Fail2Ban is a comprehensive tool for blocking possible unwanted traffic from bots/hackers to your server (or network). It's quite easy to install and set up, so here's a quick how-to, assuming you've already set up sendmail as a mail relay and are running ssh, ftp and openvpn locally, for instance.
1. sudo apt-get install fail2ban
2. Set up a local configuration file for fail2ban by running "cp -ivra /etc/fail2ban/jail.conf /etc/fail2ban/jail.local" and open /etc/fail2ban/jail.local:
# Append / Modify
bantime = 3600
# forever:
# bantime = -1
ignoreip = 127.0.0.1/8 192.168.1.0/24
destemail =
# Email address of the sender
# This is not in place by default; by default fail2ban@<hostname>.<domain> is used, which could lead to SMTP unknown sender errors (550). Also note the sender="%(sender)s" in action_mw.
sender =
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s", sender="%(sender)s"]
action = %(action_mw)s
# Append / Modify
[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
#logpath = /var/log/syslog
logpath = /etc/openvpn/openvpn.log
maxretry = 3
[proftpd]
enabled = true
[ssh]
enabled = true
3. Create a file openvpn.conf in /etc/fail2ban/filter.d/ with the following contents:
# Fail2Ban Filter for OpenVPN
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = openvpn
failregex = <HOST>:[0-9]{4,5} TLS Auth Error: Auth Username/Password verification failed for peer
ignoreregex =
4. Restart services: sudo service fail2ban restart
5. Eventually add "/var/log/fail2ban.log" to the logrotate in: /etc/logrotate.d/rsyslog
6. I've also added an email alias in sendmail for fail2ban@<hostname>.<domain>
Now you'll receive emails when someone gets banned. You can test this; when you want to remove the block, use something like: "sudo fail2ban-client set openvpn unbanip 1.2.3.4"
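To see what the openvpn filter from step 3 and the jail settings from step 2 will and will not catch, here is an added example (not part of the original how-to and not fail2ban's own code) that applies the same failregex, ignoreip and maxretry to constructed log lines. It assumes <HOST> is an IPv4 address and that all lines fall inside one findtime window; the function names and sample addresses are made up for the illustration.

```python
import ipaddress
import re
from collections import Counter

# failregex copied from step 3. fail2ban expands <HOST> itself; here it is
# replaced by an IPv4-only group (a simplification made for this example).
FAILREGEX = (r"<HOST>:[0-9]{4,5} TLS Auth Error: "
             r"Auth Username/Password verification failed for peer")
PATTERN = re.compile(
    FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# ignoreip and maxretry as set in jail.local (step 2).
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in "127.0.0.1/8 192.168.1.0/24".split()]
MAXRETRY = 3

# Constructed sample lines in OpenVPN log style (documentation address ranges).
FAIL = "TLS Auth Error: Auth Username/Password verification failed for peer"
SAMPLE_LOG = "\n".join([
    f"Mon Jan  6 10:00:01 2020 203.0.113.7:51234 {FAIL}",
    f"Mon Jan  6 10:00:05 2020 203.0.113.7:51234 {FAIL}",
    f"Mon Jan  6 10:00:09 2020 203.0.113.7:51240 {FAIL}",
    f"Mon Jan  6 10:01:00 2020 198.51.100.20:1194 {FAIL}",
    f"Mon Jan  6 10:01:04 2020 198.51.100.20:1194 {FAIL}",
    f"Mon Jan  6 10:02:00 2020 192.168.1.50:40000 {FAIL}",  # inside ignoreip
    f"Mon Jan  6 10:03:00 2020 198.51.100.99:443 {FAIL}",   # 3-digit source port
    "Mon Jan  6 10:04:00 2020 203.0.113.7:51234 Peer Connection Initiated",
])

def count_failures(log_text):
    """Count failregex matches per source address, skipping ignoreip."""
    failures = Counter()
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if match is None:
            continue
        addr = ipaddress.ip_address(match.group("host"))
        if not any(addr in net for net in IGNOREIP):
            failures[str(addr)] += 1
    return failures

def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Addresses whose failure count reaches maxretry (findtime not modelled)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(count_failures(SAMPLE_LOG)), hosts_to_ban(SAMPLE_LOG))
```

The line from 198.51.100.99 is not counted because [0-9]{4,5} only matches source ports of four or five digits. On the server itself, the real check is "fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf".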