Setting up Fail2ban against brute force attempts

warning: this is obsolete and parsing logs is not exactly the most scalable way to deal with attacks – use the NetBSD Blacklist Daemon instead

warning 2: if you really want to go down the log-parsing road, sshguard is WAY nicer

E.g. for a Postfix container that writes its logs to /data/postfixprod/,

apt install fail2ban

cd /etc/fail2ban/filter.d/
ls -lhF postfix*
vi postfix-auth.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
# %(__prefix_line)s comes from common.conf; <HOST> is expanded by fail2ban
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =

cd /etc/fail2ban/jail.d/
cat defaults-debian.conf
vi postfixprod.conf

[postfixprod]
enabled  = true
port     = smtp,ssmtp
filter   = postfix-auth
action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /data/postfixprod/mail.log

tail -F /var/log/syslog &
service fail2ban restart


Optionally, change the defaults to strengthen the setup and avoid reverse-DNS (no-resolve) delays,

cd /etc/fail2ban/
cp -pi jail.conf jail.conf.dist
vi jail.conf

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip =
ignorecommand =

# 24 hours ban (default 10 minutes)
bantime  = 86400

# search window 10 minutes (default)
findtime  = 600

# failed attempts (default 3)
maxretry = 5

backend = auto
# do not reverse-resolve the IPs found in the logs (avoids DNS delays)
usedns = no
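To check what the filter and the jail parameters above actually do before restarting the service, the following Python script (an added example, not part of this page nor of fail2ban itself) expands the failregex the way fail2ban-regex does and replays the findtime/maxretry logic over a few constructed Postfix log lines. It assumes simplified stand-ins for %(__prefix_line)s (from common.conf) and for the <HOST> placeholder (IPv4 only); the real definitions are more permissive, so use fail2ban-regex against the real mail.log for the final word.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as in filter.d/postfix-auth.conf on this page
FAILREGEX = r"^%(__prefix_line)slost connection after .*\[<HOST>\]$"

# ASSUMPTION: simplified stand-in for %(__prefix_line)s from common.conf
# ("Mon DD HH:MM:SS host postfix/smtpd[pid]: "); the real one is more permissive.
PREFIX_LINE = r"(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd(?:\[\d+\])?: "

# ASSUMPTION: simplified stand-in for fail2ban's <HOST> expansion (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex: str = FAILREGEX) -> re.Pattern:
    """Expand the two fail2ban placeholders and compile, as fail2ban-regex does."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def matched_hosts(lines, failregex: str = FAILREGEX) -> list:
    """Hosts taken from every line the failregex matches (what fail2ban-regex lists)."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.match, lines) if m]


def offending_hosts(lines, findtime: int = 600, maxretry: int = 5,
                    failregex: str = FAILREGEX) -> dict:
    """Replay the jail: a host is banned at the first moment it has >= maxretry
    matching lines inside a trailing window of findtime seconds.
    Returns {host: timestamp_of_ban}. ignoreregex is empty on the page, so
    nothing is exempted here."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = rx.match(line)
        if not m or m.group("host") in banned:
            continue
        host, t = m.group("host"), parse_ts(m.group("ts"))
        q = recent[host]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:   # expire old failures
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = t
    return banned


# Constructed sample log (not real traffic): one client drops five AUTH
# sessions in four minutes, another drops two EHLO sessions an hour apart.
SAMPLE_LOG = """\
Mar 10 10:00:01 mx1 postfix/smtpd[1234]: connect from unknown[203.0.113.7]
Mar 10 10:00:02 mx1 postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 10 10:01:02 mx1 postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 10 10:02:02 mx1 postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 10 10:03:02 mx1 postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 10 10:04:02 mx1 postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 10 10:05:00 mx1 postfix/smtpd[1234]: lost connection after EHLO from mail.example.net[198.51.100.9]
Mar 10 11:00:00 mx1 postfix/smtpd[1234]: lost connection after EHLO from mail.example.net[198.51.100.9]
Mar 10 12:00:00 mx1 postfix/smtpd[1234]: disconnect from unknown[203.0.113.7]
""".splitlines()

if __name__ == "__main__":
    print("matches:", matched_hosts(SAMPLE_LOG))
    for host, when in offending_hosts(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S} (5 failures within 600 s)")
```

With the page's values (findtime 600, maxretry 5) only 203.0.113.7 gets banned, at its fifth dropped AUTH; 198.51.100.9 never accumulates enough hits inside one window. Note that this failregex fires on any "lost connection after ..." line, not only after AUTH, so legitimate but flaky clients count towards maxretry too; that is the reason the window and retry count matter, and the 24 h bantime makes a false positive expensive for the client that hits it.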

You should now see the new iptables chains that fail2ban maintains automatically (-n prints addresses numerically, which avoids reverse-DNS delays),

iptables -L -n
iptables -L f2b-SMTP-auth -n
watch iptables -L f2b-SMTP-auth -n