Stopping Brute Force SSH Attacks with fail2ban

Feb 10, 2006

I noticed a lot of network and forking activity while using my computer last week, thanks to GKrellM. I checked around and noticed a constant series of hits in my auth.log from someone trying common names to log in via SSH. I blocked the offender, but from looking through the log, this happened quite often and, though I have very strong passwords, it was very annoying to see all that crap in the logs. I searched around and found a daemon called fail2ban that simply watches the logs and blocks hosts that have more than a specified number of failed login attempts. It’s in the Debian repositories, so just apt-get install fail2ban and then configure it in /etc/fail2ban.conf.
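The log-watching idea described above, as an added Python sketch (not fail2ban's own code and not from the original post): it counts sshd "Failed password" lines per source address inside a sliding window and reports the hosts that cross the threshold. The log lines are constructed samples, and the names hosts_to_ban, maxretry and findtime and their values are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Greedy user field plus end anchor: the address is read from the end of the
# line, so text placed in the username cannot supply a different address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?\s*$"
)

# Constructed sample lines (documentation address ranges), not from a real log.
SAMPLE = """\
Feb  6 03:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb  6 03:12:03 host sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Feb  6 03:12:04 host sshd[2107]: Accepted password for alice from 198.51.100.9 port 51515 ssh2
Feb  6 03:12:06 host sshd[2110]: Failed password for root from 203.0.113.7 port 40131 ssh2
Feb  6 03:40:00 host sshd[2290]: Failed password for alice from 198.51.100.9 port 51601 ssh2
Feb  6 09:15:00 host sshd[3012]: Failed password for alice from 198.51.100.9 port 51777 ssh2
"""

def hosts_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10), year=2006):
    """Return {ip: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in banned:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        # drop failures that have aged out of the window
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = when
    return banned

if __name__ == "__main__":
    for ip, when in hosts_to_ban(SAMPLE.splitlines(), maxretry=3).items():
        print(f"{when:%b %d %H:%M:%S} would block {ip}")
```

The two failures from 198.51.100.9 are hours apart and never reach the threshold, which is the case a window protects: a legitimate user who mistypes a password now and then is not locked out.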

I also saw some cool tips on the CLUG Wiki.