One thing that surprised me (well, shocked me to be honest) after bringing this little site online was waking up in the morning to find my server access logs had grown by megabytes overnight. Closer inspection showed a small number of highly aggressive bots hitting web, mail and sshd servers. One bot alone tried many thousands of user/pass combinations on the email server, firing off up to fifty incoming threads at a time. Presumably it would have tried more, but 50 was the server configuration limit.
So I decided to install fail2ban. By default fail2ban only has one rule enabled, checking sshd, but it comes with predefined failure-checking filters for most popular server software (web, email, ftp, etc.) and example templates in the configuration file to enable logging of anything else desired. You can set how many failures per time interval are needed to trigger a ban and how long the ban will last. You can choose to ban the user only from that protocol or from all IP access. fail2ban creates rules in the firewall to implement the block.
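To show what those settings look like in practice, here is an added example jail.local (not the configuration from this post) that enables the sshd, mail and web jails and uses the per-protocol versus all-ports ban choice described above. It assumes Debian-style log paths and fail2ban 0.9 or later, where the jails are named as shown.

```ini
# /etc/fail2ban/jail.local  (added example, not the author's configuration)
# Only jail.local needs to be written; it overrides the packaged jail.conf.
# Assumed: Debian-style log paths and fail2ban 0.9 or later.

[DEFAULT]
# A host is banned once it produces maxretry failures within findtime seconds,
# and the ban lasts bantime seconds.
findtime  = 600
maxretry  = 5
bantime   = 3600
# iptables-multiport blocks only the ports listed in each jail;
# iptables-allports cuts the host off from every port on the server.
banaction = iptables-multiport
# Never ban your own management address (192.0.2.10 is a placeholder).
ignoreip  = 127.0.0.1/8 192.0.2.10

[sshd]
enabled  = true
port     = ssh
logpath  = /var/log/auth.log

[postfix]
enabled  = true
port     = smtp,submission
logpath  = /var/log/mail.log
# Password guessing against mail is the noisiest traffic, so ban sooner,
# ban longer, and drop the host from all ports rather than just SMTP.
maxretry  = 3
bantime   = 86400
banaction = iptables-allports

[apache-auth]
# Failed HTTP basic/digest authentication attempts.
enabled  = true
port     = http,https
logpath  = /var/log/apache2/error.log

[apache-noscript]
# Requests for script files that do not exist on the server, i.e. the
# vulnerability probes a scanner sends before it ever tries a login.
enabled  = true
port     = http,https
logpath  = /var/log/apache2/error.log
```

After editing, `fail2ban-client reload` applies the file and `fail2ban-client status postfix` lists the addresses currently banned by that jail, which is the quickest way to confirm the filters are actually matching your log format.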
Well, since turning on monitoring of attempted web, sshd, ftp and email intrusions I’ve been able to get up the next day without finding the odd 10 thousand attempted break-ins. So, so far, so good (touch wood) and I can recommend fail2ban to anyone running any servers with incoming ports open to the Internet.
If you want to be more pro-active there’s a good article “Fail2ban setup for Apache” which shows how to block the bots as soon as they simply scan the site looking for vulnerabilities.
Hopefully that’s me done with the bots for now. Will see how it goes.