Fail2Ban

Fail2Ban is a third-party program that runs in the background and monitors logs. When specific log lines (such as the authentication challenge line shown previously) are seen a certain number of times, Fail2Ban takes an action. It can be programmed to e-mail you with an alert, or to use iptables to automatically block an offending IP address after too many attempts occur within a certain period of time.

This book is not intended to be a complete guide to using Fail2Ban. However, some sample scripts are given later in the chapter.

To configure Fail2Ban you will need to create several files which instruct Fail2Ban what to look for in your logs and what to do when it finds a match.

Fail2Ban's default configuration has a folder where you can place filters. These filters contain patterns which are matched against your logs. You can have as many filters as you want, each looking for a different type of suspicious traffic in your logs. When combined with FreeSWITCH's error log, which records invalid login attempts, this becomes a useful filtering mechanism.

The second file, known as the jail configuration file, applies the filters to rules such as how often an error is allowed to occur and what action to take once that threshold has been exceeded. The jail configuration file effectively specifies how to react when a filter matches.
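To make the filter/jail split concrete, here is an added example (not from the book or from Fail2Ban itself) that reads a filter definition in the shape of a `filter.d/*.conf` file and applies jail-style `maxretry`/`findtime` thresholds to constructed log lines. The FreeSWITCH auth-failure line format, the `sofia_reg.c` prefix, the IP addresses and the threshold values are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from configparser import ConfigParser
from datetime import datetime

# Filter in the shape of a filter.d/*.conf file. The log line it matches is a
# constructed approximation of a FreeSWITCH SIP auth-failure warning.
FILTER_CONF = r"""
[Definition]
failregex = \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \(\w+\) on sofia profile '\w+' for \[[^\]]*\] from ip <HOST>
ignoreregex =
"""
# Jail settings in the spirit of a jail.local entry (assumed values).
MAXRETRY, FINDTIME = 5, 600

def compile_failregex(conf_text):
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Fail2Ban's <HOST> tag marks the address to act on; emulate it here.
    return re.compile(cp["Definition"]["failregex"].replace("<HOST>", r"(?P<host>\S+)"))

def offenders(log_lines, conf_text=FILTER_CONF, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts whose failregex hits reach maxretry within one findtime window,
    i.e. the addresses a jail would hand to its ban action."""
    rx = compile_failregex(conf_text)
    recent, banned = defaultdict(deque), set()
    for line in log_lines:
        m = rx.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        q = recent[m["host"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m["host"])
    return banned

def _fail(ts, user, ip):  # build one constructed auth-failure log line
    return (f"{ts} [WARNING] sofia_reg.c:1234 SIP auth failure (REGISTER) "
            f"on sofia profile 'internal' for [{user}@192.0.2.5] from ip {ip}")

SAMPLE_LOG = (  # constructed sample log
    # 198.51.100.7: six failures within one minute -> reaches maxretry
    [_fail(f"2024-01-15 10:00:{s:02d}.000000", "1001", "198.51.100.7") for s in range(0, 60, 10)]
    # 192.0.2.44: five failures spread over 40 minutes -> never 5 inside findtime
    + [_fail(f"2024-01-15 10:{m:02d}:00.000000", "1002", "192.0.2.44") for m in (0, 10, 20, 30, 40)]
    # a successful registration line that must not match the filter
    + ["2024-01-15 10:01:00.000000 [INFO] sofia_reg.c:1234 user 1003@192.0.2.5 registered"]
)
```

Tuning `findtime` or `maxretry` in the jail changes which hosts are reported without touching the filter, which is exactly the separation the two files give you.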
