fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.
1. Install fail2ban
apt-get install fail2ban
2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.
You can tail the fail2ban log file to monitor actions:
tail -f /var/log/fail2ban.log
2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18
3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)
ignoreip = 127.0.0.1 192.168.1.0/24
Modify the ignoreip property and type a list of IP addresses or networks seperated by a space.
4. Restart fail2ban (only required if you modified the ignoreip property)