Fail2Ban - An intrusion prevention software

Concept :

fail2ban is a daemon that watches the log files of some configured services (sshd, httpd, VSFtpd, ...). Thanks to a set of filters, it can detect malicious activity and take some restrictive action (usually banning an IP temporarily).

Setup :

  1. Install fail2ban with your favorite package manager. This creates :
    • /etc/fail2ban/filter.d/ : directory containing the log parsing rules / filters
    • /etc/fail2ban/action.d : directory containing the actions that can be taken once a malicious activity has been detected
    • /etc/fail2ban/jail.conf : configuration of the services being monitored, called jails.
    • /etc/fail2ban/fail2ban.conf : daemon settings (log file, verbosity, socket)
    • /var/log/fail2ban.log : logs
  2. To configure fail2ban, start with : touch /etc/fail2ban/jail.local
  3. Then edit it :
    • You can override any parameter from /etc/fail2ban/jail.conf
    • To disable a jail, don't comment it out; set enabled = false instead
    • See jail options
    # Comment lines start with '#'; inline comments must use ';' preceded by a space,
    # otherwise the comment text becomes part of the value.
    [DEFAULT]
    ignoreip	= 127.0.0.1 12.34.56.78	; trusted IP addresses, never banned
    bantime		= 86400				; in seconds. '-1' means 'forever'
    destemail	= you@provider.com
    banaction	= iptables-multiport
    action		= %(action_mwl)s
    
    # JAILS
    [ssh]
    enabled		= true
    maxretry	= 3				; number of matches to trigger a ban
    port		= customPortNumber		; if different from default (22)
    findtime	= 60				; The match counter is reset if no match is found within "findtime" seconds.
    
    [pam-generic]
    enabled		= true
    banaction	= iptables-allports
    
    [ssh-ddos]
    enabled		= true
    
    [apache]
    enabled		= true
    
    [apache-noscript]
    enabled		= true
    port		= http,https
    banaction	= iptables-multiport
    action		= %(action_mwl)s
    
    [apache-overflows]
    enabled		= true
    
    [apache-badbots]
    enabled		= true
    port		= http,https
    filter		= apache-badbots
    banaction	= iptables-allports
    action		= %(action_mwl)s
    logpath		= /var/log/apache*/*access.log
    maxretry	= 1
    
    [apache-nohome]
    enabled		= true
    port		= http,https
    filter		= apache-nohome
    banaction	= iptables-multiport
    action		= %(action_mwl)s
    logpath		= /var/log/apache*/*access.log
    maxretry	= 1
    
    [php-url-fopen]
    enabled		= true
    port		= http,https
    filter		= php-url-fopen
    logpath		= /var/log/apache*/*access.log
    maxretry	= 1
    
    [exim]
    enabled		= true
    filter		= exim
    port		= smtp,ssmtp
    logpath		= /var/log/exim*/rejectlog
    maxretry	= 1
  4. When you're satisfied with your configuration :
    • fail2ban-client start
    • or service fail2ban reload
    • or any systemd-compliant way of doing this
    fail2ban-client handles starting and stopping fail2ban-server, so it's better not to start the server yourself.
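To make the maxretry / findtime / ignoreip semantics of the jail above concrete, and to show what fail2ban-regex does when it runs a filter over a log file, here is an added example that is not part of this page nor of the fail2ban project: a small Python simulation of the ban decision. The regular expression is a reduced pattern written for this example, not the one shipped in /etc/fail2ban/filter.d/sshd.conf, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified sshd failregex (assumption: reduced pattern for illustration only,
# not fail2ban's own filter). It captures the source address as <host>.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Constructed syslog-style auth.log lines (year is not logged; 2023 assumed).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 52341 ssh2
Mar  3 10:00:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 52342 ssh2
Mar  3 10:00:09 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:12 host sshd[1237]: Failed password for root from 203.0.113.5 port 52343 ssh2
Mar  3 10:00:30 host sshd[1238]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar  3 10:02:00 host sshd[1239]: Failed password for root from 198.51.100.9 port 41001 ssh2
Mar  3 10:04:00 host sshd[1240]: Failed password for root from 198.51.100.9 port 41002 ssh2
"""


def parse_ts(line, year=2023):
    """Turn the leading 'Mar  3 10:00:01' syslog timestamp into epoch seconds."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").timestamp()


def find_bans(log_text, maxretry=3, findtime=60, ignoreip=("127.0.0.1",)):
    """Return {ip: epoch_of_ban} for hosts with >= maxretry matches inside findtime seconds.

    Mirrors the jail logic: each failregex match is a 'failure'; only failures
    newer than findtime are counted; hosts in ignoreip are never banned."""
    recent = defaultdict(deque)  # ip -> timestamps of matches still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # fail2ban-regex would report this line as "missed"
        ip = m.group("host")
        if ip in ignoreip or ip in bans:
            continue
        now = parse_ts(line)
        window = recent[ip]
        window.append(now)
        while window and now - window[0] > findtime:
            window.popleft()  # matches older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = now
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {datetime.fromtimestamp(when):%H:%M:%S}")
```

With the defaults above only 203.0.113.5 is banned (three failures in 11 seconds); 198.51.100.9 spaces its attempts more than findtime apart and is never banned unless findtime is raised, which is exactly the trade-off those two settings encode.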

Further commands :

Reload configuration :
    fail2ban-client reload
List active jails :
    fail2ban-client status
Status of a specific jail :
    fail2ban-client status ssh
  which may output :
    Status for the jail: ssh
    |- filter
    |  |- File list:	/var/log/auth.log
    |  |- Currently failed:	0
    |  `- Total failed:	6
    `- action
       |- Currently banned:	0
       |  `- IP list:
       `- Total banned:	1
Reset a specific jail (unban everybody) :
    fail2ban-client reload ssh
List current NetFilter rules. They are dynamically added, and removed at restart / reload of fail2ban. Ban rules start with DROP :
    iptables -L
Check regex results (test a filter against a log file and see which lines it matches) :
    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Unban a specific IP address (replace the chain name and IP with the ones shown by iptables -L) :
    iptables -D fail2ban-chainName -s IP -j DROP
  • After system or fail2ban restart, all ban firewall rules will be cleared.
  • As it works by watching logs, fail2ban may consume a lot of CPU if the logs it monitors grow very large.