If you manage a Linux server, you know security isn't optional. Every day, thousands of bots scan the network looking for open ports, particularly port 22 (SSH), trying random passwords in brute force or dictionary attacks.
In our previous article we looked at how to secure SSH access by disabling passwords; today we're covering another essential shield: Fail2ban.
In this guide we'll see what it is, how to install it on Linux, and how to configure it to protect your services.
What is Fail2ban?
Fail2ban is an intrusion prevention tool (IPS) written in Python.
Its job is to scan system log files (like /var/log/auth.log or /var/log/secure) looking for patterns indicating suspicious activity, such as repeated failed login attempts.
When it detects an IP address that has exceeded the allowed number of attempts, Fail2ban updates the firewall rules (typically iptables or nftables) to ban that address for a set period of time.
How it works
It works based on three key concepts:
Filter
A regular expression (regex) that identifies intrusion attempts in the logs.
Action
The action taken when the filter finds a match (ban, email, etc.).
Jail
The combination of a filter and an action. The prison for hostile IPs.
Installation on Linux
Fail2ban is available in the official repositories of most distributions.
Debian / Ubuntu / Kali Linux
sudo apt update
sudo apt install fail2ban
CentOS / RHEL / Rocky Linux / AlmaLinux
Enable EPEL first:
sudo dnf install epel-release
sudo dnf install fail2ban
Arch Linux / Manjaro
sudo pacman -S fail2ban
Basic configuration
Don't edit directly:
/etc/fail2ban/jail.conf
It gets overwritten on every update.
Use jail.local instead.
1. Create the local configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the file:
sudo nano /etc/fail2ban/jail.local
2. General settings
[DEFAULT] section:
- bantime: ban duration in seconds
- findtime: observation time window
- maxretry: maximum allowed attempts
Example:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
Meaning:
5 failures in 10 minutes -> 1-hour ban.
3. Enable protection for SSH
[sshd] section:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Note: on CentOS/RHEL the log is often /var/log/secure.
Starting and managing Fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Check status:
sudo systemctl status fail2ban
Useful commands
Checking banned IPs
sudo fail2ban-client status sshd
Unbanning an IP
sudo fail2ban-client set sshd unbanip YOUR_PUBLIC_IP
Checking the logs
sudo tail -f /var/log/fail2ban.log
Protecting other services
Fail2ban can also protect web servers.
Example: Nginx
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
Fail2ban is one of the first tools worth setting up on a new server.
It drastically reduces intrusion attempts and unnecessary noise.
Security works in layers (defense in depth).
Fail2ban plus SSH keys remains a combination that's hard to beat.