Fail2ban

The fail2ban service scans log files for patterns that indicate repeated abusive attempts (for instance, failed SSH authentication attempts or a high volume of GET/POST requests against a web server) and, when a threshold is reached, automatically adds a firewall drop rule or a TCP wrappers deny entry for the offending host so that the availability of the service is not jeopardized. Because it reacts to what is already in the logs, it mitigates brute-force and flooding attempts but does not replace strong authentication such as key-based SSH logins.

Although fail2ban supports many services out of the box, its configuration is very versatile and can easily be extended with new filters and actions.

Jailing
The primary purpose of fail2ban is to jail services. When a service, such as sshd, is jailed, fail2ban continuously watches the log(s) of that service for repeated failed attempts. The moment a given number of attempts (maxretry) from one host is detected within a particular time window (findtime), a blocking rule (for instance through iptables) is automatically installed for that host for a given period (bantime).

The settings of these jails are configured through . By default, fail2ban already provides a well-stocked  file, but all jails are disabled by default so that the service, when started by the administrator, does not accidentally block legitimate requests.

Filter expressions
Inside , various filter definitions can be created. These files contain regular expressions (failregex) that match failed attempts and capture the offending host through the <HOST> placeholder; an optional ignoreregex excludes lines that would otherwise count. When a line of the monitored log matches a failregex, the failure counter for that jail and that host is incremented.
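To make the interplay of failregex, maxretry, findtime and bantime concrete, the following is an added example (not fail2ban's own code) that replays constructed sshd log lines through a toy jail. The sample log, the simplified <HOST> pattern and the failregex are assumptions written for this illustration; the real patterns live in fail2ban's filter.d/sshd.conf.

```python
"""Toy model of a fail2ban jail: a failregex run over a log, per-host failure
counting inside a findtime window, and bans that last bantime seconds.
Added illustration only; this is not fail2ban's implementation."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in traditional syslog format (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  3 10:00:30 host sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:01:00 host sshd[1212]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:20:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  3 10:40:00 host sshd[1400]: Failed password for alice from 198.51.100.4 port 40020 ssh2
"""

# fail2ban filters write the client address as <HOST>; this is a simplified
# stand-in (assumption) for the address/hostname pattern fail2ban substitutes.
HOST = r"(?P<host>[0-9A-Za-z.:-]+)"

# A failregex in the spirit of filter.d/sshd.conf, with <HOST> already substituted.
FAILREGEX = re.compile(
    r"^Failed (?:password|publickey) for (?:invalid user )?\S+ from "
    + HOST + r"(?: port \d+)?(?: ssh\d*)?$"
)

# Splits the syslog prefix (timestamp, hostname, program[pid]) from the message.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")


def match_line(line):
    """Return (timestamp, host) if the line is a failed login, else None."""
    m = LINE.match(line)
    if not m:
        return None
    f = FAILREGEX.match(m.group("msg"))
    if not f:
        return None
    # Syslog timestamps carry no year; year 1900 is fine for window arithmetic.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, f.group("host")


def run_jail(log_text, maxretry=3, findtime=600, bantime=3600):
    """Replay the log through one jail; return [(host, ban_start, ban_end), ...]."""
    window = timedelta(seconds=findtime)
    attempts = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}               # host -> datetime at which the ban expires
    bans = []
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        # Lazily expire a ban whose bantime has elapsed (fail2ban uses a timer).
        if host in banned_until and ts >= banned_until[host]:
            del banned_until[host]
        if host in banned_until:
            continue                # already blocked, nothing more to count
        q = attempts[host]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures outside findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts, banned_until[host]))
            q.clear()
    return bans


if __name__ == "__main__":
    for host, start, end in run_jail(SAMPLE_LOG):
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the defaults (maxretry 3 within 600 seconds), only 203.0.113.7 is banned, at 10:00:09; the three failures from 198.51.100.4 are 20 minutes apart and never fall into one findtime window, so a findtime of 3600 seconds is needed before that host is banned as well. Against a real filter file the same check is done with fail2ban-regex, for example fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, which reports how many lines matched and which hosts were extracted.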

Actions
Inside , various action definitions can be created. These files contain the commands to execute when a host is banned and unbanned (and, optionally, when the jail starts and stops, so that the required firewall chain exists). By default, actions exist for iptables, TCP wrappers (hosts.deny), shorewall and more.

Log scanning
The fail2ban service supports both plain file polling and gamin-based file monitoring. When  is installed and the  directive was left at its default, gamin is used; otherwise fail2ban falls back to polling. Newer fail2ban releases also offer a pyinotify backend, which the automatic backend selection tries before gamin. The backend can of course be configured in .

Installation
Installing is as simple as:

At the time of writing, no USE flags need to be set (the selinux USE flag is only meaningful on SELinux-enabled systems and is not selectable otherwise). If you want to use gamin, install  too.

Configuration
To configure fail2ban, go to.

Start with , as that file defines which jails are enabled (and thus which services are monitored and with which thresholds). Only if necessary, create your own filters or actions. After enabling a jail, verify that it is running with fail2ban-client status, and make sure ignoreip covers your own management addresses so that a typo in your own password cannot lock you out.
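As an added example (not part of the original page or of the fail2ban distribution), a minimal local override that enables the sshd jail. It assumes the usual layout in which /etc/fail2ban/jail.local overrides /etc/fail2ban/jail.conf, that the authentication log is at /var/log/auth.log (the path depends on the system logger in use), and that 192.0.2.0/24 is a constructed management network; on fail2ban 0.8.x the stock jail is named ssh-iptables instead of sshd.

```ini
# /etc/fail2ban/jail.local -- local overrides; jail.conf itself is left
# untouched so that package upgrades do not clobber the settings.
[DEFAULT]
# Never ban loopback or the (constructed) management network.
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24
# Thresholds in seconds: 3 failures within 10 minutes -> 1 hour ban.
bantime  = 3600
findtime = 600
maxretry = 3
# Drop all traffic from the offender, not only the attacked port.
banaction = iptables-allports

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
```

Reload with fail2ban-client reload and check fail2ban-client status sshd; the output lists the currently banned addresses, and a manual fail2ban-client set sshd unbanip <address> releases a host that was banned by mistake.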