Fail2ban succeeds
News, Technical · Friday May 10, 2013 @ 18:40 EDT
Fail2ban is a utility written in Python that scans log files and, when it sees more than a configured number of authentication (or other) failures from the same host within a given time window, bans that host for a specified time.
Fail2ban comes with a number of filters (files defining the regular expressions to match in a log file, including how to extract the offending host's IP address or host name) and actions (such as sending an email notification or adding a ban via iptables). It works pretty well out of the box; I just had to point it at my log files and configure it to ban attempts in the Postfix (mail) and SSH logs. It is set to email me when it adds bans (status can also be checked from the command line with fail2ban-client status, optionally followed by a jail name).
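To make the jail mechanism concrete, here is an added example; it is not fail2ban's own code and not the author's configuration. It re-implements the core loop in a few dozen lines of Python: a jail.local-style fragment (the option names enabled, logpath, maxretry, findtime and bantime are fail2ban's real ones; the values are made up) drives simplified failregex patterns over constructed sshd and Postfix SASL log lines, counting failures per host inside the findtime window and banning a host for bantime once it reaches maxretry. The host pattern matches IPv4 addresses only and the regexes are modelled on, not copied from, the shipped filters; both are assumptions for the example.

```python
"""Added example: a minimal fail2ban-style jail loop (not fail2ban's own code)."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment in fail2ban's INI layout.  Option names are
# real fail2ban options; the values are assumptions for this example.
JAIL_LOCAL = """
[DEFAULT]
findtime = 600
bantime  = 3600
maxretry = 5

[sshd]
enabled  = true
logpath  = /var/log/auth.log

[postfix]
enabled  = true
logpath  = /var/log/mail.log
maxretry = 3
"""

# fail2ban replaces <HOST> in a failregex with a pattern for IPv4/IPv6/hostnames;
# this stand-in matches IPv4 only (simplification for the example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Simplified failregex per jail, modelled on the shipped sshd and postfix-sasl
# filters but not copied from them.
FAILREGEX = {
    "sshd": [re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + HOST)],
    "postfix": [re.compile(r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[" + HOST
                           + r"\]: SASL \w+ authentication failed")],
}

# Constructed log excerpts (syslog timestamps carry no year).  198.51.100.7 hammers
# sshd; 192.0.2.9 guesses slowly, 12 minutes apart, so it never fills the window.
AUTH_LOG = """\
May 10 18:40:01 mail sshd[1201]: Failed password for root from 198.51.100.7 port 51000 ssh2
May 10 18:40:03 mail sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
May 10 18:40:05 mail sshd[1203]: Failed password for invalid user oracle from 198.51.100.7 port 51002 ssh2
May 10 18:40:07 mail sshd[1204]: Failed password for root from 198.51.100.7 port 51003 ssh2
May 10 18:40:09 mail sshd[1205]: Failed password for root from 198.51.100.7 port 51004 ssh2
May 10 18:40:11 mail sshd[1206]: Failed password for root from 198.51.100.7 port 51005 ssh2
May 10 18:41:00 mail sshd[1207]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
May 10 18:45:00 mail sshd[1208]: Failed password for root from 192.0.2.9 port 22222 ssh2
May 10 18:57:00 mail sshd[1209]: Failed password for root from 192.0.2.9 port 22223 ssh2
May 10 19:09:00 mail sshd[1210]: Failed password for root from 192.0.2.9 port 22224 ssh2
"""
MAIL_LOG = """\
May 10 19:01:10 mail postfix/smtpd[2001]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 10 19:01:12 mail postfix/smtpd[2001]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 10 19:01:15 mail postfix/smtpd[2001]: warning: unknown[203.0.113.77]: SASL PLAIN authentication failed: authentication failure
May 10 19:02:00 mail postfix/smtpd[2002]: connect from mx.example.net[203.0.113.5]
"""


def parse_syslog_time(line, year=2013):
    """Parse the 15-character syslog timestamp; the year is assumed (2013 here)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, name, section):
        self.name = name
        self.regexes = FAILREGEX[name]
        self.maxretry = section.getint("maxretry")          # falls back to [DEFAULT]
        self.findtime = timedelta(seconds=section.getint("findtime"))
        self.bantime = timedelta(seconds=section.getint("bantime"))
        self.failures = defaultdict(deque)   # host -> timestamps inside the window
        self.bans = {}                       # host -> (banned_at, expires_at)
        self.notices = []                    # what the mail action would send

    def is_banned(self, host, at):
        ban = self.bans.get(host)
        return ban is not None and ban[0] <= at < ban[1]

    def process(self, line):
        """Feed one log line; return the host if this line triggers a ban."""
        for rx in self.regexes:
            m = rx.search(line)
            if m:
                break
        else:
            return None                                  # not a failure line
        host, at = m.group("host"), parse_syslog_time(line)
        if self.is_banned(host, at):                     # iptables would already drop it
            return None
        window = self.failures[host]
        window.append(at)
        while window and at - window[0] > self.findtime:  # slide the findtime window
            window.popleft()
        if len(window) < self.maxretry:
            return None
        self.bans[host] = (at, at + self.bantime)
        window.clear()
        self.notices.append(f"[{self.name}] Ban {host} at {at:%H:%M:%S} for {self.bantime.seconds}s")
        return host


def run_jails(config_text, logs):
    """Run every enabled jail over its log text; return {jail name: Jail}."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    jails = {}
    for name in cfg.sections():
        if not cfg.getboolean(name, "enabled", fallback=False):
            continue
        jail = Jail(name, cfg[name])
        for line in logs[name].splitlines():
            jail.process(line)
        jails[name] = jail
    return jails


if __name__ == "__main__":
    for jail in run_jails(JAIL_LOCAL, {"sshd": AUTH_LOG, "postfix": MAIL_LOG}).values():
        for notice in jail.notices:
            print(notice)
```

Run as-is it reports one ban per jail: the fast SSH guesser after its fifth failure and the SASL guesser after its third, while the slow guesser from 192.0.2.9 never trips maxretry because each failure falls outside the previous findtime window. Against a real installation the equivalent check is fail2ban-regex, which takes a log file and a filter file and reports which lines (and hosts) the real failregex would have matched.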
Fail2ban "just works" with minimal configuration; it does what I needed. We were getting a number of SSH attempts, and someone was relaying mail using an apparently guessed password, even though it was of reasonable strength. Banning after a handful of failures caps how many passwords a single source can try before it is blocked (currently for an hour); it does not help against guessing spread across many hosts, since each host stays under the threshold. I'm seeing a handful of bans a day at this point. Great utility; two thumbs up.