Fail2Ban or DenyHosts to block invalid username SSH login attempts












3














Is there a way to automatically block IP address when a user tries to login as any invalid username? I already have:



[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 31536000


in /etc/fail2ban/jail.conf










share|improve this question





























    3














    Is there a way to automatically block IP address when a user tries to login as any invalid username? I already have:



    [ssh]

    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 31536000


    in /etc/fail2ban/jail.conf










    share|improve this question



























      3












      3








      3







      Is there a way to automatically block IP address when a user tries to login as any invalid username? I already have:



      [ssh]

      enabled = true
      port = ssh
      filter = sshd
      logpath = /var/log/auth.log
      maxretry = 3
      bantime = 31536000


      in /etc/fail2ban/jail.conf










      share|improve this question















      Is there a way to automatically block IP address when a user tries to login as any invalid username? I already have:



      [ssh]

      enabled = true
      port = ssh
      filter = sshd
      logpath = /var/log/auth.log
      maxretry = 3
      bantime = 31536000


      in /etc/fail2ban/jail.conf







      networking security iptables fail2ban






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Oct 25 '15 at 4:51









      JakeGould

      19719




      19719










      asked Mar 20 '13 at 19:05









      slayton1213

      3027




      3027






















          5 Answers
          5






          active

          oldest

          votes


















          4














          I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot parameters and it also have a distributed database where you can send and receive other badhosts.



          Here's more detailed howto:



          Install denyhosts package (sudo apt-get install denyhosts)



          Look at the default configuration in /etc/denyhosts.conf, you might be interested in DENY_TRESHOLD_INVALID, DENY_TRESHOLD_VALID and DENY_TRESHOLD_ROOT options.



          As for the sync server it's disabled by default and you will need to enable it by uncommenting SYNC_SERVER option.



          It's also not bad to set PURGE_DENY option to 1w or something like that in case you block-out yourself, so the entry will get purge after one week and you will be able to login again.






          share|improve this answer































            4














            Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login. Regardless of how many times they try.



            In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.



            (This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)






            share|improve this answer



















            • 1




              I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
              – slayton1213
              Mar 20 '13 at 19:35












            • @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
              – Thomas Ward
              Mar 20 '13 at 19:41










            • yes this is correct.
              – slayton1213
              Mar 20 '13 at 19:41










            • OK, I can't answer THAT, i only answered the initial question, @slayton1213. I will probably delete this answer in the near future,as a result.
              – Thomas Ward
              Mar 20 '13 at 19:59



















            4














            This is deliberately not supported in fail2ban:




            In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?



            A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.




            I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?






            share|improve this answer





























              0














              First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:



              [INCLUDES]
              before = common.conf

              [Definition]
              _daemon = sshd

              failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port d+)?s*$
              ignoreregex =

              [Init]
              journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd


              Then enable it in jail.local:



              [sshd-invaliduser]
              enabled = true
              maxretry = 1
              port = ssh
              logpath = %(sshd_log)s
              backend = %(sshd_backend)s


              This works with fail2ban 0.9.6-2 on Debian 9.






              share|improve this answer





























                -1














                You can Enhance your security by enable roundcube section
                Roundcube does have captcha plugins available which will mitigate this, but users will complain if they have to type in a captcha to login for mail.



                Fail2ban provides an easy solution for this.



                First up, we need to add roundcube into /etc/fail2ban/jail.conf



                [roundcube]

                enabled = false

                port = http,https

                filter = roundcube

                action = iptables-multiport[name=roundcube, port="http,https"]

                logpath = [YOUR PATH TO ROUNDCUBE HERE]/logs/errors

                maxretry = 5

                findtime = 600

                bantime = 3600


                Change [YOUR PATH TO ROUNDCUBE HERE] in the above to your actual roundcube folder



                eg /home/roundcube/public_html/logs/errors



                Next, we need to create a filter.



                Add /etc/fail2ban/filter.d/roundcube.conf



                [Definition]

                failregex = IMAP Error: Login failed for . from <HOST>(. . in .?/rcube_imap.php on line d+ (S+ S+))?$

                ignoreregex =


                Now we have the basics in place, we need to test out our filter.
                For that, we use fail2ban-regex.



