About fail2ban
We install fail2ban on all our cloud-hosted servers. It continuously monitors log files and is triggered by the filters nominated in its configuration files. By default we monitor ssh and turbovnc. It is set up to ban an IP address for one week after the wrong password is entered 5 times within 10 minutes, and the ban covers the whole IP address, not just the port the attacker connected to. This means that if someone tries to guess an ssh password and gets it wrong 5 times, all ports on the server, including web and vnc, are blocked for that address for a week. Note that the whole-address behaviour depends on banaction being set to %(banaction_allports)s; fail2ban's stock default action (iptables-multiport) only blocks the ports belonging to the jail that triggered. On some servers we customise these values. The settings are in
/etc/fail2ban/jail.local
Here are some important values:

bantime  = 604800   ; one week
findtime = 600      ; if maxretry wrong passwords are entered within this period it is treated as an intrusion
maxretry = 5

[turbovnc]
logpath   = /u/*/usr/*/.vnc/*.log   ; location of the vnc log files
enabled   = true
maxretry  = 3                       ; override the default
banaction = %(banaction_allports)s
The following is the filter file for turbovnc, /etc/fail2ban/filter.d/turbovnc.conf:
# Fail2Ban filter for failure attempts in TurboVNC
#
# Author: Jon Co

[Definition]
failregex = rfbVncAuthProcessResponse: authentication failed from <HOST>
ignoreregex =

[Init]
#datepattern = %%d/%%m/%%Y %%H:%%M:%%S
#%Y-%m-%d %H:%M(?::%S)?.

# Sample log line this filter matches:
#23/03/2019 01:40:01 rfbVncAuthProcessResponse: authentication failed from 212.83.172.140
The above filter has been tested to work with our custom-compiled TurboVNC server. If the regex or the TurboVNC log format ever changes, re-check it with fail2ban-regex against a real .vnc log file before relying on it.
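To see how the filter and the jail thresholds above interact, here is an added Python example (it is not part of fail2ban or of our configuration) that replays constructed TurboVNC log lines through the failregex from turbovnc.conf and then applies the maxretry/findtime rules from jail.local, comparing the default maxretry = 5 with the turbovnc override of 3. Like fail2ban, it splits the timestamp off each line first and matches the regex against the remainder. The <HOST> expansion, the sample addresses and timestamps, and the sliding-window counting are assumptions: fail2ban's own <HOST> pattern and its ticket bookkeeping are more elaborate, so treat this as an illustration of the thresholds, not a replacement for fail2ban-regex.

```python
"""Replay TurboVNC log lines through the fail2ban turbovnc failregex and the
jail's maxretry/findtime thresholds.

Added example code; it is not part of fail2ban or of the servers' configuration.
It approximates fail2ban's failure counting with a simple sliding window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex as written in /etc/fail2ban/filter.d/turbovnc.conf.
FAILREGEX = r"rfbVncAuthProcessResponse: authentication failed from <HOST>"

# fail2ban substitutes its own host-matching group for <HOST>; this simplified
# pattern (an assumption, not fail2ban's exact expansion) accepts IPv4/IPv6
# literals and hostnames.
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+|[\w\-.]+)"

# Timestamp layout of the TurboVNC log line quoted in the filter file; this is
# the commented-out datepattern %%d/%%m/%%Y %%H:%%M:%%S in strptime form.
DATE_FMT = "%d/%m/%Y %H:%M:%S"
DATE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")

# Constructed sample log (addresses from the RFC 5737 documentation ranges,
# times made up) in the format of the real entry quoted in the filter.
SAMPLE_LOG = """\
23/03/2019 01:40:01 rfbVncAuthProcessResponse: authentication failed from 198.51.100.23
23/03/2019 01:41:10 rfbVncAuthProcessResponse: authentication failed from 198.51.100.23
23/03/2019 01:42:30 rfbVncAuthProcessResponse: authentication failed from 198.51.100.23
23/03/2019 01:43:00 rfbVncAuthProcessResponse: authentication failed from 203.0.113.7
23/03/2019 01:43:05 Got connection from client 192.0.2.44
23/03/2019 01:55:00 rfbVncAuthProcessResponse: authentication failed from 203.0.113.7
23/03/2019 02:10:00 rfbVncAuthProcessResponse: authentication failed from 203.0.113.7
"""


def compile_failregex(failregex=FAILREGEX):
    """Expand the <HOST> tag and compile the filter's failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_failures(log_text, failregex=FAILREGEX):
    """Return a list of (timestamp, host) for every line matching failregex.

    As fail2ban does, the timestamp is split off first and the regex is
    matched against the rest of the line, so failregex need not match the date.
    Lines without a recognised timestamp or without a match are ignored.
    """
    rx = compile_failregex(failregex)
    failures = []
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), DATE_FMT)
        hit = rx.search(m.group(2))
        if hit:
            failures.append((ts, hit.group("host")))
    return failures


def ban_times(failures, maxretry, findtime, bantime=604800):
    """Return {host: (ban_start, ban_end)} for hosts that reach maxretry
    failures within a findtime-second window (sliding window; a simplified
    stand-in for fail2ban's ticket bookkeeping).  Only the first ban per host
    is recorded; failures during an active ban are ignored here.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(failures):
        if host in banned:
            continue
        hits = [t for t in recent[host] if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned[host] = (ts, ts + timedelta(seconds=bantime))
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} authentication failures parsed")
    # Default thresholds from jail.local: maxretry = 5 within findtime = 600.
    print("default jail (maxretry=5):", ban_times(fails, 5, 600))
    # The [turbovnc] jail overrides maxretry to 3.
    print("turbovnc jail (maxretry=3):", ban_times(fails, 3, 600))
```

With the constructed log, 198.51.100.23 fails three times inside ten minutes, so it is banned under the turbovnc jail's maxretry = 3 but would not be under the default maxretry = 5; 203.0.113.7 also fails three times, but spread over 27 minutes, so it never has three failures inside one findtime window and is not banned by either. The "Got connection" line shows that lines not matching failregex are simply ignored, which is why the regex must be tight enough to match only genuine authentication failures.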
