@dunderrrrrr
Created February 21, 2020 13:39
Fail2ban scans log files and bans IPs that show malicious signs.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, probing for exploits, etc. Fail2ban is generally used to update firewall rules so that the offending IP addresses are rejected for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box Fail2ban comes with filters for various services (apache, courier, ssh, etc).

Installing

$ sudo apt install fail2ban
$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban

Jails

In the /etc/fail2ban directory, you'll find the jail.conf file. Do not edit this file. Instead, we'll create a new file, jail.local, which will override any similar settings in jail.conf.

$ sudo nano /etc/fail2ban/jail.local

SSH

In this new file, paste the following contents to protect ssh.

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

nginx

To enable log monitoring for Nginx login attempts, we will enable the [nginx-http-auth] jail. Edit the enabled directive within this section so that it reads “true”:

[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
...

Save and close the file, then restart fail2ban so the new jails are loaded:

$ sudo systemctl restart fail2ban

Testing and unbanning

To lift a ban on an address in the sshd jail, replace <ip> with that address:

$ sudo fail2ban-client set sshd unbanip <ip>

Ignore IP

Addresses listed in ignoreip under [DEFAULT] are never banned by any jail. Keep the loopback range and add your own management address in place of <ip>, so that a typo in your own password cannot lock you out:

[DEFAULT]
ignoreip = 127.0.0.1/8 <ip>
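The sshd jail above works by matching failed-login lines in /var/log/auth.log, counting them per source address until maxretry is reached, and skipping anything covered by ignoreip. The script below is an added example, not part of the original gist, that re-creates that logic in plain awk over constructed sample log lines, so the effect of maxretry = 3 and the 127.0.0.1/8 ignoreip entry can be seen without running fail2ban; the CIDR match is simplified to a "127." prefix test, and the log lines are invented.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not a real capture).
# 203.0.113.5 fails three times, 198.51.100.7 fails once then succeeds,
# and 127.0.0.1 fails three times but sits inside ignoreip.
SAMPLE_AUTH_LOG='Feb 21 13:39:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 21 13:39:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 21 13:39:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Feb 21 13:39:07 host sshd[1240]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Feb 21 13:39:09 host sshd[1240]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Feb 21 13:39:11 host sshd[1242]: Failed password for root from 127.0.0.1 port 22000 ssh2
Feb 21 13:39:12 host sshd[1242]: Failed password for root from 127.0.0.1 port 22000 ssh2
Feb 21 13:39:13 host sshd[1242]: Failed password for root from 127.0.0.1 port 22000 ssh2'

# count_failures LOG: print "ip count" for every source address with at
# least one "Failed password" line, the same event the sshd filter matches.
count_failures() {
  printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) print ip, fails[ip] }' | sort
}

# banned_ips LOG MAXRETRY: addresses that reached maxretry and are not
# covered by ignoreip. The 127.0.0.1/8 entry is simplified to a prefix
# test on "127."; a real CIDR match is left to fail2ban itself.
banned_ips() {
  count_failures "$1" | awk -v max="$2" '
    $1 ~ /^127\./ { next }      # ignoreip = 127.0.0.1/8 from [DEFAULT]
    $2 >= max     { print $1 }'
}

# With maxretry = 3 only 203.0.113.5 is reported, even though 127.0.0.1
# also failed three times.
banned_ips "$SAMPLE_AUTH_LOG" 3
```

On a live system the list fail2ban has actually banned is shown by `sudo fail2ban-client status sshd`, which is the quickest way to confirm the jail is reading the right logpath.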