                Enjoy






                share|improve this answer























                • What is the relevance of this to using fail2ban for SSH?
                  – Gert van den Berg
                  Nov 12 at 14:35











                Your Answer








                StackExchange.ready(function() {
                var channelOptions = {
                tags: "".split(" "),
                id: "89"
                };
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function() {
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled) {
                StackExchange.using("snippets", function() {
                createEditor();
                });
                }
                else {
                createEditor();
                }
                });

                function createEditor() {
                StackExchange.prepareEditor({
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: true,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: 10,
                bindNavPrevention: true,
                postfix: "",
                imageUploader: {
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                },
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                });


                }
                });














                draft saved

                draft discarded


















                StackExchange.ready(
                function () {
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f270518%2ffail2ban-or-denyhosts-to-block-invalid-username-ssh-login-attempts%23new-answer', 'question_page');
                }
                );

                Post as a guest















                Required, but never shown

























                5 Answers
                5






                active

                oldest

                votes








                5 Answers
                5






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                4














                I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot parameters and it also have a distributed database where you can send and receive other badhosts.



                Here's more detailed howto:



                Install denyhosts package (sudo apt-get install denyhosts)



                Look at the default configuration in /etc/denyhosts.conf, you might be interested in DENY_TRESHOLD_INVALID, DENY_TRESHOLD_VALID and DENY_TRESHOLD_ROOT options.



                As for the sync server it's disabled by default and you will need to enable it by uncommenting SYNC_SERVER option.



                It's also not bad to set PURGE_DENY option to 1w or something like that in case you block-out yourself, so the entry will get purge after one week and you will be able to login again.






                share|improve this answer




























                  4














                  I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot parameters and it also have a distributed database where you can send and receive other badhosts.



                  Here's more detailed howto:



                  Install denyhosts package (sudo apt-get install denyhosts)



                  Look at the default configuration in /etc/denyhosts.conf, you might be interested in DENY_TRESHOLD_INVALID, DENY_TRESHOLD_VALID and DENY_TRESHOLD_ROOT options.



                  As for the sync server it's disabled by default and you will need to enable it by uncommenting SYNC_SERVER option.



                  It's also not bad to set PURGE_DENY option to 1w or something like that in case you block-out yourself, so the entry will get purge after one week and you will be able to login again.






                  share|improve this answer


























                    4












                    4








                    4






                    I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot parameters and it also have a distributed database where you can send and receive other badhosts.



                    Here's more detailed howto:



                    Install denyhosts package (sudo apt-get install denyhosts)



                    Look at the default configuration in /etc/denyhosts.conf, you might be interested in DENY_TRESHOLD_INVALID, DENY_TRESHOLD_VALID and DENY_TRESHOLD_ROOT options.



                    As for the sync server it's disabled by default and you will need to enable it by uncommenting SYNC_SERVER option.



                    It's also not bad to set PURGE_DENY option to 1w or something like that in case you block-out yourself, so the entry will get purge after one week and you will be able to login again.






                    share|improve this answer














                    I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot parameters and it also have a distributed database where you can send and receive other badhosts.



                    Here's more detailed howto:



                    Install denyhosts package (sudo apt-get install denyhosts)



                    Look at the default configuration in /etc/denyhosts.conf, you might be interested in DENY_TRESHOLD_INVALID, DENY_TRESHOLD_VALID and DENY_TRESHOLD_ROOT options.



                    As for the sync server it's disabled by default and you will need to enable it by uncommenting SYNC_SERVER option.



                    It's also not bad to set PURGE_DENY option to 1w or something like that in case you block-out yourself, so the entry will get purge after one week and you will be able to login again.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Mar 20 '13 at 21:55

























                    answered Mar 20 '13 at 20:16









                    oerdnj

                    6,8343148




                    6,8343148

























                        4














                        Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login. Regardless of how many times they try.



                        In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.



                        (This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)






                        share|improve this answer



















                        • 1




                          I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
                          – slayton1213
                          Mar 20 '13 at 19:35












                        • @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
                          – Thomas Ward
                          Mar 20 '13 at 19:41










                        • yes this is correct.
                          – slayton1213
                          Mar 20 '13 at 19:41










                        • OK, I can't answer THAT, i only answered the initial question, @slayton1213. I will probably delete this answer in the near future,as a result.
                          – Thomas Ward
                          Mar 20 '13 at 19:59
















                        4














                        Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login. Regardless of how many times they try.



