Fail2Ban


On my home test server at www.dmpnet.org, I was occasionally having times when someone would hit it hard with a brute force attack on the ssh, ftp or pop3 services. I have my box locked down pretty hard and in a DMZ, but thought I needed to do a bit more. I did a bit of research and came across Fail2ban. Fail2ban is a tool which monitors your logs for whatever types of activity you specify. In my case, after five failed attempts to log into the ftp server, the offending IP address is banned from further access using iptables. You can also configure it to use TCP Wrappers instead.
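The rule just described (count failed logins per source IP, ban once the count reaches five within a time window) is simple enough to sketch. The following is an added illustration written for this post, not Fail2ban's own code; the jail settings, the vsftpd-style log format and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical jail settings mirroring the post: ban after five failures
# that all fall inside a ten-minute window (Fail2ban's maxretry/findtime).
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)

# Matches vsftpd-style failed-login lines; other services need their own regex.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) .*'
    r'FAIL LOGIN: Client "(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"')

# Constructed sample log (not real traffic): one host fails five times in
# ten seconds, another fails five times but spread across two hours.
SAMPLE_LOG = """\
Tue Mar 10 13:00:01 2009 [pid 1001] [ftp] FAIL LOGIN: Client "198.51.100.9"
Tue Mar 10 13:00:02 2009 [pid 1002] [ftp] FAIL LOGIN: Client "198.51.100.9"
Tue Mar 10 13:00:03 2009 [pid 1003] [ftp] FAIL LOGIN: Client "198.51.100.9"
Tue Mar 10 14:55:01 2009 [pid 2001] [ftp] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 10 14:55:03 2009 [pid 2002] [ftp] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 10 14:55:05 2009 [pid 2003] [ftp] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 10 14:55:06 2009 [pid 2004] [admin] OK LOGIN: Client "198.51.100.2"
Tue Mar 10 14:55:07 2009 [pid 2005] [ftp] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 10 14:55:09 2009 [pid 2006] [ftp] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 10 14:59:01 2009 [pid 2007] [ftp] FAIL LOGIN: Client "198.51.100.9"
Tue Mar 10 14:59:02 2009 [pid 2008] [ftp] FAIL LOGIN: Client "198.51.100.9"
"""

def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: ban_time} for IPs reaching maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m.group("ip") in bans:
            continue                 # not a failure line, or already banned
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        window = recent[m.group("ip")]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()         # expire failures older than findtime
        if len(window) >= maxretry:
            bans[m.group("ip")] = ts  # here Fail2ban would run its iptables action
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))  # only the fast-failing host gets banned
```

Note that the slow host never reaches five failures inside the window, which is exactly the trade-off findtime controls: a shorter window is quieter but lets patient attackers through.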

There are other similar programmes out there and in fact, I had tried Denyhosts at one point. However, Denyhosts is optimised for ssh and I didn't find it straightforward to adapt to other types of services.

The cool thing about this is that it is extremely flexible, yet it is very easily configurable. It took me less than 60 minutes to customise it, and if I can do it in that amount of time, then for most real techies it will probably take a fraction of that. You can configure all sorts of email alerts, so it sends you a notice saying that an IP address was banned. I think it also has a console window for monitoring, but I haven't tried that yet... nor do I really need to, as my setup is really simple.

If you don't want to compile it yourself, there are packages for all the major distros including Ubuntu, Fedora and OpenSUSE.

I have manually tested it and it works... so I'll just have to see how it performs in the real thing.

Comments


First Ban

I had my first ban about 15:00 tonight with someone slamming my FTP server. Worked perfectly.