
IPS (Intrusion Prevention Systems)


 


Fail2Ban

Fail2Ban is an IPS that can be configured to monitor essentially any service that logs its authentication attempts.

  • Monitors: Log files for multiple services (SSH, nginx, Apache, etc.)

  • Uses "jails": config blocks that pair the log patterns to detect with the action to take when they match

  • Blocks via: iptables (the jail's ban action inserts a firewall rule for the offending IP)

Configuration:

  • Global: /etc/fail2ban/fail2ban.conf

  • Jails: /etc/fail2ban/jail.conf → override in /etc/fail2ban/jail.local


DenyHosts

Protects SSH servers from brute-force password-guessing attacks.

  • Monitors: /var/log/auth.log or /var/log/secure

  • Looks for: Failed SSH login attempts

  • Blocks via: /etc/hosts.deny (using TCP Wrappers)

  • Automatic banning: After a defined number of failed attempts

  • Configuration: /etc/denyhosts.conf
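The following is an added example, not code from Fail2Ban, DenyHosts or the original page. It models the mechanism both tools share: count failed logins per source host in a log, ban once a threshold is crossed inside a time window, and emit the block in each tool's form (an iptables rule for Fail2Ban, a TCP Wrappers line for DenyHosts). The jail.conf/jail.local texts, the log lines, the pinned year, the simplified failregex (a plain named group instead of Fail2Ban's `<HOST>` placeholder) and the exact iptables command are all constructed or assumed; only the config key names (`enabled`, `maxretry`, `findtime`, `bantime`, `logpath`) mirror real Fail2Ban keys.

```python
"""Minimal model of Fail2Ban jail semantics and DenyHosts-style blocking.
Added example: sample configs and log lines are constructed, not real."""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for /etc/fail2ban/jail.conf (shipped defaults; constructed).
JAIL_CONF = """
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
enabled = false
port    = ssh
logpath = /var/log/auth.log
"""

# Stand-in for /etc/fail2ban/jail.local: only the keys being overridden.
JAIL_LOCAL = """
[sshd]
enabled  = true
maxretry = 3
"""

# Constructed /var/log/auth.log excerpt (syslog format, no year).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:09 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:15 bastion sshd[2205]: Accepted publickey for deploy from 192.0.2.10 port 40110 ssh2
Mar 10 12:01:02 bastion sshd[2207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:05:00 bastion sshd[2210]: Failed password for root from 198.51.100.7 port 33000 ssh2
Mar 10 12:05:30 bastion sshd[2211]: Failed password for root from 198.51.100.7 port 33002 ssh2
Mar 10 12:20:00 bastion sshd[2230]: Failed password for root from 198.51.100.7 port 33010 ssh2
""".splitlines()

# Simplified sshd failure pattern (assumption; Fail2Ban's real filter uses <HOST>).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)


def load_jail(name, *configs):
    """Read config texts in order; later files override earlier keys,
    which is exactly the jail.conf -> jail.local override pattern.
    Keys missing from the [sshd] section fall back to [DEFAULT]."""
    cp = configparser.ConfigParser()
    for text in configs:
        cp.read_string(text)
    sec = cp[name]
    return {
        "enabled": sec.getboolean("enabled"),
        "maxretry": sec.getint("maxretry"),
        "findtime": sec.getint("findtime"),
        "bantime": sec.getint("bantime"),
        "logpath": sec.get("logpath"),
    }


def parse_ts(text):
    # Classic syslog lines carry no year; pin one so timestamps compare (assumption).
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2024)


def scan(lines, jail):
    """Replay log lines through the jail: a host is banned once it has
    >= maxretry failures inside a sliding findtime window.
    Returns {host: ban expiry}; a disabled jail bans nothing."""
    if not jail["enabled"]:
        return {}
    window = timedelta(seconds=jail["findtime"])
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # e.g. an "Accepted publickey" line: not a failure
        host, ts = m["host"], parse_ts(m["ts"])
        if host in bans and ts < bans[host]:
            continue  # still banned; the firewall would have dropped this
        hits = [t for t in recent[host] if ts - t < window] + [ts]
        recent[host] = hits
        if len(hits) >= jail["maxretry"]:
            bans[host] = ts + timedelta(seconds=jail["bantime"])
            recent[host] = []
    return bans


def iptables_rule(host):
    """Shape of the rule Fail2Ban's iptables action inserts (illustrative)."""
    return f"iptables -I f2b-sshd 1 -s {host} -j REJECT --reject-with icmp-port-unreachable"


def hosts_deny_line(host):
    """DenyHosts-style /etc/hosts.deny entry: TCP Wrappers refuses sshd from host."""
    return f"sshd: {host}"


if __name__ == "__main__":
    jail = load_jail("sshd", JAIL_CONF, JAIL_LOCAL)
    for host, until in scan(SAMPLE_AUTH_LOG, jail).items():
        print(f"ban {host} until {until:%H:%M:%S}")
        print("  fail2ban :", iptables_rule(host))
        print("  denyhosts:", hosts_deny_line(host))
```

Two things the run makes visible: with jail.conf alone the sshd jail is disabled and maxretry is 5, so nothing is banned; with jail.local layered on top, 203.0.113.5 is banned on its third failure within 61 seconds, while 198.51.100.7 is not, because its third failure falls outside the 600 second findtime window and the earlier two have aged out. The hosts.deny path has a caveat worth knowing: it only works if sshd honours TCP Wrappers, and upstream OpenSSH removed libwrap support in 6.7, so on current systems a firewall-based ban is the one to rely on.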