                        In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.



                        (This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)






                        share|improve this answer



















                        • 1




                          I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
                          – slayton1213
                          Mar 20 '13 at 19:35












                        • @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
                          – Thomas Ward
                          Mar 20 '13 at 19:41










                        • yes this is correct.
                          – slayton1213
                          Mar 20 '13 at 19:41










                        • OK, I can't answer THAT, i only answered the initial question, @slayton1213. I will probably delete this answer in the near future,as a result.
                          – Thomas Ward
                          Mar 20 '13 at 19:59














                        4












                        4








                        4






                        Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login. Regardless of how many times they try.



                        In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.



                        (This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)






                        share|improve this answer














                        Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login. Regardless of how many times they try.



                        In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.



                        (This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)







                        share|improve this answer














                        share|improve this answer



                        share|improve this answer








                        edited Mar 20 '13 at 19:41

























                        answered Mar 20 '13 at 19:09









                        Thomas Ward

                        43.4k23120172




                        43.4k23120172








                        • 1




                          I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
                          – slayton1213
                          Mar 20 '13 at 19:35












                        • @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
                          – Thomas Ward
                          Mar 20 '13 at 19:41










                        • yes this is correct.
                          – slayton1213
                          Mar 20 '13 at 19:41










                        • OK, I can't answer THAT, i only answered the initial question, @slayton1213. I will probably delete this answer in the near future,as a result.
                          – Thomas Ward
                          Mar 20 '13 at 19:59














                        • 1




                          I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
                          – slayton1213
                          Mar 20 '13 at 19:35












                        • @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
                          – Thomas Ward
                          Mar 20 '13 at 19:41










                        • yes this is correct.
                          – slayton1213
                          Mar 20 '13 at 19:41










                        • OK, I can't answer THAT, i only answered the initial question, @slayton1213. I will probably delete this answer in the near future,as a result.
                          – Thomas Ward
                          Mar 20 '13 at 19:59








                        1




                        1




                        I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
                        – slayton1213
                        Mar 20 '13 at 19:35






                        I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
                        – slayton1213
                        Mar 20 '13 at 19:35














                        @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
                        – Thomas Ward
                        Mar 20 '13 at 19:41




                        @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
                        – Thomas Ward
                        Mar 20 '13 at 19:41












                        yes this is correct.
                        – slayton1213
                        Mar 20 '13 at 19:41




                        yes this is correct.
                        – slayton1213
                        Mar 20 '13 at 19:41












                        OK, I can't answer THAT, i only answered the initial question, @slayton1213. I will probably delete this answer in the near future,as a result.
                        – Thomas Ward
                        Mar 20 '13 at 19:59




                        OK, I can't answer THAT, i only answered the initial question, @slayton1213. I will probably delete this answer in the near future,as a result.
                        – Thomas Ward
                        Mar 20 '13 at 19:59











                        4














                        This is deliberately not supported in fail2ban:




                        In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?



                        A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.




                        I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?






                        share|improve this answer


























                          4














                          This is deliberately not supported in fail2ban:




                          In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?



                          A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.




                          I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?






                          share|improve this answer
























                            4












                            4








                            4






                            This is deliberately not supported in fail2ban:




                            In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?



                            A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.




                            I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?






                            share|improve this answer












                            This is deliberately not supported in fail2ban:




                            In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?



                            A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.




                            I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Jun 16 '13 at 11:01









                            supervacuo

                            1534




                            1534























                                0














                                First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:



                                [INCLUDES]
                                before = common.conf

                                [Definition]
                                _daemon = sshd

                                failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port d+)?s*$
                                ignoreregex =

                                [Init]
                                journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd


                                Then enable it in jail.local:



                                [sshd-invaliduser]
                                enabled = true
                                maxretry = 1
                                port = ssh
                                logpath = %(sshd_log)s
                                backend = %(sshd_backend)s


                                This works with fail2ban 0.9.6-2 on Debian 9.






