Installing fail2ban on Squeeze

■Installing fail2ban on Squeeze

$ apt-cache show fail2ban | grep -A 12 ^Desc
Description: bans IPs that cause multiple authentication errors
 Monitors log files (e.g. /var/log/auth.log,
 /var/log/apache/access.log) and temporarily or persistently bans
 failure-prone addresses by updating existing firewall rules. The
 software was completely rewritten at version 0.7.0 and now allows
 easy specification of different actions to be taken such as to ban an
 IP using iptables or hostsdeny rules, or simply to send a
 notification email. Currently, by default, supports ssh/apache/vsftpd
 but configuration can be easily extended for monitoring any other ASCII
 file. All filters and actions are given in the config files, thus
 fail2ban can be adopted to be used with a variety of files and
 firewalls.
Homepage: http://www.fail2ban.org

■When sshd is not listening on port 22
 By default the ssh jail protects port 22 only: the INPUT rule below sends just "dports 22" traffic through the fail2ban-ssh chain, so any bans it inserts would never apply to an sshd listening on another port.

$ sudo iptables -L -v -n | grep fail2ban
    0     0 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22
Chain fail2ban-ssh (1 references)

■To change this, edit either /etc/services or the "port" entry of the jail in jail.conf. Changing /etc/services alters the meaning of the "ssh" service name for every program on the host, so setting "port" in the jail is the safer choice (fail2ban also reads jail.local after jail.conf, so overrides placed there survive package upgrades).

$ sudo grep -A 6 "\[ssh" /etc/fail2ban/jail.conf 
[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6
--
[ssh-ddos]

enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

■Edit jail.conf. While at it, enable "ssh-ddos" as well.

$ sudo grep -A 6 "\[ssh" /etc/fail2ban/jail.conf 
[ssh]

enabled = true
port    = 8022
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6
--
[ssh-ddos]

enabled = true
port    = 8022
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

■Apply the change and verify it.

$ sudo /etc/init.d/fail2ban restart
Restarting authentication failure monitor: fail2ban.

$ sudo iptables -L -v -n | grep ssh
   68  5120 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 8022 
   68  5120 fail2ban-ssh-ddos  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 8022 
Chain fail2ban-ssh (1 references)
Chain fail2ban-ssh-ddos (1 references)
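To make the effect of the jail settings above concrete, here is an added example (not fail2ban's own code and not from the original page) that re-implements the ssh and ssh-ddos jail logic in Python and runs it over constructed auth.log lines. The failregex patterns are my simplified, IPv4-only approximations of what filter.d/sshd.conf and filter.d/sshd-ddos.conf match; the iptables commands are modelled on what the default iptables-multiport ban action runs, which is what produces the "multiport dports 8022" rules and the fail2ban-ssh / fail2ban-ssh-ddos chains in the listing above. maxretry = 6 comes from the jail.conf snippet; findtime = 600 is assumed.

```python
"""Minimal model of fail2ban's ssh / ssh-ddos jails (example code, not fail2ban's)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (syslog format, no year). Not real data.
SAMPLE_AUTH_LOG = """\
Mar 13 10:00:01 squeeze sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 13 10:00:09 squeeze sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 13 10:00:31 squeeze sshd[2003]: Invalid user oracle from 203.0.113.5
Mar 13 10:01:02 squeeze sshd[2004]: Failed password for invalid user oracle from 203.0.113.5 port 51255 ssh2
Mar 13 10:01:40 squeeze sshd[2005]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 13 10:02:31 squeeze sshd[2006]: Failed password for root from 203.0.113.5 port 51271 ssh2
Mar 13 10:03:00 squeeze sshd[2007]: Accepted publickey for deploy from 10.0.0.4 port 40022 ssh2
Mar 13 10:03:10 squeeze sshd[2008]: Failed password for backup from 198.51.100.7 port 33001 ssh2
Mar 13 10:03:20 squeeze sshd[2009]: Failed password for backup from 198.51.100.7 port 33002 ssh2
Mar 13 10:03:30 squeeze sshd[2010]: Failed password for backup from 198.51.100.7 port 33003 ssh2
Mar 13 10:00:00 squeeze sshd[2011]: Failed password for root from 192.0.2.9 port 4001 ssh2
Mar 13 10:05:00 squeeze sshd[2012]: Failed password for root from 192.0.2.9 port 4002 ssh2
Mar 13 10:10:00 squeeze sshd[2013]: Failed password for root from 192.0.2.9 port 4003 ssh2
Mar 13 10:15:00 squeeze sshd[2014]: Failed password for root from 192.0.2.9 port 4004 ssh2
Mar 13 10:20:00 squeeze sshd[2015]: Failed password for root from 192.0.2.9 port 4005 ssh2
Mar 13 10:25:00 squeeze sshd[2016]: Failed password for root from 192.0.2.9 port 4006 ssh2
Mar 13 10:04:00 squeeze sshd[2017]: Did not receive identification string from 203.0.113.77
Mar 13 10:04:05 squeeze sshd[2018]: Did not receive identification string from 203.0.113.77
Mar 13 10:04:10 squeeze sshd[2019]: Did not receive identification string from 203.0.113.77
Mar 13 10:04:15 squeeze sshd[2020]: Did not receive identification string from 203.0.113.77
Mar 13 10:04:20 squeeze sshd[2021]: Did not receive identification string from 203.0.113.77
Mar 13 10:04:25 squeeze sshd[2022]: Did not receive identification string from 203.0.113.77
"""

# Simplified approximations (assumption) of the real filter.d/sshd*.conf failregex.
PREFIX = r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
SSHD_FAILREGEX = [re.compile(p) for p in (
    PREFIX + r"Failed (?:password|publickey) for .* from " + HOST + r"(?: port \d+)?(?: ssh\d*)?$",
    PREFIX + r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$",
    PREFIX + r"ROOT LOGIN REFUSED.* FROM " + HOST + r"\s*$",
)]
SSHD_DDOS_FAILREGEX = [re.compile(
    PREFIX + r"Did not receive identification string from " + HOST + r"\s*$")]

_EPOCH = datetime(1900, 1, 1)  # strptime defaults to year 1900; only differences matter


def _ts(line):
    """Seconds for a syslog timestamp ('Mar 13 10:00:01'), relative to _EPOCH."""
    return (datetime.strptime(line[:15], "%b %d %H:%M:%S") - _EPOCH).total_seconds()


def parse_failures(lines, failregex):
    """Return (timestamp, host) for every line matched by one of the failregex."""
    fails = []
    for line in lines:
        for rx in failregex:
            m = rx.match(line)
            if m:
                fails.append((_ts(line), m.group("host")))
                break
    return fails


def compute_bans(failures, maxretry=6, findtime=600):
    """Ban a host once it has >= maxretry failures inside a findtime-second window."""
    bans, recent = {}, defaultdict(deque)
    for ts, host in sorted(failures):
        if host in bans:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > findtime:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts                 # time the ban would be applied
    return bans


def run_jail(name, port, lines, failregex, maxretry=6, findtime=600):
    """Return (bans, iptables commands) the way the iptables-multiport action would act."""
    cmds = [f"iptables -N fail2ban-{name}",
            f"iptables -A fail2ban-{name} -j RETURN",
            # This is the rule that shows up as 'multiport dports <port>' in iptables -L.
            f"iptables -I INPUT -p tcp -m multiport --dports {port} -j fail2ban-{name}"]
    bans = compute_bans(parse_failures(lines, failregex), maxretry, findtime)
    cmds += [f"iptables -I fail2ban-{name} 1 -s {h} -j DROP" for h in sorted(bans)]
    return bans, cmds


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for name, rx in (("ssh", SSHD_FAILREGEX), ("ssh-ddos", SSHD_DDOS_FAILREGEX)):
        bans, cmds = run_jail(name, 8022, lines, rx)
        print(f"[{name}] banned: {sorted(bans)}")
        print("\n".join(cmds))
```

Of the four hosts in the sample, only 203.0.113.5 (six failures in under three minutes) is banned by the ssh jail; 198.51.100.7 stops at three attempts and 192.0.2.9 spreads its six attempts five minutes apart, so no 600-second window ever holds six of them. 203.0.113.77 never fails a password and is caught only by the ssh-ddos jail, which is why enabling it alongside [ssh] matters. Had "port" been left at ssh while sshd listens on 8022, the INPUT rule would select dports 22 only, so connections to 8022 would never traverse the fail2ban-ssh chain and the DROP rules would be dead weight; the two iptables listings above are the check that catches that.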

■Jails that fail2ban can monitor but that are disabled.

$ sudo grep -B 2 false /etc/fail2ban/jail.conf | grep "^\["
[pam-generic]
[xinetd-fail]
[apache]
[apache-multiport]
[apache-noscript]
[apache-overflows]
[vsftpd]
[proftpd]
[wuftpd]
[postfix]
[couriersmtp]
[courierauth]
[sasl]
[named-refused-tcp]

■Jails that are enabled.

$ sudo grep -B 2 true /etc/fail2ban/jail.conf | grep "^\["
[ssh]
[ssh-ddos]

■You are presumably not relying on fail2ban alone to protect the ssh server; if, for example, you also control access to it through xinetd, a filter for that is provided as well.

$ sudo ls /etc/fail2ban/filter.d/
apache-auth.conf       exim.conf              qmail.conf
apache-badbots.conf    gssftpd.conf           sasl.conf
apache-nohome.conf     lighttpd-fastcgi.conf  sieve.conf
apache-noscript.conf   named-refused.conf     sshd-ddos.conf
apache-overflows.conf  pam-generic.conf       sshd.conf
common.conf            php-url-fopen.conf     vsftpd.conf
courierlogin.conf      postfix.conf           webmin-auth.conf
couriersmtp.conf       proftpd.conf           wuftpd.conf
cyrus-imap.conf        pure-ftpd.conf         xinetd-fail.conf