are concerned you are 'down'. Bantime I've set for a week - it's in seconds. And of course logpath - which is where your log file is.
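To show what the ignoreip, maxretry, bantime and logpath settings above actually do to log lines, here is an added example (written for this page; it is not code from the original post and not fail2ban's own implementation). It re-implements the ban decision of the [ssh] jail in plain Python: a simplified stand-in for the sshd filter's failed-password regex, a findtime window (fail2ban's default of 600 seconds, which the jail above does not override), ignoreip matching, and the week-long bantime. The log lines are constructed samples in /var/log/messages syslog format, and the year used to parse their timestamps is an assumption, since syslog lines carry none.

```python
"""Minimal model of fail2ban's ban decision for the [ssh] jail above.
Added example for this page, not fail2ban's own code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Settings copied from the jail.local above; findtime is fail2ban's default.
IGNOREIP = ["127.0.0.1", "192.168.0.99"]
MAXRETRY = 3
FINDTIME = 600        # seconds in which MAXRETRY failures must occur
BANTIME = 604800      # one week, in seconds, as in the [ssh] jail

# Simplified stand-in for the 'sshd' filter (assumption: the real filter
# carries many more failregex patterns than this one).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2024       # assumption: syslog timestamps have no year

# Constructed sample of /var/log/messages: one host that hammers the box,
# one that fails slowly, one whitelisted host, and one successful login.
SAMPLE_LOG = [
    "Jan 15 10:00:01 vector sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 15 10:00:07 vector sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "Jan 15 10:00:15 vector sshd[1205]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "Jan 15 10:01:00 vector sshd[1210]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "Jan 15 10:01:30 vector sshd[1211]: Failed password for bob from 198.51.100.9 port 40002 ssh2",
    "Jan 15 10:02:00 vector sshd[1220]: Accepted publickey for bob from 198.51.100.9 port 40003 ssh2",
    "Jan 15 10:20:00 vector sshd[1230]: Failed password for bob from 198.51.100.9 port 40010 ssh2",
    "Jan 15 10:21:00 vector sshd[1240]: Failed password for root from 192.168.0.99 port 33001 ssh2",
    "Jan 15 10:21:05 vector sshd[1241]: Failed password for root from 192.168.0.99 port 33002 ssh2",
    "Jan 15 10:21:09 vector sshd[1242]: Failed password for root from 192.168.0.99 port 33003 ssh2",
    "Jan 15 10:21:12 vector sshd[1243]: Failed password for root from 192.168.0.99 port 33004 ssh2",
]


def parse_ts(ts):
    """Turn a syslog timestamp like 'Jan 15 10:00:01' into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip falls inside any ignoreip entry (plain address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: (ban_start, ban_end)} for each source that reached
    maxretry failures inside a findtime window. ignoreip sources never ban."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue               # not a failure line: ignored by the filter
        ip = m.group("ip")
        if ip in bans or is_ignored(ip):
            continue
        t = parse_ts(m.group("ts"))
        # keep only failures that fall inside the findtime window ending at t
        window = [x for x in failures[ip] if (t - x).total_seconds() <= findtime]
        window.append(t)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (t, t + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start} until {end}")
```

Running it bans only 203.0.113.5: 198.51.100.9 never has three failures inside 600 seconds, and 192.168.0.99 is skipped because it is listed in ignoreip. With the jail's action, a ban would be an iptables rule dropping all ports for that source; here the decision is just returned so it can be inspected.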
Once this is done, start fail2ban with fail2ban-client start (or, if it's already up, fail2ban-client reload), then fail2ban-client start ssh. There are other options of course - once it's started you can add regexes via the client, and do most other admin things. You can also use it for other programmes in a similar way.