If you manage a Linux server, you know security isn't optional. Every day, thousands of bots scan the network looking for open ports, particularly port 22 (SSH), trying random passwords in brute force or dictionary attacks.

In our previous article we looked at how to secure SSH access by disabling passwords; today we're covering another essential shield: Fail2ban.

In this guide we'll see what it is, how to install it on Linux, and how to configure it to protect your services.

What is Fail2ban?

Fail2ban is an intrusion prevention tool (IPS) written in Python.
Its job is to scan system log files (like /var/log/auth.log or /var/log/secure) looking for patterns indicating suspicious activity, such as repeated failed login attempts.

When it detects an IP address that has exceeded the allowed number of attempts, Fail2ban updates the firewall rules (typically iptables or nftables) to ban that address for a set period of time.

How it works

It works based on three key concepts:

Filter
A regular expression (regex) that identifies intrusion attempts in the logs.

Action
The action taken when the filter finds a match (ban, email, etc.).

Jail
The combination of a filter and an action. The prison for hostile IPs.


Installation on Linux

Fail2ban is available in the official repositories of most distributions.

Debian / Ubuntu / Kali Linux

sudo apt update
sudo apt install fail2ban

CentOS / RHEL / Rocky Linux / AlmaLinux

Enable EPEL first:

sudo dnf install epel-release
sudo dnf install fail2ban

Arch Linux / Manjaro

sudo pacman -S fail2ban

Basic configuration

Don't edit directly:

/etc/fail2ban/jail.conf

It gets overwritten on every update.
Use jail.local instead.

1. Create the local configuration file

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file:

sudo nano /etc/fail2ban/jail.local

2. General settings

[DEFAULT] section:

  • bantime: ban duration in seconds
  • findtime: observation time window
  • maxretry: maximum allowed attempts

Example:

[DEFAULT]
    bantime  = 3600
    findtime = 600
    maxretry = 5

Meaning:
5 failures in 10 minutes -> 1-hour ban.

3. Enable protection for SSH

[sshd] section:

[sshd]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 3

Note: on CentOS/RHEL the log is often /var/log/secure.

Starting and managing Fail2ban

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Check status:

sudo systemctl status fail2ban

Useful commands

Checking banned IPs

sudo fail2ban-client status sshd

Unbanning an IP

sudo fail2ban-client set sshd unbanip YOUR_PUBLIC_IP

Checking the logs

sudo tail -f /var/log/fail2ban.log

Protecting other services

Fail2ban can also protect web servers.

Example: Nginx

[nginx-http-auth]
    enabled  = true
    filter   = nginx-http-auth
    port     = http,https
    logpath  = /var/log/nginx/error.log

Fail2ban is one of the first tools worth setting up on a new server.
It drastically reduces intrusion attempts and unnecessary noise.

Security works in layers (defense in depth).
Fail2ban plus SSH keys remains a combination that's hard to beat.