Fail2Ban is one of the most widely used tools for stopping attacks on Linux servers: it scans log files and blocks the offending IP addresses in the firewall. It is designed to run locally on a single server, but it can be extended into a centralized Fail2Ban system in which all servers in a group share a common list of IP addresses to block.
Instead of each server reacting on its own, the group becomes proactive: an attacker banned on one server is blocked on all the others before it reaches them, which matters because the same attacker often targets many servers.
A centralized Fail2Ban system is straightforward to build for the handy. What is needed is a centrally located database, something that triggers an update of the database when a ban occurs, and something on each server that retrieves the shared list and blocks the addresses in the firewall. Every part must be done securely: the shared list is a trust boundary, since an entry pushed by one server ends up in the firewall of all the others, so writes to the database must be authenticated and each server should validate entries before applying them.
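The retrieving and blocking side of that design, as an added example that is not code from the eBook: the script reads the shared ban list (constructed sample rows embedded below, in an assumed "ip,jail,unix_timestamp" format that in a real deployment would be fetched over TLS from the central database), validates every row as untrusted input, and turns the survivors into ipset commands with a per-entry timeout. The set names, the 24-hour ban age, the allowlist values and the sample addresses are all assumptions for illustration. The push side, a Fail2Ban action whose actionban calls a small client with the <ip> and <name> tags, is not shown.

```python
"""Pull side of a centralized Fail2Ban setup: read the shared ban list,
validate every row, and translate the survivors into ipset commands.

Added example, not code from the eBook. Row format, set names, ban age,
allowlist and sample addresses are assumptions for illustration.
"""
import ipaddress
import re
import shlex
import subprocess
import sys
import time

SET_V4 = "f2b-shared"        # assumed ipset names; a hash:ip set holds one family
SET_V6 = "f2b-shared6"
MAX_BAN_AGE = 24 * 3600      # assumed: a shared ban expires after one day
JAIL_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # jail name ends up in ipset comments

# Addresses this host must never block, whatever the central list says.
# Constructed values standing in for a management network and a monitoring host.
ALLOWLIST = [
    ipaddress.ip_network("5.6.7.0/24"),
    ipaddress.ip_network("2a00:ffff::10/128"),
]

# Constructed sample rows (ip,jail,unix_timestamp); the addresses are arbitrary.
SAMPLE_ROWS = (
    "# constructed rows: ip,jail,unix_timestamp\n"
    "1.2.3.4,sshd,1699999000\n"            # accepted
    "10.0.0.7,sshd,1699999000\n"           # dropped: not a global address
    "5.6.7.8,sshd,1699999000\n"            # dropped: allowlisted
    "1.2.3.0/24,sshd,1699999000\n"         # dropped: a CIDR, not a single address
    "1.2.3.5,sshd,1699000000\n"            # dropped: older than MAX_BAN_AGE
    "1.2.3.6,sshd;rm -rf /,1699999000\n"   # dropped: jail name fails validation
    "garbage line\n"                       # dropped: malformed row
    "2a00::1,postfix,1699999500\n"         # accepted (IPv6 set)
)


def parse_banlist(text, now=None):
    """Return (ip, jail, ttl_seconds) tuples for the rows that pass validation.

    Every row is untrusted: a compromised or misconfigured peer could push
    garbage, a whole-Internet CIDR, or this server's own addresses, so each
    field is checked and bad rows are dropped rather than guessed at.
    """
    now = time.time() if now is None else now
    accepted = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue                                   # malformed row
        raw_ip, jail, raw_ts = parts
        try:
            ip = ipaddress.ip_address(raw_ip)          # rejects CIDRs, hostnames, junk
            banned_at = int(raw_ts)
        except ValueError:
            continue
        if not ip.is_global:
            continue                                   # private, loopback, link-local, reserved
        if any(ip in net for net in ALLOWLIST):
            continue
        if not JAIL_RE.match(jail):
            continue
        age = now - banned_at
        if age > MAX_BAN_AGE or age < -300:
            continue                                   # stale, or a clock far in the future
        accepted.append((str(ip), jail, int(MAX_BAN_AGE - age)))
    return accepted


def ipset_commands(entries, max_age=MAX_BAN_AGE):
    """Build ipset argv lists: create both family sets, then add each entry with its TTL."""
    cmds = [
        ["ipset", "-exist", "create", SET_V4, "hash:ip", "family", "inet",
         "timeout", str(max_age), "comment"],
        ["ipset", "-exist", "create", SET_V6, "hash:ip", "family", "inet6",
         "timeout", str(max_age), "comment"],
    ]
    for ip, jail, ttl in entries:
        set_name = SET_V6 if ":" in ip else SET_V4
        cmds.append(["ipset", "-exist", "add", set_name, ip,
                     "timeout", str(max(ttl, 1)), "comment", jail])
    return cmds


def apply_commands(cmds, dry_run=True):
    """Run the commands (needs root) unless dry_run; return them rendered for logging."""
    rendered = [" ".join(shlex.quote(a) for a in c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)              # argv list, no shell: nothing to inject
    return rendered


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROWS
    for line in apply_commands(ipset_commands(parse_banlist(text))):
        print(line)
```

Run without arguments it prints the ipset commands for the embedded sample in dry-run mode; pass a file to process a real list and set dry_run=False to apply. The sets only bite once the firewall references them, for example with iptables: `-m set --match-set f2b-shared src -j DROP` (and the same with ip6tables for f2b-shared6). On a RHEL 8 host running firewalld, the same pattern applies with an ipset managed by firewall-cmd instead of raw ipset calls.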
We have now written an eBook (PDF) that describes, with examples, a complete solution (the one we use ourselves). You can buy the eBook via Stripe for only €5 by clicking on this link. IMPORTANT! The download link for the eBook is shown in the online receipt at the time of purchase; copy the link and save it, for example in a text file, before clicking on it.
In the examples in the eBook, a RHEL 8 server is used (they should also work on all clones based on RHEL), together with a MySQL database and PHP. The examples should not be hard to translate to other systems, and what is described for Fail2Ban itself applies to all Linux distributions.
What is described in the eBook is not a complete turnkey system: you need to handle all the security around it yourself, and adapt the example code etc. to your specific environment and your specific needs.
PS. We are security experts, contact us when you need help!