
May 20, 2007

Block login failures on Linux

If you run a Linux server with SSH access and need to block IP addresses after a certain number of failed attempts, I would recommend fail2ban, an open-source module that needs little customization to get running.

It runs as a service in the background, so it provides real-time log supervision, and it can check not only for failed SSH attempts but also SMTP, HTTP, and others.

Here I will just explain how to make it check for failed SSH attempts on a Fedora box.

From the command line, type:

Server:# yum install fail2ban

This will install all the modules and software needed to install and run fail2ban.

Once installed, it places the configuration file in /etc/fail2ban.conf

Then, with your favorite editor, you can edit this file. It is well documented and needs little explanation of how it works, but I'll give you the basics to block unwanted SSH access.

[DEFAULT]
maxfailures = number of failures before an IP gets banned. Defaults to 5, but you can set this value to whatever number you like.
bantime = number of seconds an IP will be banned. If set to a negative value, the IP will never be unbanned (permanent banning). Defaults to 600 (10 min).
ignoreip = space-separated list of IPs to be ignored by fail2ban. No default.
Here you can add your own IP address to avoid getting blocked in case you forget your password.

Then you can go to the SSH section, set enabled to true, and add the corresponding value for the logfile variable:

[SSH]
enabled = true
logfile = /var/log/secure
port = ssh
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)


The fail2ban log can be found at /var/log/fail2ban.log unless you specify another location.
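To check what these settings will catch before enabling them, the following added example (not part of the original post and not fail2ban's own code) runs the [SSH] timeregex and failregex, written with their regex backslashes and the `host` group name, over constructed log lines and applies maxfailures and ignoreip. The function names, sample lines and addresses are assumptions; it counts over the whole sample and does no banning or time-window handling.

```python
import re
from collections import Counter

# The [SSH] patterns from the configuration, as Python raw strings.
TIMEREGEX = re.compile(r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
FAILREGEX = re.compile(
    r": (?:(?:Authentication failure|Failed [-/\w+]+) for"
    r"(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user"
    r"|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)"
)

# Constructed /var/log/secure lines (documentation-range addresses, not real logs).
SAMPLE_LOG = "\n".join(
    [f"May 20 10:01:0{i} server sshd[2101]: Failed password for root "
     f"from 203.0.113.7 port 4242 ssh2" for i in range(3)]
    + ["May 20 10:01:05 server sshd[2102]: Invalid user admin from 203.0.113.7",
       "May 20 10:01:06 server sshd[2102]: Failed password for invalid user admin "
       "from ::ffff:203.0.113.7 port 4250 ssh2",
       "May 20 10:02:00 server sshd[2110]: Failed password for alice "
       "from 198.51.100.4 port 5000 ssh2",
       "May 20 10:02:04 server sshd[2110]: Accepted password for alice "
       "from 198.51.100.4 port 5000 ssh2"]
    + [f"May 20 10:03:0{i} server sshd[2120]: Failed password for bob "
       f"from 192.0.2.10 port 6000 ssh2" for i in range(5)]
)


def failed_hosts(log_text):
    """Yield the captured host for each timestamped line the failregex matches."""
    for line in log_text.splitlines():
        match = TIMEREGEX.search(line) and FAILREGEX.search(line)
        if match and match.group("host"):
            yield match.group("host")


def hosts_to_ban(log_text, maxfailures=5, ignoreip=""):
    """Hosts with at least maxfailures failures, skipping ignoreip entries.

    Assumption: a ban triggers once the failure count reaches maxfailures.
    """
    ignored = set(ignoreip.split())  # space-separated list, as in [DEFAULT]
    counts = Counter(h for h in failed_hosts(log_text) if h not in ignored)
    return sorted(h for h, n in counts.items() if n >= maxfailures)


if __name__ == "__main__":
    # With the admin's own address in ignoreip, only the other host is listed.
    print(hosts_to_ban(SAMPLE_LOG, maxfailures=5, ignoreip="192.0.2.10"))
```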


I hope this helps you solve your security problem.