Quick Summary: Fail2ban is an intrusion prevention tool that monitors log files for suspicious activity (like repeated failed login attempts) and automatically bans offending IP addresses by creating firewall rules. It is the most effective defense against brute-force attacks on SSH, web servers, and email services. Setup takes under 10 minutes and dramatically reduces attack noise.
How Fail2ban Works
- Fail2ban monitors specified log files (e.g., /var/log/auth.log)
- It matches log entries against filter patterns (regex)
- When an IP exceeds the failure threshold, Fail2ban creates a firewall rule to block it
- After the ban time expires, the rule is automatically removed
Installation
- Debian/Ubuntu: `sudo apt install fail2ban`
- RHEL/AlmaLinux/Rocky: `sudo dnf install fail2ban`
- Enable and start: `sudo systemctl enable --now fail2ban`
Configuration
Never edit /etc/fail2ban/jail.conf directly, because it gets overwritten on package updates. Create a local override instead:
- Copy the defaults: `sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`
- Edit /etc/fail2ban/jail.local for your customizations; settings there take precedence over jail.conf
Key Configuration Options
| Setting | Default | Recommended | Purpose |
|---|---|---|---|
| bantime | 10m | 24h (86400) | How long to ban an IP |
| findtime | 10m | 10m (600) | Time window for counting failures |
| maxretry | 5 | 3 | Failures before banning |
| banaction | iptables-multiport | firewallcmd-rich-rules (RHEL) | Firewall backend |
| ignoreip | 127.0.0.1 | Add your office IP | Never ban these IPs |
Protecting Services
SSH Protection
The sshd jail is often enabled by default. Verify and customize it in jail.local:
- In the [sshd] section, set `enabled = true`
- Set `port` to match your SSH port (if non-standard)
- Set `maxretry = 3` for strict protection
Web Server Protection
| Jail | Protects Against |
|---|---|
| nginx-http-auth | Failed HTTP basic authentication |
| nginx-botsearch | Bots scanning for vulnerabilities |
| apache-auth | Failed Apache authentication |
| apache-badbots | Malicious bot user agents |
Managing Fail2ban
| Command | Purpose |
|---|---|
| fail2ban-client status | List active jails |
| fail2ban-client status sshd | Show banned IPs for SSH jail |
| fail2ban-client set sshd unbanip 1.2.3.4 | Manually unban an IP |
| fail2ban-client set sshd banip 1.2.3.4 | Manually ban an IP |
| fail2ban-client reload | Reload configuration |
Incremental Ban Times
Configure Fail2ban to increase ban duration for repeat offenders:
- `bantime.increment = true`: enable incremental bans
- `bantime.factor = 2`: double the ban time on each repeat offense
- `bantime.maxtime = 1w`: cap the ban duration at 1 week
- Result (with the recommended bantime of 24h): 1st offense = 24h, 2nd = 48h, 3rd = 96h, up to 1 week
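To make the mechanism described under "How Fail2ban Works" and the incremental ban schedule above concrete, here is an added Python example (not Fail2ban's own code) that applies a sshd-style failed-login filter to constructed auth.log lines, counts failures per IP inside a findtime window using the page's recommended maxretry = 3 and findtime = 10m, and computes the incremental ban length from bantime, bantime.factor and bantime.maxtime. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
# 203.0.113.7 fails three times within seconds; 198.51.100.9 fails three
# times but 20 minutes apart, so it never reaches maxretry inside findtime.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 10:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 10 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 10 10:00:12 host sshd[1204]: Accepted publickey for deploy from 198.51.100.2 port 40000 ssh2
Mar 10 10:20:30 host sshd[1205]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar 10 10:40:30 host sshd[1206]: Failed password for root from 198.51.100.9 port 41001 ssh2
Mar 10 11:00:30 host sshd[1207]: Failed password for root from 198.51.100.9 port 41002 ssh2
"""

# Filter pattern in the spirit of a Fail2ban filter: match a failed login and capture the source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) "
)


def parse_ts(stamp: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year, so one is assumed for the example."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log: str, maxretry: int = 3, findtime: int = 600) -> dict:
    """Return {ip: number_of_bans} for IPs reaching maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    bans = defaultdict(int)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and unrelated lines are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(hits) >= maxretry:   # threshold reached: Fail2ban would add a firewall rule here
            bans[ip] += 1
            hits = []               # counter resets once the IP is banned
        recent[ip] = hits
    return dict(bans)


def ban_seconds(offense: int, bantime: int = 86400, factor: int = 2, maxtime: int = 604800) -> int:
    """Incremental ban length: bantime * factor**(offense-1), capped at bantime.maxtime (1w)."""
    return min(bantime * factor ** (offense - 1), maxtime)
```

Running `find_bans(SAMPLE_LOG)` reports only 203.0.113.7, and `ban_seconds(1..4)` reproduces the 24h, 48h, 96h, 1-week schedule from the list above.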
Frequently Asked Questions
I accidentally banned myself. How do I unban?
If you can still access the server (console, different IP): fail2ban-client set sshd unbanip YOUR.IP. If locked out, use your hosting provider's console access. To prevent self-banning, always add your IP to ignoreip in jail.local.
Does Fail2ban work with UFW?
Yes. Set banaction = ufw in your jail.local to use UFW instead of iptables directly. Fail2ban will create and remove UFW rules automatically.
How many IPs does Fail2ban typically ban?
On a public-facing server with SSH on port 22, Fail2ban typically bans 50-500 IPs per day. Moving SSH to a non-standard port reduces this to near zero. Fail2ban handles thousands of bans without performance issues.
Should I use Fail2ban even with key-only SSH?
Yes. Even with password authentication disabled, Fail2ban reduces log noise, blocks reconnaissance scanning, and protects other services (web servers, email). It also frees up resources by rejecting connections at the firewall level.