Intrusion Detection System (IDS)

I started working on our IDS back in 2010 to help stop spammers and hackers from reaching our server. Its main software is Fail2ban, which is a log file scanner that allows you to take actions, such as banning spammers, when some text is matched in a log. For those who want to set up a similar system on their own Linux based server I've provided my files with a brief description. It's not a HOWTO but there's plenty of resources for you to work it out yourself.


I presume you're already running the following types of services that Fail2ban can analyze:

  • Iptables to create firewall rules
  • Apache Web Server
  • MySQL database
  • Postfix Mail Server using spam databases like www.barracudacentral.org
  • Clam AV antivirus
  • PAM (Pluggable Authentication Modules for Linux)
  • E107 or Wordpress CMS (Content Management System)

These are the resources you'll need to get an IDS working that looks like this:

  • A Google Maps API key so you can draw the map
  • Fail2ban (On Fedora Linux you install it with: dnf install fail2ban)
  • Fail2sql so you can store the bans in a MySQL database and use a GEOIP database to locate where the servers are
  • A copy of my IDS web files so you can see how I make the web page (Updated 21/06/2016)
  • A copy of my fail2ban configuration files so you can see how I've written my rules (Updated 21/06/2016)
  • A copy of my fail2sql files so you can see how I've configured it to use GEOIP database (Updated 21/06/2016)
  • You might also need a copy of my sql (Updated 21/10/2016)
  • Add this to your root cron jobs to regularly update the GEOIP database:
    @monthly /usr/local/fail2sql/fail2sql -u > /dev/null 2>&1


Once you have fail2ban working you're going to want to create your own rules. Though fail2ban comes with lots of great sample scripts, the real power comes from creating your own. First, to keep things simple, only create one rule in /etc/fail2ban/jail.conf.


For example, here's my rule for scanning the mail server's logs:

[sp-postfix]
enabled = true
action = iptables-multiport[name=sp-postfix, port="110,143,995,993,25,465,587,22,21,20", protocol=tcp]
filter = sp-postfix
logpath = /var/log/maillog
maxretry = 2
bantime = 864000
findtime = 7200

The "action =" bit means: Use /etc/fail2ban/action.d/iptables-multiport.conf actions to block ports 110,143,995,993,25,465,587,22,21,20 when a rule in the sp-postfix filter is matched.

The "bantime = 864000" means: Ban the server that was matched by the sp-postfix filter for 864000 seconds (10 days). The "maxretry = 2" and "findtime = 7200" lines mean the ban only happens once the filter has matched the same server twice within 7200 seconds (2 hours).

In /etc/fail2ban/jail.conf you can also put in a rule to exclude IPs from being banned by any of the filters, such as your office IP. I exclude all NZ IP addresses and large companies like Google. Here's my rule:

ignoreip =


Next you need to understand your sp-postfix filter. Here's how I write my rules:

  1. I get a spam message and have a look at the source code and see that it came from smtp7.ymlpsrvr.com
  2. I then grep that name in my mail server's logs (/var/log/maillog) and see this line:
    Jul 21 16:00:57 vs4-c6 postfix/smtpd[15951]: EC74729A6: client=smtp7.ymlpsrvr.com[]
  3. To block mail coming from any of ymlpsrvr.com's servers I just write a Regular expression in /etc/fail2ban/filter.d/sp-postfix.conf that looks like this:
    failregex = client=.*ymlpsrvr\.com\[<HOST>\]

What this means is:

  1. Scan every line of /var/log/maillog for the bit that says client=
  2. .* means keep searching forward in the line
  3. The \[<HOST>\] bit is the remote server's IP address in square brackets; fail2ban expands <HOST> into its own address-matching pattern and bans whatever it captures there
  4. If the line contains the letters ymlpsrvr.com directly in front of that bracketed address then this rule will enact the action in /etc/fail2ban/action.d/iptables-multiport.conf which is to use iptables to ban the server

There are also rules to ignore. I use these ones to make sure I never ban important servers like Google:

ignoreregex = client=.*googlebot.*\[<HOST>\]
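
To see how the jail settings and the two filter lines work together, here is an added Python example (my own illustration for this page, not the author's files or fail2ban's code) that mimics fail2ban's matching loop over a few constructed maillog lines: it expands <HOST> the way fail2ban does (simplified to IPv4 only, an assumption), applies failregex and ignoreregex, honours an ignoreip list, and counts matches per address against maxretry and findtime. The IP addresses, the "office" range in IGNOREIP and the log lines are all constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> with a pattern that matches IPv4, IPv6 or a hostname.
# This stand-in only handles IPv4 (assumption made for the example).
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two lines from /etc/fail2ban/filter.d/sp-postfix.conf.
FAILREGEX = r"client=.*ymlpsrvr\.com\[<HOST>\]"
IGNOREREGEX = r"client=.*googlebot.*\[<HOST>\]"

# Settings from the sp-postfix jail; IGNOREIP is a constructed "office" range.
MAXRETRY = 2
FINDTIME = 7200  # seconds
IGNOREIP = ["127.0.0.1/8", "203.0.113.0/24"]

# Constructed maillog lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "Jul 21 16:00:57 vs4-c6 postfix/smtpd[15951]: EC74729A6: client=smtp7.ymlpsrvr.com[198.51.100.7]",
    "Jul 21 16:05:12 vs4-c6 postfix/smtpd[15951]: 1A2B3C4D5: client=smtp7.ymlpsrvr.com[198.51.100.7]",
    "Jul 21 16:06:00 vs4-c6 postfix/smtpd[15960]: 2B3C4D5E6: client=smtp9.ymlpsrvr.com[198.51.100.9]",
    "Jul 21 16:07:30 vs4-c6 postfix/smtpd[15961]: 3C4D5E6F7: client=crawl-66-249-66-1.googlebot.com[66.249.66.1]",
    "Jul 21 16:08:00 vs4-c6 postfix/smtpd[15962]: 4D5E6F7A8: client=mail.example.net[192.0.2.10]",
    "Jul 21 16:09:00 vs4-c6 postfix/smtpd[15963]: 5E6F7A8B9: client=smtp1.ymlpsrvr.com[203.0.113.5]",
    "Jul 21 16:09:30 vs4-c6 postfix/smtpd[15963]: 6F7A8B9C0: client=smtp1.ymlpsrvr.com[203.0.113.5]",
    "Jul 23 16:10:00 vs4-c6 postfix/smtpd[15970]: 7A8B9C0D1: client=smtp9.ymlpsrvr.com[198.51.100.9]",
]


def compile_filter(pattern):
    """Expand the <HOST> tag and compile the resulting regex."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def is_ignored_ip(ip, ignoreip=IGNOREIP):
    """True if the address falls inside any ignoreip entry (host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def parse_time(line, year=2016):
    """Syslog timestamps carry no year, so one is assumed (fail2ban does the same)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX,
         maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return the set of addresses that would be banned by this jail."""
    fail_re = compile_filter(failregex)
    ignore_re = compile_filter(ignoreregex)
    hits = defaultdict(list)  # ip -> timestamps of matches still inside findtime
    banned = set()
    for line in lines:
        if ignore_re.search(line):  # ignoreregex wins before failregex is tried
            continue
        match = fail_re.search(line)
        if not match:
            continue
        ip = match.group("host")
        if is_ignored_ip(ip, ignoreip):  # ignoreip exempts the address entirely
            continue
        now = parse_time(line)
        # Keep only matches inside the findtime window, then add this one.
        recent = [t for t in hits[ip] if (now - t).total_seconds() <= findtime]
        hits[ip] = recent + [now]
        if len(hits[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    # 198.51.100.7 is banned (two matches 5 minutes apart); 198.51.100.9 is not,
    # because its two matches are two days apart; 203.0.113.5 is in ignoreip.
    print(sorted(scan(SAMPLE_LOG)))
```

On the real server the same check is done with the tool fail2ban ships: `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sp-postfix.conf` reports how many lines the failregex matched and how many were skipped by the ignoreregex, which is the quickest way to confirm a new filter before enabling its jail.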

That's about it. If you have any questions, leave them in the blog comments.