Fail2ban scans log files and bans IPs that show malicious signs, such as too many password failures or probing for exploits. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. Out of the box, Fail2Ban comes with filters for various services (Apache, Courier, SSH, etc.).
Fail2Ban client manual pages:
user@host:~$ man fail2ban-client
Fail2Ban server manual pages:
user@host:~$ man fail2ban-server
Fail2Ban regular expression manual pages:
user@host:~$ man fail2ban-regex
To install Fail2Ban on Debian:
root@host:~$ apt-get update
root@host:~$ apt-get -y install fail2ban
To check the status of Fail2Ban:
root@host:~$ ps -ef | grep fail2ban
root      6573     1  0 20:20 ?        00:00:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
root@host:~$ fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           ssh
root@host:~$ fail2ban-client status ssh
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
root@host:~$ iptables -nL
Chain INPUT (policy ACCEPT)
target        prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
[...]
Chain fail2ban-ssh (1 references)
target        prot opt source               destination
RETURN        all  --  0.0.0.0/0            0.0.0.0/0
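The status output above shows the mechanism in miniature: the ssh jail watches /var/log/auth.log, counts failures per source address, and hands banned addresses to the fail2ban-ssh iptables chain. The following Python script is an added example, not part of Fail2Ban or of this page: it models that jail logic offline by parsing a constructed jail.local fragment (real Fail2Ban keys: maxretry, findtime, bantime, filter, logpath), applying a simplified version of the sshd failregex to constructed auth.log lines, and reporting which hosts would be banned. The regex, the sample log lines, the year assumed for the syslog timestamps and the parameter values are all assumptions made for the example.

```python
"""Minimal offline model of a Fail2Ban jail: apply a failregex to auth.log
lines and ban hosts that exceed maxretry failures within findtime seconds.
Added example; not Fail2Ban's own code."""
import configparser
import re
from datetime import datetime, timedelta

# Constructed jail.local fragment. The jail name "ssh" matches the status
# output shown on the page; the numeric values are illustrative only.
JAIL_LOCAL = """
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
"""

# Simplified stand-in for the pattern in Fail2Ban's sshd filter; the <host>
# group plays the role of Fail2Ban's <HOST> tag.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# syslog timestamps carry no year; the constructed log is assumed to be 2024.
LOG_YEAR = 2024

# Constructed auth.log excerpt: one host fails three times within seconds,
# another fails three times spread over fifty minutes.
SAMPLE_AUTH_LOG = """\
Jan 10 20:20:01 host sshd[6601]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 20:20:05 host sshd[6603]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 20:20:09 host sshd[6605]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 10 20:20:12 host sshd[6607]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 20:20:30 host sshd[6609]: Failed password for bob from 198.51.100.7 port 40030 ssh2
Jan 10 20:45:00 host sshd[6620]: Failed password for bob from 198.51.100.7 port 40031 ssh2
Jan 10 21:10:00 host sshd[6630]: Failed password for bob from 198.51.100.7 port 40032 ssh2
""".splitlines()


def load_jail(text, name):
    """Return (maxretry, findtime, bantime) for a jail, honouring [DEFAULT]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return (cp.getint(name, "maxretry"),
            timedelta(seconds=cp.getint(name, "findtime")),
            timedelta(seconds=cp.getint(name, "bantime")))


def parse_line(line):
    """Return (timestamp, host) for a failed-login line, or None otherwise."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("host")


def scan(lines, maxretry, findtime, bantime):
    """Sliding-window failure count per host; returns {host: ban_start}."""
    failures = {}   # host -> timestamps of failures still inside findtime
    bans = {}       # host -> time the ban was applied
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans and ts < bans[host] + bantime:
            continue  # already banned; the firewall would drop these
        recent = [t for t in failures.get(host, []) if ts - t <= findtime]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host] = ts
            failures[host] = []
    return bans


def banned_hosts(lines=SAMPLE_AUTH_LOG):
    """Run the ssh jail from JAIL_LOCAL over the lines; {host: 'HH:MM:SS'}."""
    bans = scan(lines, *load_jail(JAIL_LOCAL, "ssh"))
    return {h: t.strftime("%H:%M:%S") for h, t in bans.items()}


if __name__ == "__main__":
    for host, when in banned_hosts().items():
        print(f"ban {host} at {when}")
```

Only 203.0.113.5 is banned: its three failures fall inside one findtime window, whereas 198.51.100.7's three failures are each more than findtime apart, so its window never holds more than one. This is the same distinction fail2ban-regex makes visible when you test a filter against a real log: a match is counted, but a ban depends on how the matches cluster in time.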
Fail2ban is currently missing support for IPv6.