
Complete Guide to Fail2Ban

Fail2Ban is a security tool that automatically blocks brute-force attacks on servers. This guide covers installing Fail2Ban, configuring it, and using its key commands.

Installation Instructions

Fail2Ban is available from the package repositories of most Linux distributions (on CentOS/RHEL, through the EPEL repository enabled below). You can install it using the commands below.

Debian/Ubuntu

sudo apt-get update
sudo apt-get install fail2ban

CentOS/RHEL

sudo yum install epel-release
sudo yum install fail2ban

Start and Enable Fail2Ban Service After Installation

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

After installation, start the service and set it to run automatically on boot.

Key Configuration Files

The core configuration of Fail2Ban is done in the `jail.conf` and `jail.local` files. It is best practice to create a `jail.local` file to override settings without modifying the original `jail.conf` file.

⚙️ Location of Key Configuration Files

/etc/fail2ban/jail.conf

📝 Custom Configuration File (Recommended)

/etc/fail2ban/jail.local

To override settings from `jail.conf`, create this file and add only the settings you want to change. Because package updates can replace `jail.conf`, keeping your changes in `jail.local` prevents them from being overwritten during updates.

Examples of Key Settings in jail.local File

The following are commonly added configuration options in the `jail.local` file. These settings allow you to control the behavior of Fail2Ban in detail.

  • [sshd]: Opens the section (jail) that holds the settings for the sshd service.
  • enabled = true: Enables this jail.
  • port = ssh: Specifies the ssh port (default 22) as the target.
  • maxretry = 5: Blocks if the login fails more than 5 times within the defined time (findtime).
  • bantime = 10m: Sets how long an IP stays blocked (10 minutes).
  • findtime = 10m: Sets the time window (10 minutes) over which failed logins are counted.
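
How maxretry, findtime and bantime interact, as an added example (not code from this guide or from the Fail2Ban project): a small Python model of the counting window, run over constructed log lines. The regex, function names and sample lines are assumptions, and the model assumes a ban fires when the failure count inside findtime reaches maxretry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the sshd filter; not Fail2Ban's real failregex.
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def simulate(lines, maxretry=5, findtime=timedelta(minutes=10),
             bantime=timedelta(minutes=10)):
    """Return [(ip, banned_at, unbanned_at)] for chronologically ordered lines."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until = {}            # ip -> time the current ban expires
    bans = []
    for entry in lines:
        m = FAILED.match(entry)
        if not m:
            continue             # e.g. "Accepted password" is not a failure
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue             # still banned; nothing new to count
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()     # failures older than findtime no longer count
        # Assumption of this model: the ban fires when the count reaches maxretry.
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

# Constructed sample log (documentation IP ranges, simplified line format).
T0 = datetime(2024, 5, 1, 10, 0, 0)

def line(offset_s, ip):
    ts = (T0 + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} sshd[812]: Failed password for root from {ip} port 50122 ssh2"

SAMPLE = sorted(
    [line(30 * i, "203.0.113.10") for i in range(5)]     # 5 failures in 2 minutes
    + [line(180 * i, "198.51.100.7") for i in range(5)]  # 5 failures over 12 minutes
    + [T0.isoformat() + " sshd[813]: Accepted password for alice from 192.0.2.5 port 50200 ssh2"]
)

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"{ip} banned {start:%H:%M:%S} -> unbanned {end:%H:%M:%S}")
```

The second client makes the same five attempts but spreads them over 12 minutes, so it never has five failures inside one 10-minute window and is not banned. Widening findtime or lowering maxretry is what catches that slower pattern.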

Key Commands

These are the main commands used to check the status of the Fail2Ban service or to manually block/unblock IPs.

Check Fail2Ban Service Status

sudo systemctl status fail2ban

Checks if the Fail2Ban service is running properly.

Check Fail2Ban Logs

sudo journalctl -u fail2ban

Shows Fail2Ban's detailed operation logs, including the IPs it has blocked.

Manually Block a Specific IP

sudo fail2ban-client set sshd banip 1.2.3.4

Manually blocks the specified IP address in the `sshd` jail.

Manually Unblock a Specific IP

sudo fail2ban-client set sshd unbanip 1.2.3.4

Manually unblocks a previously blocked IP address in the `sshd` jail.

View Currently Blocked IPs

sudo fail2ban-client status sshd

Lists the IP addresses currently blocked by the `sshd` jail.

