Fail2Ban
Fail2ban protects a host from brute-force attacks such as password guessing and exploit scanning. It watches log files (or, with the systemd backend, the journal) for patterns of malicious activity and, once a source address exceeds the configured number of failures, bans that IP address, sends an e-mail notification, or runs any other configured action. Because it works per source address, fail2ban is weak against distributed attacks (DDoS or distributed password guessing): traffic spread over many addresses never trips a ban unless the individual IPs involved happen to trigger fail2ban on their own.
Fail2Ban Setup
Main Configuration
/etc/fail2ban/jail.local
[DEFAULT]
bantime = 1d
destemail = root@bwt.com.de
sender = fail2ban@bwt.com.de
action = %(action_mwl)s

action_mwl bans the address and additionally mails a whois report plus the matching log lines to destemail on every ban, so the host needs a working local MTA. The bantime set here is the default; jails that set their own value below override it.
SSHD Configuration
/etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
filter = sshd
banaction = iptables
backend = systemd
maxretry = 5
findtime = 1d
bantime = 2w
ignoreip = 127.0.0.1/8 ::1

With backend = systemd the jail reads the journal (the stock sshd filter carries its own journalmatch), so no logpath is needed. An ignoreip set inside a jail replaces the value from [DEFAULT] rather than adding to it, so list loopback (IPv4 and IPv6) here and add the address you administer from; otherwise a few typos at the login prompt lock you out for two weeks.
Postfix-ISPmail Configuration
/etc/fail2ban/jail.d/postfix-ispmail.local
[postfix-ispmail]
enabled = true
filter = postfix-ispmail
port = smtp,submission
banaction = iptables-multiport
backend = systemd
maxretry = 5
findtime = 1d
bantime = 2w
ignoreip = 127.0.0.1/8 ::1 192.99.246.231/32

Three details matter in this jail. filter must name the custom filter defined below (filter defaults to the jail name, so the line could also be omitted); with filter = postfix the stock Postfix filter would be used and the custom filter file would never be read. The plain iptables action binds a single port, so a list of two ports needs iptables-multiport (or iptables-allports). And, as in the sshd jail, ignoreip replaces the default list, so loopback is repeated alongside the whitelisted host.
/etc/fail2ban/filter.d/postfix-ispmail.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]$
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service

common.conf supplies %(__prefix_line)s, which matches the timestamp, hostname and daemon tag at the start of a syslog/journal line and uses _daemon for the tag, so the regex covers smtpd and smtps on the plain, submission and smtps services. The \S+ before the bracket is the client's reverse-DNS name or "unknown"; fail2ban replaces <HOST> with its own address pattern and the captured address is what gets banned. Postfix logs "lost connection after AUTH" when a client drops the connection right after an AUTH command, which is exactly what a password-guessing bot does after each rejected login. Check the filter against the live journal with fail2ban-regex systemd-journal /etc/fail2ban/filter.d/postfix-ispmail.conf. If it reports no matches although journalctl shows such lines, the unit name is the usual culprit: on Debian the smtpd processes log under the instance unit postfix@-.service rather than postfix.service, so set journalmatch to the _SYSTEMD_UNIT value that journalctl -o verbose shows for those entries.
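The filter and the jail thresholds can be dry-run without touching the daemon. The following is an added example, not code from this page or from the fail2ban project: it rebuilds the failregex above in plain Python (with a simplified stand-in for %(__prefix_line)s and <HOST>, both assumptions that cover only the syslog-style lines the systemd backend produces), replays constructed journal lines through it, and applies the maxretry, findtime and ignoreip semantics that the sshd and postfix-ispmail jails rely on. The addresses, timestamps and log lines are constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for fail2ban's %(__prefix_line)s from common.conf (assumption: a
# reduced version that only handles "Mon DD HH:MM:SS host daemon[pid]: ").
# The daemon part is the _daemon value from the filter above.
_DAEMON = r"postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]"
_PREFIX_LINE = (
    r"^(?:\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} )?"  # syslog timestamp
    r"(?:\S+ )?"                                 # hostname
    + _DAEMON + r"\[\d+\]: "                     # e.g. postfix/smtpd[1234]:
)
# fail2ban substitutes <HOST> with its own address/hostname pattern; an IP
# literal is enough for this demonstration (assumption).
_HOST = r"(?P<host>[0-9A-Fa-f.:]+)"
FAILREGEX = re.compile(
    _PREFIX_LINE + r"lost connection after AUTH from \S+\[" + _HOST + r"\]$"
)
_TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample journal output: one bot hammering SMTP AUTH on three
# services, a single failure from a second address, unrelated Postfix and
# Dovecot lines, and a failure from localhost (covered by ignoreip).
SAMPLE_JOURNAL = """\
Mar 03 10:15:01 mail postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 03 10:15:09 mail postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 03 10:15:20 mail postfix/submission/smtpd[1240]: lost connection after AUTH from unknown[203.0.113.7]
Mar 03 10:15:31 mail postfix/smtps/smtpd[1241]: lost connection after AUTH from unknown[203.0.113.7]
Mar 03 10:15:45 mail postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]
Mar 03 10:16:02 mail postfix/smtpd[1234]: lost connection after AUTH from unknown[198.51.100.9]
Mar 03 10:16:10 mail postfix/smtpd[1234]: disconnect from unknown[198.51.100.9] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 03 10:16:15 mail dovecot[900]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, rip=198.51.100.9
Mar 03 10:16:30 mail postfix/smtpd[1234]: lost connection after AUTH from localhost[127.0.0.1]
"""


def _timestamp(line, year=2024):
    # Syslog-style stamps carry no year; assume one so lines are comparable.
    stamp = _TIMESTAMP.match(line).group(1)
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def is_ignored(host, ignoreip):
    """True if host falls inside any ignoreip entry (single IP or CIDR)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def evaluate_jail(journal, maxretry=5, findtime=86400,
                  ignoreip=("127.0.0.1/8", "::1")):
    """Replay journal lines through the filter and the jail's counters.

    findtime is in seconds, as in jail.local. Returns (failures, banned):
    failures maps each host to the timestamps of its matches still inside the
    findtime window, banned lists hosts that reached maxretry matches within
    findtime, in ban order. Simplified model (assumption): bantime is not
    simulated, a banned host simply keeps counting.
    """
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    banned = []
    for line in journal.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # ignoreregex is empty, so a non-match is the only skip
        host = m.group("host")
        if is_ignored(host, ignoreip):
            continue
        now = _timestamp(line)
        recent = [t for t in failures[host] if now - t <= window]
        recent.append(now)
        failures[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return dict(failures), banned


if __name__ == "__main__":
    counts, hits = evaluate_jail(SAMPLE_JOURNAL)
    for host, times in counts.items():
        print(f"{host}: {len(times)} AUTH failures")
    print("would ban:", hits)
    # With the page's findtime = 1d every attempt counts; a 30 s window lets
    # the same bot stay under maxretry.
    print("would ban with findtime=30:", evaluate_jail(SAMPLE_JOURNAL, findtime=30)[1])
```

Run it and the bot at 203.0.113.7 is banned on its fifth failure, the single failure from 198.51.100.9 stays below maxretry, the localhost line is dropped by ignoreip, and the "disconnect from" and Dovecot lines never match the regex. Shortening findtime to 30 seconds shows why the page uses a long window: the same bot, pacing its attempts, would never be banned. On the real host, fail2ban-client status postfix-ispmail shows the live counters and the currently banned addresses.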