## install
$ sudo yum install fail2ban (needs the EPEL repository) | sudo apt-get install fail2ban
## configure fail2ban; the packaged defaults live in '/etc/fail2ban/jail.conf' (shown below), but put your overrides in '/etc/fail2ban/jail.local' so a package upgrade does not overwrite them
$ cat /etc/fail2ban/jail.conf
...
# 1 - generic configuration
# "bantime" is the number of seconds that a host is banned
bantime = 600
# ip addresses (space-separated, CIDR allowed) that are never banned; keep the loopback entry when you add your own management address
ignoreip = 127.0.0.1/8
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 3
...
# 2 - define ban actions
# config file in '/etc/fail2ban/action.d' used when a ban is needed; the default, iptables-multiport, blocks the offending IP only on the ports configured for the jail (see the 'multiport dports ssh' chain below); use iptables-allports to block every port
banaction = iptables-multiport
# calls banaction script; default is 'action_' which passes the name, port, protocol, and chain to the script; other values are 'action_mw' to ban and send an e-mail
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s
# 3 - application-specific jails
[ssh]
enabled = true
port = ssh
# file in '/etc/fail2ban/filter.d' telling how to parse the log file, see failregex in '/etc/fail2ban/filter.d/sshd.conf'
filter = sshd
# what files to parse for failures
logpath = /var/log/auth.log
## configure firewall, iptables in our case
$ cat /etc/fail2ban/action.d/iptables-multiport.conf
...
# commands executed when fail2ban starts and stops; they create (and later remove) a dedicated chain for the jail's ports (see above)
actionstart/actionstop = ...
# commands executed when banning and unbanning an ip; the ban inserts a DROP rule for the offender. The '-j' target must be identical in actionban and actionunban (here DROP vs <blocktype>): 'iptables -D' only deletes a rule that matches exactly, so a mismatch leaves the ban in place forever
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
$ sudo service fail2ban restart
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
...
Chain fail2ban-ssh (1 references)
DROP all -- xxx-xxxxxxxx.dyn.xxxxxxxxx.net anywhere
RETURN all -- anywhere anywhere
from How To Protect SSH with fail2ban on Debian 7
# enable predefined Apache jails, if not already enabled
$ cat /etc/fail2ban/jail.conf
# detect password authentication failures
[apache]
enabled = true
...
[apache-multiport]
enabled = true
...
# uses default action, otherwise set
$ cat /etc/fail2ban/jail.conf
[DEFAULT]
banaction = iptables-multiport
$ sudo systemctl restart fail2ban | sudo service fail2ban restart
# check and manage Fail2ban banning status
$ sudo fail2ban-client status
# ban or unban a given IP address by hand (use 'unbanip' instead of 'banip' to lift a ban)
$ sudo fail2ban-client set [name-of-jail] banip [ip-address]
from How to configure fail2ban to protect Apache HTTP server
Same, but for Asterisk, both with and without the Asterisk Security Framework (available from Asterisk 10 onwards)
$ cat /etc/fail2ban/filter.d/asterisk.conf
[Definition]
# regexes matching the authentication-failure messages in the log file. The offending host must be captured by a group named "host".
# The tag "<HOST>" can be used for standard IP/hostname matching and is only an alias for (?:::f{4,6}:)?(?P<host>\S+)
# without asterisk security framework (Asterisk before 10, logpath /var/log/asterisk/messages): keep this block commented out.
# NOTE: as transcribed these lines merely duplicate the security-framework patterns below; verify them against the
# actual message-log format before uncommenting. Continuation lines of a multi-line value must be indented.
#failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
#            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
#            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
#            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
# with asterisk security framework (Asterisk 10+, logpath /var/log/asterisk/security); continuation lines are indented so the parser treats them as one value
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
# regex to ignore. If this regex matches, the line is ignored.
ignoreregex =
$ cat /etc/fail2ban/jail.conf
[asterisk-iptables]
enabled = true
filter = asterisk
# two actions on one key: block the offender on every port, then mail a whois report to root; the second line must be indented to be read as a continuation of the first
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
# without asterisk security framework
#logpath = /var/log/asterisk/messages
# with asterisk security framework
logpath = /var/log/asterisk/security
$ cat /etc/fail2ban/jail.conf
[DEFAULT]
# whitelist your own management address so a typo cannot lock you out; this overrides the earlier ignoreip line, so repeat the loopback entry rather than dropping it
ignoreip = 127.0.0.1/8 <your_ip_address>
$ cat /etc/asterisk/logger.conf
[general]
# log a full date and time in each line so fail2ban can parse the timestamp when matching failures
dateformat=%F %T
$ service iptables start; service fail2ban start
$ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
2104K 414M fail2ban-ASTERISK all -- any any anywhere anywhere
from Fail2Ban (with iptables) and asterisk