[CentOS] Looking for recommendations for blockinghacking attempts

Thu Jul 9 16:20:11 UTC 2009
Manuel Monteiro <Manuel.Monteiro at astro.up.pt>

Neil Aggarwal wrote:
> It looks like BLOCK_SERVICE tells what to block once the
> offender has been identified.
> What I am talking about is the process of identifying the
> offender in the first place. It looks like only a failed SSH
> login attempt will cause someone to be blocked.  If they
> try to attack another service (pop3s for example), 
> DenyHosts will not block them.
I've been using fail2ban for more than a year now. For now I only use it 
to monitor SSH.
Fail2ban monitors log files (/var/log/secure for SSH) and if the 
authentication fails more than x times (3 for me) uses iptables to block 
(ban) that particular IP address during xxxx seconds (1h for me). Bans 
are logged identifying the IP address of the attacker.

Fail2ban also works (or almost) "out of the box" with proftpd / sasl / 
vsftpd among others.

It's possible to configure fail2ban to monitor other software/services 
such as dovecot.

Look at fail2ban homepage for more info. You may find a nice article at