From Fail2ban to Reaction

Fail2ban has been an important security tool I’ve been using on my servers for many years. However, it is sometimes difficult to configure, lacks certain features, and can consume too many resources.

Recently I’ve switched to Reaction, a new tool with the same philosophy: monitor logs and execute some actions based on log matches. Reaction is written in Rust, so it’s fast and resource efficient.


fail2ban 0.9

With the recent release of fail2ban 0.9 there are very important improvements to the journal and firewalld integration. With these simple configurations, I get fail2ban working in Fedora 20 without a syslog daemon and avoid being DoSed by a local user.

/etc/fail2ban/fail2ban.local

[Definition]
loglevel = INFO
logtarget = SYSLOG

In /etc/fail2ban/jail.local we set the backend to systemd, so that the journal is monitored directly. We also choose firewallcmd-ipset as the default action, so the rules are inserted with firewall-cmd and use the ipset facility. Finally, all the needed jails are enabled.

[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
bantime = 3600

[sshd]
enabled = true

[postfix]
enabled = true

[dovecot]
enabled = true

Configure fail2ban in Fedora 20 to use firewall-cmd and ipset

Note (October 20 2014): This post is outdated; please refer to the post fail2ban 0.9 for more up-to-date information.

fail2ban is a handy daemon that monitors the log files to identify connection attempts and other kinds of attacks and bans those IPs for a certain period of time.

Currently, fail2ban upstream is adding support for firewalld and the use of ipset, so some modifications to the stock config are needed.

First of all, install the needed packages. I add rsyslog because it’s not included in the default Fedora 20 installation and it’s needed to generate /var/log/secure. I hope fail2ban will someday support querying the journal directly.
