Fail2Ban is an intrusion prevention framework that protects servers against brute-force attacks. It works by analyzing the logs of various services (SSH, Apache, FTP, etc.) and blocking IP addresses that show signs of malicious activity, such as too many failed login attempts.
Why use Fail2Ban?
- Brute-force attack prevention: Automatically blocks attackers before they manage to guess a password.
- Reduced server load: Cuts down the number of pointless login attempts that consume resources.
- Improved overall security: Adds a simple and effective layer of proactive defense.
- Highly configurable: Can be adapted to monitor almost any service that produces log files.
Prerequisites
- A Linux server (Ubuntu/Debian, CentOS/RHEL, etc.).
- Root access or sudo privileges.
- A working firewall (such as UFW or firewalld), although Fail2Ban can work directly with iptables.
Installation
# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y fail2ban
# On CentOS / RHEL (requires the EPEL repository)
sudo yum install -y epel-release
sudo yum install -y fail2ban
Once installed, the service starts automatically and a default configuration for SSH is often already active.
Configuration
Fail2Ban is configured mainly through .conf and .local files in the /etc/fail2ban/ directory.
Golden rule: Never edit the .conf files. Always create a .local file for your overrides. The parameters in .local override those in .conf.
Step 1: Create a local configuration file
Copy the main configuration file to create your local configuration file.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, edit /etc/fail2ban/jail.local.
sudo nano /etc/fail2ban/jail.local
Step 2: Global configuration [DEFAULT]
In the [DEFAULT] section, you can set the default parameters for all "jails".
[DEFAULT]
# IPs to ignore (localhost, and possibly your static IP)
ignoreip = 127.0.0.1/8 ::1
# Ban duration (e.g. 1 hour)
bantime = 1h
# Window during which attempts are counted (e.g. 10 minutes)
findtime = 10m
# Number of attempts before a ban
maxretry = 5
Step 3: Enable "Jails"
A "jail" is a configuration for a specific service. To enable a jail, find its section in `jail.local` and add `enabled = true`.
Example: Jail for SSH (the most important one)
This jail is so common that it is often enabled by default. Check the configuration:
[sshd]
enabled = true
# The other parameters (port, logpath) are often detected automatically.
# You can force them if necessary:
# port = ssh
# logpath = /var/log/auth.log
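To make the three [DEFAULT] parameters from Step 2 concrete, here is an added example (not code from the page or from the Fail2Ban project) that replays a constructed auth.log excerpt and applies the same bookkeeping a jail does: failures per IP are kept inside a findtime window, and once maxretry of them accumulate the IP is banned for bantime. The failregex is a deliberately simplified stand-in for one line of the real sshd filter, the log lines and the year are constructed, and the Python names (IGNOREIP, evaluate, and so on) are this example's own.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the [DEFAULT] block above; the Python names are this example's own.
IGNOREIP = ["127.0.0.1/8", "::1"]
BANTIME = timedelta(hours=1)       # bantime = 1h
FINDTIME = timedelta(minutes=10)   # findtime = 10m
MAXRETRY = 5                       # maxretry = 5

# Simplified stand-in for one line of the sshd filter's failregex. The real
# /etc/fail2ban/filter.d/sshd.conf matches many more message variants.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed /var/log/auth.log excerpt (documentation address ranges, not real traffic):
#  - 203.0.113.7 fails five times in ten seconds           -> should be banned
#  - 127.0.0.1 fails five times but is covered by ignoreip -> never banned
#  - 198.51.100.9 fails five times 15 minutes apart        -> never 5 inside findtime
SAMPLE_AUTH_LOG = """\
Mar  4 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  4 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  4 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  4 10:00:07 host sshd[1004]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
Mar  4 10:00:09 host sshd[1005]: Accepted publickey for alice from 198.51.100.2 port 50000 ssh2
Mar  4 10:00:11 host sshd[1006]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar  4 10:00:20 host sshd[1007]: Failed password for root from 127.0.0.1 port 40006 ssh2
Mar  4 10:00:21 host sshd[1008]: Failed password for root from 127.0.0.1 port 40007 ssh2
Mar  4 10:00:22 host sshd[1009]: Failed password for root from 127.0.0.1 port 40008 ssh2
Mar  4 10:00:23 host sshd[1010]: Failed password for root from 127.0.0.1 port 40009 ssh2
Mar  4 10:00:24 host sshd[1011]: Failed password for root from 127.0.0.1 port 40010 ssh2
Mar  4 10:05:00 host sshd[1012]: Failed password for root from 198.51.100.9 port 40011 ssh2
Mar  4 10:20:00 host sshd[1013]: Failed password for root from 198.51.100.9 port 40012 ssh2
Mar  4 10:35:00 host sshd[1014]: Failed password for root from 198.51.100.9 port 40013 ssh2
Mar  4 10:50:00 host sshd[1015]: Failed password for root from 198.51.100.9 port 40014 ssh2
Mar  4 11:05:00 host sshd[1016]: Failed password for root from 198.51.100.9 port 40015 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip: str) -> bool:
    """True if the address falls inside any ignoreip network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def evaluate(log_text: str) -> dict:
    """Replay the log and return {ip: ban_expiry} for every IP that would be banned.

    On each failure, attempts older than FINDTIME are dropped from that IP's
    window; once MAXRETRY attempts remain inside it the IP is banned for BANTIME
    and its counter is reset. Failures logged while a ban is active are not
    counted, which is the effect the firewall rule has in practice.
    """
    attempts = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        match = FAILED_LOGIN.match(line)
        if not match:
            continue
        ip, when = match["ip"], parse_ts(match["ts"])
        if is_ignored(ip):
            continue
        if ip in bans and when < bans[ip]:
            continue
        window = attempts[ip]
        window.append(when)
        while when - window[0] > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[ip] = when + BANTIME
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, until in evaluate(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

Running it bans only 203.0.113.7: the loopback attempts are discarded by ignoreip, and 198.51.100.9 never has five failures inside one ten-minute window, which is exactly the trade-off findtime expresses (a slow, patient attacker needs a longer findtime or a lower maxretry to be caught). The real daemon keeps the same per-jail counters and hands the ban to its firewall action; bantime, findtime and maxretry can also be set inside an individual jail section to override [DEFAULT].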
Example: Jail for an Apache login form
If you have a login form on your website that logs failures to /var/log/apache2/error.log, you can protect it.
[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 6
You will also need to make sure that the corresponding filter (/etc/fail2ban/filter.d/apache-auth.conf) exists and matches your logs.
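The golden rule from Step 1 (overrides live in jail.local, never in jail.conf) and the %(apache_error_log)s reference in the jail above both rest on how Fail2Ban layers its INI files. The following added example (not code from the page or the Fail2Ban project) reads a constructed, much shortened jail.conf and jail.local with Python's configparser, whose %(name)s interpolation against [DEFAULT] behaves the same way here, and reports the effective settings of every enabled jail. In real Fail2Ban, apache_error_log comes from the paths-*.conf file that jail.conf includes; defining it directly in [DEFAULT] is an assumption made to keep the example self-contained.

```python
import configparser

# Constructed stand-in for the distribution-shipped /etc/fail2ban/jail.conf.
# The real file is far longer and includes paths-*.conf for the *_log variables;
# here apache_error_log is defined in [DEFAULT] directly (an assumption).
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 10m
findtime = 10m
maxretry = 5
apache_error_log = /var/log/apache2/error.log

[sshd]
port = ssh
logpath = /var/log/auth.log

[apache-auth]
port = http,https
logpath = %(apache_error_log)s
"""

# Constructed jail.local holding only the overrides, as the golden rule recommends.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 1h

[sshd]
enabled = true

[apache-auth]
enabled = true
maxretry = 6
"""

REPORTED_KEYS = ("port", "logpath", "bantime", "findtime", "maxretry")


def load_layers(*layers: str) -> configparser.ConfigParser:
    """Read INI texts in order; a later layer overrides the earlier ones,
    exactly as a .local file overrides its .conf."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in layers:
        cp.read_string(text)
    return cp


def enabled_jails(cp: configparser.ConfigParser) -> dict:
    """Return {jail: {key: effective value}} for every jail with enabled = true.
    Values missing from the jail section fall back to [DEFAULT], and
    %(name)s references are resolved against the section and [DEFAULT]."""
    report = {}
    for jail in cp.sections():  # sections() never includes DEFAULT
        if cp.getboolean(jail, "enabled", fallback=False):
            report[jail] = {key: cp.get(jail, key) for key in REPORTED_KEYS}
    return report


if __name__ == "__main__":
    for jail, settings in enabled_jails(load_layers(JAIL_CONF, JAIL_LOCAL)).items():
        print(f"[{jail}]")
        for key, value in settings.items():
            print(f"  {key} = {value}")
```

With jail.conf alone no jail is enabled; adding jail.local switches on sshd and apache-auth, raises bantime to 1h for both through [DEFAULT], and raises maxretry to 6 for apache-auth only, while sshd keeps the default 5. On a real host, `fail2ban-client -d` dumps the configuration the daemon actually parsed (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local), and `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf` shows how many lines of the log the filter's failregex matches, which is the quickest way to confirm the filter fits your log format before enabling the jail.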
Step 4: Restart Fail2Ban
After every change, restart the service to apply the new configuration.
sudo systemctl restart fail2ban
Your SSH service is now being monitored.
Managing Fail2Ban
The fail2ban-client command-line tool lets you interact with the service.
# Check the global status and the active jails
sudo fail2ban-client status
# Check the status of a specific jail
sudo fail2ban-client status sshd
# Manually unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.10
Be sure to add your own IP address (if it is static) to the ignoreip directive to avoid banning yourself by accident.
Conclusion
Fail2Ban is an essential tool, easy to configure and extremely effective at blocking the vast majority of automated brute-force attacks. It is one of the first things to install on a new server exposed to the Internet. In just a few minutes, it significantly strengthens your machine's security posture.