Advanced Policy Firewall and Fail2ban SSH Jails
I use APF to control iptables and recently had to set up a server listening on the default SSH port, so I installed additional protection to safeguard the SSH service.
Fail2ban scans log files for failures and bans IPs that show too many password failures or other suspicious traits. Fail2Ban can update the firewall to include these IPs in a deny list.
Fail2Ban reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents: every new source address still gets maxretry guesses before it is banned. Configure services to use only two-factor or public-key authentication (for sshd, set PasswordAuthentication no) if you really want to protect them.
Fail2Ban ships with many ready-made configurations known as jails. You can view all the jails in
For use with APF I will be disabling the normal SSH-iptables jail:
[ssh-iptables]
enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=email@example.com, sender=firstname.lastname@example.org, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5
and enabling the APF variant:
[ssh-apf]
enabled  = true
filter   = sshd
action   = apf[name=SSH]
logpath  = /var/log/secure
maxretry = 5
This changes the way fail2ban bans IP addresses: the apf action calls apf -d to deny the offending IP (and apf -u to remove it again when bantime expires) rather than inserting rules directly into iptables. Because APF manages the iptables ruleset itself, letting fail2ban write to iptables behind its back would lose the bans every time APF reloads, which is why the native jail is disabled above.
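To see what the jail above actually does with /var/log/secure, here is an added Python example (not code from this post or from fail2ban itself) that replays constructed sshd log lines through a cut-down version of the sshd failregex, counts failures per IP within a time window the way fail2ban does, and returns the apf -d command the action would run once an address hits maxretry. The log lines are constructed, the regex is a simplified stand-in for fail2ban's real sshd filter, the findtime value of 600 seconds is fail2ban's default rather than anything set in the jail above, and the exact reason string the real apf action appends to the command is not reproduced.

```python
"""Replay of a fail2ban sshd jail over constructed /var/log/secure lines.

Added example, not fail2ban code: the failregex is a cut-down stand-in for
fail2ban's sshd filter and the log lines below are constructed by hand.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 5     # matches the [ssh-apf] jail
FINDTIME = 600   # seconds; fail2ban's default window (assumption, not set in the jail)

# Constructed sample of /var/log/secure (syslog timestamps carry no year).
# 203.0.113.7 fails five times in ten seconds; 198.51.100.9 also fails five
# times, but its first failure is twenty minutes before the other four.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv0 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 srv0 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 srv0 sshd[2105]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:07 srv0 sshd[2107]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:00:09 srv0 sshd[2109]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Mar  3 10:00:11 srv0 sshd[2111]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar  3 10:00:30 srv0 sshd[2113]: Failed password for root from 198.51.100.9 port 40100 ssh2
Mar  3 10:20:00 srv0 sshd[2115]: Failed password for root from 198.51.100.9 port 40101 ssh2
Mar  3 10:20:02 srv0 sshd[2117]: Failed password for root from 198.51.100.9 port 40102 ssh2
Mar  3 10:20:04 srv0 sshd[2119]: Failed password for root from 198.51.100.9 port 40103 ssh2
Mar  3 10:20:06 srv0 sshd[2121]: Failed password for root from 198.51.100.9 port 40104 ssh2
"""

# fail2ban writes <HOST> in its filters; this is the IPv4 form of that token.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified sshd failregex (assumption: the stock filter matches many more
# message shapes than these two).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from " + HOST
)


def parse_failures(log_text):
    """Return [(timestamp, ip), ...] for every line the failregex matches."""
    found = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            found.append((ts, m.group("host")))
    return found


def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: ban_command} for addresses that reach maxretry failures
    inside a sliding window of findtime seconds, as fail2ban counts them.

    The command is the apf -d call the apf action issues (the real action
    file also passes a reason string, which is left out here).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:          # already denied; later lines never reach sshd
            continue
        q = recent[ip]
        q.append(ts)
        # expire failures older than findtime relative to this one
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = f"apf -d {ip}"
    return banned


def jail_status(log_text, **kw):
    """Mimic the totals fail2ban-client 'status <jail>' reports."""
    bans = simulate_jail(log_text, **kw)
    return {"total_failed": len(parse_failures(log_text)),
            "total_banned": len(bans),
            "ip_list": sorted(bans)}


if __name__ == "__main__":
    for ip, cmd in simulate_jail(SAMPLE_LOG).items():
        print(f"would run: {cmd}")
    print(jail_status(SAMPLE_LOG))
```

Run as-is, only 203.0.113.7 is denied: 198.51.100.9 also produced five failures, but its first one falls outside the 600-second window, so it never reaches maxretry. Widen findtime (for example, simulate_jail(SAMPLE_LOG, findtime=3600)) and both addresses are banned, which is the knob to turn against slow brute-force attempts that stay under maxretry per window.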
You can check the current status of the jail with fail2ban-client:
[root@srv0 ~]# fail2ban-client -i
Fail2Ban v0.8.14 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
fail2ban> status ssh-apf
Status for the jail: ssh-apf
|- filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 0
|  `- Total failed:     83187
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     1045
Banning all the chinabotz!
You can look up the full list of fail2ban-client commands here: http://www.fail2ban.org/wiki/index.php/Commands