[CentOS] fail2ban attempt, anyone want to add anything?

Fri Apr 20 06:02:02 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

Tonight I added fail2ban to one of my webservers to test it out.
Here is my step-by-step, as best as I could figure it
out... the documentation is a bit sketchy.

Feel free to add anything to it or suggest changes.

I tried to set it up to deal with ssh, http authentication, dovecot, 
ftp, and postfix


I could find no working example for centos 6 and there is no fail2ban 
book available to peruse.
So, just winging it....



I used the EPEL repo, and it needed the following packages to work correctly.
I do not use priorities, but I add things by using includepkgs= in the
repo file.
fail2ban shorewall python-inotify gamin-python

(logging)
Although fail2ban adds a logrotate file for fail2ban.log, it logs
everything to the /var/log/messages file,
so I changed
/etc/fail2ban/fail2ban.conf
line 25: logtarget = /var/log/fail2ban.log
Perhaps overlooked by the rpm developer?


/etc/fail2ban/jail.conf

In all sections I commented out the mailto section since it just sends a
ton of mails when started/stopped... yikes.
Not sure if there is a setting only for errors or actions... but the
start/stop mails are too annoying. Will use logwatch
daily to check on it.

line 16, added a space then my server ip address 123.123.123.123 
(example ip address, not real)
ignoreip = 127.0.0.1 123.456.789.123


SSH section
line 48 enabled=true
line 50, changed to my port number
commented out the mailto section


sasl section
(for postfix)
line 68 enabled=true
backend = polling (I left this but have no idea if I should or not)
line 71, rewrote it to:
action   = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
this blocks all mail ports when someone tries and fails
at least I think it does....?  :)

Apache
(this was tough since many online sources say it will not work, but
will test and see)
[apache-tcpwrapper]
enabled  = true
filter     = apache-auth
action   = iptables-multiport[name=ApacheAuth, port="80,443", protocol=tcp]
logpath  = /var/log/httpd/*error_log
maxretry = 4
Several docs suggest tcpwrapper and centos are a no-go, and that this
will not work... trying it anyway.
All the http stuff is not set up for centos; its default is to look for
/var/log/apache, so this was not set
up at all by the rpm dev... at least not the working examples in the
jail.conf file.


Added this to the bottom (and a new file must be created to work with it):
[Dovecot]
enabled  = true
filter   = dovecot
maxretry = 5
action   = iptables-multiport[name=DOVECOT, port="25,465,993,995", protocol=tcp]
logpath  = /var/log/maillog
(again, I added all mail ports in case of a hacker)


New file added:
/etc/fail2ban/filter.d/dovecot.conf

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#

failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


service fail2ban start
chkconfig fail2ban on
service iptables restart (not sure if you have to or not with each 
fail2ban restart)
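As an added example (not part of Bob's post and not fail2ban's own code): a small Python checker that runs the dovecot failregex from the filter above over constructed maillog lines, the way `fail2ban-regex` would, and then applies the jail's maxretry and ignoreip settings to show which hosts the DOVECOT jail would actually ban. The sample log lines and addresses are constructed for the example; `HOST_TAG_REGEX` is an assumption that approximates what fail2ban substitutes for the `<HOST>` tag, and the function names are mine.

```python
import re
from collections import defaultdict

# The dovecot failregex from the post, joined onto one line (filter.d/dovecot.conf).
FAILREGEX = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# The same filter written with fail2ban's <HOST> tag instead of an explicit (?P<host>...) group.
HOST_TAG_PATTERN = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=<HOST>,"
)

# Assumption: this approximates what fail2ban substitutes for <HOST> (an optional
# IPv4-mapped IPv6 prefix plus a named "host" group); check your version's source.
HOST_TAG_REGEX = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(pattern):
    """Expand the <HOST> tag like fail2ban does, then compile the failregex."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG_REGEX))


def failed_hosts(lines, pattern=FAILREGEX):
    """Count matching log lines per host, like the per-IP summary of fail2ban-regex."""
    rx = compile_failregex(pattern)
    counts = defaultdict(int)
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(lines, maxretry=5, ignoreip=("127.0.0.1",), pattern=FAILREGEX):
    """Hosts that reached maxretry failures and are not on the jail's ignoreip list."""
    return sorted(
        host for host, n in failed_hosts(lines, pattern).items()
        if n >= maxretry and host not in ignoreip
    )


def _dovecot_line(service, message, user, rip):
    """Build a constructed Dovecot-style maillog line (sample data, not real traffic)."""
    return ("Apr 20 05:59:01 mail dovecot: %s: %s: user=<%s>, method=PLAIN, "
            "rip=%s, lip=192.0.2.10, TLS" % (service, message, user, rip))


# Constructed sample maillog (documentation/test addresses only): six IMAP failures
# from one address, one POP3 failure from another, five failures from localhost
# that ignoreip must exclude, and one successful login that must not match.
SAMPLE_MAILLOG = (
    [_dovecot_line("imap-login", "Disconnected (auth failed, 1 attempts)", "bob", "198.51.100.7")] * 6
    + [_dovecot_line("pop3-login", "Aborted login (auth failed, 1 attempts)", "admin", "203.0.113.9")]
    + [_dovecot_line("imap-login", "Aborted login (tried to use disabled plaintext auth)", "test", "127.0.0.1")] * 5
    + [_dovecot_line("imap-login", "Login", "bob", "192.0.2.55")]
)

if __name__ == "__main__":
    for host, n in sorted(failed_hosts(SAMPLE_MAILLOG).items()):
        print("%-15s %d matching lines" % (host, n))
    print("would ban:", hosts_to_ban(SAMPLE_MAILLOG))
```

To check the real filter against your own log, the stock tool does the same job: `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf` prints how many lines matched and which addresses were extracted, so you can confirm the regex fires on failures and not on successful logins before enabling the jail.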