I'm sending the log files from my Rackspace Cloud Servers to loggly, as I described in a previous post. Take a look at this graph from the loggly dashboard:
Someone is trying to break into my server by attacking ssh with many login attempts in a short period of time. Looks like I need to install fail2ban. fail2ban will keep an eye on my log files and set up iptables rules after a configurable number of failed attempts. It will also remove the rules after a specified period of time.
apt-get install fail2ban
Configure /etc/fail2ban/jail.local appropriately. On Ubuntu 11.04, this was changing the logpath setting:
logpath = /var/log/auth.log
logpath = /var/log/messages
service fail2ban restart
I test it from a different server and it works:
From the original server you can see fail2ban added the iptables rule:
And after 5 minutes, I'm allowed back in:
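To make the ban and unban behaviour concrete, here is an added example (not from the post, and not fail2ban's own code) that replays a handful of constructed auth.log lines the way the ssh jail does: an IP that accumulates maxretry failed logins inside findtime seconds gets banned, and the ban lapses after bantime seconds. The log lines, the year (syslog timestamps carry none), the hostname web1, the addresses 203.0.113.5 and 198.51.100.9, and the thresholds maxretry=5, findtime=600, bantime=300 (matching the 5-minute window observed above) are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log (not real data). Each line has the
# shape sshd writes: one bruteforcing address, one legitimate user who
# mistypes a password a few times spread over half an hour.
SAMPLE_AUTH_LOG = """\
Jun  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51322 ssh2
Jun  3 10:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51330 ssh2
Jun  3 10:00:05 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51340 ssh2
Jun  3 10:00:40 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.9 port 40002 ssh2
Jun  3 10:01:02 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 51355 ssh2
Jun  3 10:01:10 web1 sshd[2214]: Failed password for invalid user guest from 203.0.113.5 port 51360 ssh2
Jun  3 10:01:15 web1 sshd[2216]: Failed password for invalid user guest from 203.0.113.5 port 51361 ssh2
Jun  3 10:02:00 web1 sshd[2220]: Failed password for deploy from 198.51.100.9 port 40010 ssh2
Jun  3 10:30:00 web1 sshd[2300]: Failed password for deploy from 198.51.100.9 port 40020 ssh2
Jun  3 10:31:00 web1 sshd[2301]: Failed password for deploy from 198.51.100.9 port 40021 ssh2
"""

# Matches the "Failed password" line that fail2ban's sshd filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2011):
    """Yield (timestamp, ip) for every failed-password line. Syslog lines
    carry no year, so the caller supplies one (2011 is an assumption)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def compute_bans(log_text, maxretry=5, findtime=600, bantime=300):
    """Replay the log as a fail2ban-style jail would. An IP is banned once
    it has maxretry failures inside a findtime-second sliding window; the
    ban ends bantime seconds later. Returns [(ip, ban_start, ban_end)]."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    active = {}                  # ip -> time its current ban ends
    bans = []
    for ts, ip in parse_failures(log_text):
        # Lift any ban that has expired by the time of this event.
        for expired in [i for i, end in active.items() if end <= ts]:
            del active[expired]
        if ip in active:
            # With a real iptables DROP rule this line would never have
            # been logged; ignore it rather than extend the ban.
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()          # forget failures older than findtime
        if len(q) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            active[ip] = end
            bans.append((ip, ts, end))
            q.clear()
    return bans


def is_banned(bans, ip, at):
    """True if `ip` is inside a ban interval at time `at` (end exclusive).
    `at` may be a datetime or an ISO-8601 string."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    return any(b == ip and start <= at < end for b, start, end in bans)


if __name__ == "__main__":
    for ip, start, end in compute_bans(SAMPLE_AUTH_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Run as is, it reports one ban: the scanning address trips the threshold on its fifth failure and is released five minutes later, while the legitimate user's three failures spread over half an hour never fill the window. Tuning is the same trade-off as in jail.local: a smaller findtime or larger maxretry tolerates forgetful users, a longer bantime slows a scanner down more.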
I should see a big drop in login attempts over the next few days.