                                share|improve this answer


























                                  0














                                  First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:



                                  [INCLUDES]
                                  before = common.conf

                                  [Definition]
                                  _daemon = sshd

                                  failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port d+)?s*$
                                  ignoreregex =

                                  [Init]
                                  journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd


                                  Then enable it in jail.local:



                                  [sshd-invaliduser]
                                  enabled = true
                                  maxretry = 1
                                  port = ssh
                                  logpath = %(sshd_log)s
                                  backend = %(sshd_backend)s


                                  This works with fail2ban 0.9.6-2 on Debian 9.






                                  share|improve this answer
























                                    0












                                    0








                                    0






                                    First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:



                                    [INCLUDES]
                                    before = common.conf

                                    [Definition]
                                    _daemon = sshd

                                    failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port d+)?s*$
                                    ignoreregex =

                                    [Init]
                                    journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd


                                    Then enable it in jail.local:



                                    [sshd-invaliduser]
                                    enabled = true
                                    maxretry = 1
                                    port = ssh
                                    logpath = %(sshd_log)s
                                    backend = %(sshd_backend)s


                                    This works with fail2ban 0.9.6-2 on Debian 9.






                                    share|improve this answer












                                    First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:



                                    [INCLUDES]
                                    before = common.conf

                                    [Definition]
                                    _daemon = sshd

                                    failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port d+)?s*$
                                    ignoreregex =

                                    [Init]
                                    journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd


                                    Then enable it in jail.local:



                                    [sshd-invaliduser]
                                    enabled = true
                                    maxretry = 1
                                    port = ssh
                                    logpath = %(sshd_log)s
                                    backend = %(sshd_backend)s


                                    This works with fail2ban 0.9.6-2 on Debian 9.







                                    share|improve this answer












                                    share|improve this answer



                                    share|improve this answer










                                    answered Nov 30 at 10:04









                                    cweiske

                                    2,56012033




                                    2,56012033























                                        -1














                                        You can Enhance your security by enable roundcube section
                                        Roundcube does have captcha plugins available which will mitigate this, but users will complain if they have to type in a captcha to login for mail.



                                        Fail2ban provides an easy solution for this.



                                        First up, we need to add roundcube into /etc/fail2ban/jail.conf



                                        [roundcube]

                                        enabled = false

                                        port = http,https

                                        filter = roundcube

                                        action = iptables-multiport[name=roundcube, port="http,https"]

                                        logpath = [YOUR PATH TO ROUNDCUBE HERE]/logs/errors

                                        maxretry = 5

                                        findtime = 600

                                        bantime = 3600


                                        Change [YOUR PATH TO ROUNDCUBE HERE] in the above to your actual roundcube folder



                                        eg /home/roundcube/public_html/logs/errors



                                        Next, we need to create a filter.



                                        Add /etc/fail2ban/filter.d/roundcube.conf



                                        [Definition]

                                        failregex = IMAP Error: Login failed for . from <HOST>(. . in .?/rcube_imap.php on line d+ (S+ S+))?$

                                        ignoreregex =


                                        Now we have the basics in place, we need to test out our filter.
                                        For that, we use fail2ban-regex.



                                        Enjoy






                                        share|improve this answer























                                        • What is the relevance of this to using fail2ban for SSH?
                                          – Gert van den Berg
                                          Nov 12 at 14:35
















                                        -1














                                        You can Enhance your security by enable roundcube section
                                        Roundcube does have captcha plugins available which will mitigate this, but users will complain if they have to type in a captcha to login for mail.



                                        Fail2ban provides an easy solution for this.



                                        First up, we need to add roundcube into /etc/fail2ban/jail.conf



                                        [roundcube]

                                        enabled = false

                                        port = http,https

                                        filter = roundcube

                                        action = iptables-multiport[name=roundcube, port="http,https"]

                                        logpath = [YOUR PATH TO ROUNDCUBE HERE]/logs/errors

                                        maxretry = 5

                                        findtime = 600

                                        bantime = 3600


                                        Change [YOUR PATH TO ROUNDCUBE HERE] in the above to your actual roundcube folder



                                        eg /home/roundcube/public_html/logs/errors



                                        Next, we need to create a filter.



                                        Add /etc/fail2ban/filter.d/roundcube.conf



                                        [Definition]

                                        failregex = IMAP Error: Login failed for . from <HOST>(. . in .?/rcube_imap.php on line d+ (S+ S+))?$

                                        ignoreregex =


                                        Now we have the basics in place, we need to test out our filter.
                                        For that, we use fail2ban-regex.



