Fail2ban 101

Security. Protection. Peace of Mind.

Master the art of intrusion prevention with Fail2ban. Complete guide to installing, configuring, and managing automated security systems that protect your servers from brute force attacks and malicious behavior.

🛡️ What is Fail2ban?

Fail2ban is an intrusion prevention software that protects your server by monitoring log files and automatically banning IP addresses that show malicious behavior like repeated failed login attempts.

6 setup steps · ~15 minutes · Expert level

⚠️ Critical Security Warning

Step 1: Update System Packages (2-5 minutes)
Command: sudo apt update && sudo apt upgrade -y
Ensure your system is up-to-date before installing Fail2ban.
💡 Explanation: Always update your system packages first to avoid compatibility issues and ensure you have the latest security patches.

Step 2: Install Fail2ban (1-2 minutes)
Command: sudo apt install fail2ban -y
Install the Fail2ban intrusion prevention system from the repository.
💡 Explanation: This installs Fail2ban along with all required dependencies, including iptables integration for automatic IP blocking.

Step 3: Enable and Start Fail2ban (< 30 seconds)
Command: sudo systemctl enable fail2ban && sudo systemctl start fail2ban
Enable Fail2ban to start automatically at boot and start the service immediately.
💡 Explanation: This ensures Fail2ban will protect your system automatically after every reboot and starts monitoring immediately.

Step 4: Check Fail2ban Status (< 30 seconds)
Command: sudo systemctl status fail2ban
Verify that Fail2ban is running correctly and check its current status.
💡 Explanation: This command shows whether Fail2ban is active, when it started, and any recent log messages. Look for "active (running)" in the output.

Step 5: Create Local Configuration (< 30 seconds)
Command: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Create a local configuration file to customize Fail2ban settings safely.
💡 Explanation: The jail.local file overrides default settings without being overwritten during updates. This is the recommended way to configure Fail2ban.

Step 6: Configure Basic Protection (5-10 minutes)
Command: sudo nano /etc/fail2ban/jail.local
Edit the local configuration to enable SSH protection and set ban parameters.
💡 Explanation: This opens the configuration file where you can enable jails, set ban times, and configure which services to protect.

📝 Configuration Examples

Copy and paste these configurations into your jail.local file

Basic SSH Protection Configuration

[DEFAULT]
# Ban IP for 24 hours (86400 seconds)
bantime = 86400
# Check for 5 failed attempts
maxretry = 5
# Within 10 minutes (600 seconds)
findtime = 600
# Whitelist your own IP (CHANGE THIS!)
ignoreip = 127.0.0.1/8 YOUR_IP_HERE

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

Basic configuration that protects SSH with reasonable defaults. Replace YOUR_IP_HERE with your actual IP address so you cannot lock yourself out. The maxretry = 3 and bantime = 3600 lines in the [sshd] section override the [DEFAULT] values for that jail only; findtime and ignoreip are inherited from [DEFAULT].

Web Server Protection (Apache/Nginx)

[apache-auth]
enabled = true
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3

[apache-badbots]
enabled = true
filter = apache-badbots
logpath = /var/log/apache2/access.log
maxretry = 2

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3

Configuration for protecting web servers from brute force attacks and malicious bots.
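To make the [DEFAULT]/jail inheritance and the maxretry/findtime/ignoreip semantics of the configurations above concrete, here is an added example (not code from the page or from Fail2ban itself) that reads a jail.local-style text with Python's configparser and replays a constructed auth.log excerpt through the same counting rule Fail2ban applies; the failregex, IPs and timestamps are all constructed for the demo.

```python
# Added example (not from the original page): how Fail2ban merges [DEFAULT] with a jail's
# overrides, and how maxretry/findtime/ignoreip pick IPs to ban. All data below is constructed.
import configparser, ipaddress, re
JAIL_LOCAL = """
[DEFAULT]
bantime = 86400
maxretry = 5
findtime = 600
ignoreip = 127.0.0.1/8 203.0.113.10
[sshd]
enabled = true
maxretry = 3
bantime = 3600
"""
# Simplified stand-in for the real sshd filter's failregex (constructed).
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
# Constructed auth.log excerpt as (unix_seconds, message) pairs.
AUTH_LOG = [
    (100, "Failed password for root from 198.51.100.7 port 4242 ssh2"),
    (130, "Failed password for invalid user admin from 198.51.100.7 port 4243 ssh2"),
    (150, "Failed password for root from 198.51.100.7 port 4244 ssh2"),
    (200, "Failed password for root from 203.0.113.10 port 5000 ssh2"),
    (210, "Failed password for root from 203.0.113.10 port 5001 ssh2"),
    (220, "Failed password for root from 203.0.113.10 port 5002 ssh2"),
    (300, "Failed password for root from 192.0.2.9 port 6000 ssh2"),
    (1000, "Failed password for root from 192.0.2.9 port 6001 ssh2"),
    (1700, "Failed password for root from 192.0.2.9 port 6002 ssh2"),
]
def jail_settings(text, jail):
    # Keys missing from the jail section fall back to [DEFAULT], as in Fail2ban.
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    s = cfg[jail]
    return {"maxretry": s.getint("maxretry"), "findtime": s.getint("findtime"),
            "bantime": s.getint("bantime"),  # strict=False accepts 127.0.0.1/8
            "ignoreip": [ipaddress.ip_network(n, strict=False) for n in s["ignoreip"].split()]}
def would_ban(settings, log):
    # An IP is banned once it has maxretry failures inside a sliding findtime window.
    recent, banned = {}, []
    for ts, line in log:
        m = FAILED.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in settings["ignoreip"]):
            continue  # whitelisted by ignoreip: never banned
        recent[ip] = [t for t in recent.get(ip, []) if ts - t <= settings["findtime"]] + [ts]
        if len(recent[ip]) >= settings["maxretry"] and str(ip) not in banned:
            banned.append(str(ip))
    return banned
```

Only 198.51.100.7 is banned: 203.0.113.10 is covered by ignoreip, and 192.0.2.9 spreads its three failures more than findtime apart, so they never accumulate inside one window.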

🛡️ Fail2ban is Now Protecting Your Server!

Your server is now protected against brute force attacks and malicious behavior.

Remember: Monitor the logs regularly and adjust settings based on your security needs.

🎛️ Essential Management Commands

Commands to monitor and manage your Fail2ban installation

sudo fail2ban-client status
Show all active jails and their status
sudo fail2ban-client status sshd
Show detailed status of the SSH jail including banned IPs
sudo fail2ban-client unban IP_ADDRESS
Manually unban a specific IP address
sudo fail2ban-client reload
Reload Fail2ban configuration without restarting
sudo fail2ban-client restart
Restart Fail2ban service (clears all current bans)
sudo iptables -L -n | grep -E "f2b|fail2ban"
View current Fail2ban iptables rules and banned IPs

📊 Monitoring Commands

Keep track of Fail2ban activity and banned IPs

sudo tail -f /var/log/fail2ban.log
Monitor Fail2ban activity in real-time
sudo grep "Ban" /var/log/fail2ban.log | tail -10
Show the last 10 IP addresses that were banned
sudo fail2ban-client status | grep "Jail list"
List all currently active jails
sudo journalctl -u fail2ban -f
Follow Fail2ban system logs in real-time
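The grep and tail commands above show raw Ban lines; as an added example (not from the page or from Fail2ban), the following Python script parses NOTICE Ban/Unban lines in the layout fail2ban.log uses and reports bans per jail plus the IPs still banned, which is what you actually want when reviewing activity. The log excerpt is constructed.

```python
# Added example, not from the original page: summarize fail2ban.log by jail.
# Tracks Ban/Unban NOTICE lines so the result shows what is banned right now.
import re
from collections import Counter

# Matches "... fail2ban.actions [pid]: NOTICE [jail] Ban|Unban IP" lines.
BAN_LINE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(\S+)\] (Ban|Unban) (\S+)")

# Constructed excerpt in the real file's layout: "date time,ms component [pid]: LEVEL [jail] Ban IP".
FAIL2BAN_LOG = """\
2024-05-01 10:00:01,123 fail2ban.filter  [812]: INFO    [sshd] Found 198.51.100.7 - 2024-05-01 10:00:01
2024-05-01 10:00:02,456 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 10:05:10,001 fail2ban.actions [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.9
2024-05-01 10:30:00,777 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.44
2024-05-01 11:00:02,900 fail2ban.actions [812]: NOTICE  [sshd] Unban 198.51.100.7
"""

def summarize(log_text):
    """Return (ban count per jail, sorted IPs still banned per jail)."""
    bans, active = Counter(), {}
    for line in log_text.splitlines():
        m = BAN_LINE.search(line)
        if not m:
            continue  # INFO/Found lines and other noise are skipped
        jail, action, ip = m.groups()
        jailset = active.setdefault(jail, set())
        if action == "Ban":
            bans[jail] += 1
            jailset.add(ip)
        else:
            jailset.discard(ip)  # an Unban lifts the earlier ban
    return dict(bans), {j: sorted(s) for j, s in active.items()}
```

Run it against the real file with `summarize(open("/var/log/fail2ban.log").read())`; the ban counts tell you which jails are busiest, and the active set should agree with `fail2ban-client status <jail>`.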

🔧 Common Filters & Jails

Available protection filters you can enable in your jail.local file

sshd
SSH brute force protection
apache-auth
Apache HTTP authentication failures
nginx-http-auth
Nginx HTTP authentication failures
postfix
Email server brute force protection
dovecot
IMAP/POP3 brute force protection
mysqld-auth
MySQL authentication failures
php-url-fopen
PHP script exploitation attempts
wordpress
WordPress login brute force protection

🔐 Security Best Practices