Many common administrative services such as VPN and SSH are exposed on well-known port numbers, which unfortunately makes it easy for attackers to run automated tools against them. Countermeasures such as Fail2Ban can block a source address after a few failed login attempts.
Installation Steps:
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local
Update in jail.local:
destemail
sender
OPTIONAL:
Splunk:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/fail2ban.log -index main -sourcetype Fail2Ban
Splunk (manual):
sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///var/log/fail2ban.log]
disabled = false
index = main
sourcetype = Fail2Ban

Restart Fail2Ban to apply the jail.local changes:
sudo service fail2ban restart
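Once /var/log/fail2ban.log is being forwarded, it helps to know what fields the Fail2Ban sourcetype actually carries. The following added example (not part of the original notes) parses the Fail2Ban action log format into timestamp, jail, action and IP, and summarises bans per jail; the log lines, PID and jail names are constructed samples using RFC 5737 test addresses.

```python
"""Parse Fail2Ban action log lines (the /var/log/fail2ban.log file that the
Splunk monitor ingests) into fields and summarise bans per jail."""
import re
from collections import Counter
from datetime import datetime

# Fail2Ban action line format:
# "<date> <time>,<ms> fail2ban.actions [pid]: <LEVEL> [<jail>] <Ban|Unban|Restore Ban> <ip>"
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"fail2ban\.actions\s+\[\d+\]:\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<action>Restore Ban|Unban|Ban)\s+(?P<ip>\S+)$"
)

def parse_action(line):
    """Return a dict of fields for a Ban/Unban line, or None for anything else
    (fail2ban.filter 'Found' lines, startup messages, etc.)."""
    m = ACTION_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def summarise(lines):
    """Count ban events per jail and return the addresses still banned at the
    end of the log (a later Unban removes an earlier Ban)."""
    bans_per_jail = Counter()
    banned = {}  # ip -> jail
    for line in lines:
        rec = parse_action(line)
        if rec is None:
            continue
        if rec["action"] in ("Ban", "Restore Ban"):
            bans_per_jail[rec["jail"]] += 1
            banned[rec["ip"]] = rec["jail"]
        else:
            banned.pop(rec["ip"], None)
    return dict(bans_per_jail), banned

# Constructed sample lines in the Fail2Ban log format; 'openvpn' is a sample jail name
SAMPLE_LOG = """\
2024-03-01 08:15:02,113 fail2ban.filter         [912]: INFO    [sshd] Found 203.0.113.7 - 2024-03-01 08:15:01
2024-03-01 08:15:09,420 fail2ban.actions        [912]: NOTICE  [sshd] Ban 203.0.113.7
2024-03-01 08:16:44,001 fail2ban.actions        [912]: NOTICE  [sshd] Ban 198.51.100.23
2024-03-01 08:20:10,555 fail2ban.actions        [912]: NOTICE  [openvpn] Ban 192.0.2.44
2024-03-01 08:25:09,430 fail2ban.actions        [912]: NOTICE  [sshd] Unban 203.0.113.7
""".splitlines()

if __name__ == "__main__":
    per_jail, still_banned = summarise(SAMPLE_LOG)
    print(per_jail)       # {'sshd': 2, 'openvpn': 1}
    print(still_banned)   # {'198.51.100.23': 'sshd', '192.0.2.44': 'openvpn'}
```

The same regex groups map directly onto a Splunk field extraction for the Fail2Ban sourcetype, so the two views of the data agree.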