Fail2Ban
Scans log files and check for in appropriate password activities and update and uses firewall (IPTables) to restrict (stop for a period of time) these activities. So fail2ban limits incorrect authorisation attempts, thereby reducing, but not entirely eliminating associated risks and bandwidths. It is primarily used on port and associated services open to the public. DigitalOcean How To Protect an Apache Server with Fail2Ban on Ubuntu 14.04 and How Fail2Ban Works to Protect Services on a Linux Server. Also see the wiki of Fail2Ban on nftables and Fail2ban Add support for nftables #1118 and Add nftables actions #1292.
sudo apt install fail2banto install fail2bansudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localcopy the main configuration file to a local file to be modified. It is recommended not to change the main file as it is updated with the package.sudo vim /etc/fail2ban/jail.localand adjust the following basic settings:ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24bantime = 60mfindtime = 60mmaxretry = 4
- then adjust each jail to be activated:
[postfix] # To use another modes set filter parameter "mode" in jail.local: enable = true mode = more bantime = 12h port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s[postfix-sasl] enabled = true bantime = 12h filter = postfix[mode=auth] port = smtp,465,submission,imap,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = %(postfix_log)s backend = %(postfix_backend)s
sudo systemctl restart fail2bansudo systemctl restart fail2banorjournalctl -u fail2ban -xeto check fail2ban start correctlysudo iptables -Sto check iptable