Using Fail2ban

What is Fail2ban?

Fail2ban is a service that alleviates the issue of brute-force break-in attempts on a server
by scanning the login logs. When it sees a pattern of failed logins, it bans the IP address
of the offending source. The default setting is typically five failed logins, and the default
ban time is 10 minutes.

Fail2ban protects your server through the use of jails. Jails are configuration files
in which you set the criteria for when the system should ban an IP address
from accessing your server.

The central file of Fail2ban is jail.conf, which contains the configuration settings
for your jail. These settings determine whether or not to ban the IP address from
logging into your server.

Install Fail2ban

Use the following command to install on CentOS® or RHEL®:

yum install fail2ban

Use the following command to install on Debian® or the Ubuntu® operating system:

apt-get install fail2ban

Configure Fail2ban

  1. Log in to your server over Secure Shell (SSH) as either the root user or a sudo user.
  2. Copy the jail.conf file to create a jail.local file, because you typically do
     not want to edit the central configuration file, jail.conf.

     cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

  3. Open the jail.local file with your preferred command-line text editor.
  4. Locate the [DEFAULT] section to find the following global options:
     • ignoreip: Allows you to whitelist an IP address from Fail2ban, preventing it from
       being banned, by telling Fail2ban to ignore that IP address.
     • bantime: Sets how long an IP address is banned, in seconds. The default is 600 seconds
       (10 minutes).
     • maxretry: Defines the number of login failures permitted before banning the offending
       IP address.
     • findtime: Defines the time span in which the maxretry entries occur. IP addresses that
       exceed the maxretry value within this set time period are banned for the amount of
       time determined by the bantime setting.
  5. Save and close the file.
  6. After you configure Fail2ban, you can enable or disable jails for the specific protocols
     and services you want to protect, such as SSH login attempts.
  7. Restart the fail2ban service for the changes to take effect.

     service fail2ban restart

Fail2ban now monitors attempts to log into your server, based on the parameters you set in your jail.local
file, and it bans IP addresses that violate those conditions.

For more in-depth information on Fail2ban, see the following Fail2ban resources:
