====== basic fail2ban setup ======

To install fail2ban type

<code>
apt-get install fail2ban
</code>

Fail2Ban should be correctly installed now. Just type:

<code>
fail2ban-client -h
</code>

to see if everything is all right. You should always use ''fail2ban-client'' and never call ''fail2ban-server'' directly.

===== fail2ban for postfix/ssh =====

Now edit ''jail.conf'', which contains the declaration of your jails. Set ''enabled = true'' in the sections ''[sshd]'', ''[postfix]'', and ''[sasl]''. Finally reload the rules with

<code>
fail2ban-client reload
</code>

===== fail2ban for Nginx =====

Scans looking for known-vulnerable scripts are quite frequent. My nginx ''error.log'' file is full of lines like these (IP obfuscated):

<code>
2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/admin/images/rn_logo.gif" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /admin/images/rn_logo.gif HTTP/1.1", host: "XYZ"
2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/vncviewer.jar" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /vncviewer.jar HTTP/1.1", host: "XYZ"
2014/05/28 21:59:01 [error] 17393#0: *111 "/var/www/mailing/www/Q_Evasive/index.php" is not found (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /Q_Evasive/ HTTP/1.1", host: "XYZ"
2014/05/28 21:59:01 [error] 17393#0: *109 open() "/var/www/mailing/www/formmail.html" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /formmail.html HTTP/1.0", host: "XYZ"
</code>

Create the new filter ''/etc/fail2ban/filter.d/nginx-scan.conf'' (the ''<HOST>'' placeholder is what fail2ban replaces with its IP-matching pattern; the filter does nothing useful without it):

<code>
# Fail2Ban configuration file for nginx
# Author: Emanuele Goldoni
# $Revision: 1 $

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch a generic call from an IP address.
# Values:  TEXT
#
failregex = ^.*failed.*client\:\ <HOST>\,.*"(GET|POST|HEAD).*HTTP.*"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
</code>

You can test the newly created rules with

<code>
fail2ban-regex /var/log/nginx/*-error.log /etc/fail2ban/filter.d/nginx-scan.conf
</code>

In our ''jail.local'', we have (at the end of the file):

<code>
[nginx-scan]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled  = true
port     = http
filter   = nginx-scan
logpath  = /var/log/nginx/*-error.log
findtime = 60
bantime  = 172800
maxretry = 240
</code>

Remember to reload the rules with

<code>
fail2ban-client reload
</code>

More advanced filters for Nginx are available at [1].

[1] [[http://serverfault.com/questions/420895/how-to-use-fail2ban-for-nginx]]
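Before enabling the jail it is worth checking, offline, which of the sample lines the ''failregex'' actually catches and whether the ''findtime''/''maxretry'' pair would ever trigger on them. The Python below is an added example, not part of this page and not fail2ban's own code: it expands ''<HOST>'' with the pattern fail2ban uses by default (taken here as an assumption about fail2ban's defaults), runs the filter over constructed copies of the four log lines above, and applies a simplified sliding window in place of fail2ban's real ban logic. One thing it makes visible: the third line ("is not found") never matches, because the regex requires the word "failed".

```python
import re
from datetime import datetime

# Constructed sample: the four nginx error.log lines from the page (IP obfuscated).
SAMPLE_LOG = """\
2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/admin/images/rn_logo.gif" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /admin/images/rn_logo.gif HTTP/1.1", host: "XYZ"
2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/vncviewer.jar" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /vncviewer.jar HTTP/1.1", host: "XYZ"
2014/05/28 21:59:01 [error] 17393#0: *111 "/var/www/mailing/www/Q_Evasive/index.php" is not found (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /Q_Evasive/ HTTP/1.1", host: "XYZ"
2014/05/28 21:59:01 [error] 17393#0: *109 open() "/var/www/mailing/www/formmail.html" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /formmail.html HTTP/1.0", host: "XYZ"
"""

# The failregex from nginx-scan.conf, verbatim.
FAILREGEX = r'^.*failed.*client\:\ <HOST>\,.*"(GET|POST|HEAD).*HTTP.*"$'

# Assumption: this is fail2ban's default expansion of <HOST> (IPv4, IPv6 and
# hostnames, optionally IPv4-mapped IPv6). Only the named group matters here.
HOST_PATTERN = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def offenders(log_text: str, failregex: str = FAILREGEX) -> list:
    """Return (host, timestamp) for every line the filter matches.

    This is roughly what `fail2ban-regex` reports as matched lines.
    The timestamp is the nginx error.log prefix 'YYYY/MM/DD HH:MM:SS'.
    """
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            ts = datetime.strptime(line[:19], '%Y/%m/%d %H:%M:%S')
            hits.append((m.group('host'), ts))
    return hits


def hosts_to_ban(hits: list, findtime: int = 60, maxretry: int = 240) -> set:
    """Simplified model of the jail's window: a host is banned once it has
    at least `maxretry` matches inside any `findtime`-second window.
    fail2ban's own bookkeeping differs in detail; this is only a sanity check
    of the numbers in jail.local.
    """
    by_host = {}
    for host, ts in hits:
        by_host.setdefault(host, []).append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if (t - start).total_seconds() <= findtime]
            if len(in_window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == '__main__':
    hits = offenders(SAMPLE_LOG)
    print(f'{len(hits)} of 4 sample lines match the failregex')
    for host, ts in hits:
        print(f'  {ts}  {host}')
    print('banned with findtime=60, maxretry=240:', hosts_to_ban(hits) or 'nobody')
    print('banned with findtime=60, maxretry=3:  ', hosts_to_ban(hits, maxretry=3))
```

With the page's settings (240 hits in 60 seconds) four log lines from one scanner never trigger a ban, which is the intended behaviour: the jail is tuned for bulk scanning, not for a handful of 404s. Lowering ''maxretry'' in the model shows the same host being banned, so the script is a cheap way to try thresholds against a real ''error.log'' before touching ''jail.local''.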