                                        Enjoy






                                        share|improve this answer























                                        • What is the relevance of this to using fail2ban for SSH?
                                          – Gert van den Berg
                                          Nov 12 at 14:35














                                        -1












                                        -1








                                        -1






                                        You can Enhance your security by enable roundcube section
                                        Roundcube does have captcha plugins available which will mitigate this, but users will complain if they have to type in a captcha to login for mail.



                                        Fail2ban provides an easy solution for this.



                                        First up, we need to add roundcube into /etc/fail2ban/jail.conf



                                        [roundcube]

                                        enabled = false

                                        port = http,https

                                        filter = roundcube

                                        action = iptables-multiport[name=roundcube, port="http,https"]

                                        logpath = [YOUR PATH TO ROUNDCUBE HERE]/logs/errors

                                        maxretry = 5

                                        findtime = 600

                                        bantime = 3600


                                        Change [YOUR PATH TO ROUNDCUBE HERE] in the above to your actual roundcube folder



                                        eg /home/roundcube/public_html/logs/errors



                                        Next, we need to create a filter.



                                        Add /etc/fail2ban/filter.d/roundcube.conf



                                        [Definition]

                                        failregex = IMAP Error: Login failed for . from <HOST>(. . in .?/rcube_imap.php on line d+ (S+ S+))?$

                                        ignoreregex =


                                        Now we have the basics in place, we need to test out our filter.
                                        For that, we use fail2ban-regex.



                                        Enjoy






                                        share|improve this answer














                                        You can Enhance your security by enable roundcube section
                                        Roundcube does have captcha plugins available which will mitigate this, but users will complain if they have to type in a captcha to login for mail.



                                        Fail2ban provides an easy solution for this.



                                        First up, we need to add roundcube into /etc/fail2ban/jail.conf



                                        [roundcube]

                                        enabled = false

                                        port = http,https

                                        filter = roundcube

                                        action = iptables-multiport[name=roundcube, port="http,https"]

                                        logpath = [YOUR PATH TO ROUNDCUBE HERE]/logs/errors

                                        maxretry = 5

                                        findtime = 600

                                        bantime = 3600


                                        Change [YOUR PATH TO ROUNDCUBE HERE] in the above to your actual roundcube folder



                                        eg /home/roundcube/public_html/logs/errors



                                        Next, we need to create a filter.



                                        Add /etc/fail2ban/filter.d/roundcube.conf



                                        [Definition]

                                        failregex = IMAP Error: Login failed for . from <HOST>(. . in .?/rcube_imap.php on line d+ (S+ S+))?$

                                        ignoreregex =


                                        Now we have the basics in place, we need to test out our filter.
                                        For that, we use fail2ban-regex.



                                        Enjoy







                                        share|improve this answer














                                        share|improve this answer



                                        share|improve this answer








                                        edited Oct 25 '15 at 7:53









                                        mchid

                                        22.6k25084




                                        22.6k25084










                                        answered Apr 30 '15 at 4:37







                                        user402960



















                                        • What is the relevance of this to using fail2ban for SSH?
                                          – Gert van den Berg
                                          Nov 12 at 14:35


















                                        • What is the relevance of this to using fail2ban for SSH?
                                          – Gert van den Berg
                                          Nov 12 at 14:35
















                                        What is the relevance of this to using fail2ban for SSH?
                                        – Gert van den Berg
                                        Nov 12 at 14:35




                                        What is the relevance of this to using fail2ban for SSH?
                                        – Gert van den Berg
                                        Nov 12 at 14:35


















                                        draft saved

                                        draft discarded




















































                                        Thanks for contributing an answer to Ask Ubuntu!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid



                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.


                                        To learn more, see our tips on writing great answers.





                                        Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                                        Please pay close attention to the following guidance:


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid



                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.


                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function () {
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f270518%2ffail2ban-or-denyhosts-to-block-invalid-username-ssh-login-attempts%23new-answer', 'question_page');
                                        }
                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        How to change which sound is reproduced for terminal bell?

                                        Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

                                        Can I use Tabulator js library in my java Spring + Thymeleaf project?