How To'sLinux

How To Secure Your Linux Server Using Fail2ban

If an IP Address has too many failed connections, fail2ban blocks it automatically. It’s self-contained safety! We’ll show you how to do it. This is one of the most important things you can do for the safety of your Linux server. You can typically see a number of attempts at brute force login, web floods, exploit searching, and other types of attacks in your server logs.

Your server logs can be examined with an intrusion protection software like fail2ban, which allows you to set additional iptables rules for blocking IP addresses that are causing problems.


Having python installed is all that is needed to use Fail2ban:

  • Python >=2.6 or Python >=3.2 is required for Fail2ban branch 0.9.x.
  • Python >=2.4 is required for Fail2ban branch 0.8.x
  • Root access to your computer
  • Sendmail and iptables are optional.

How To Install Fail2Ban On Your Linux System

Installing fail2ban is easy as running a few commands:

Install Fail2Ban on CentOS/RHEL

To begin, follow the on-screen instructions to install fail2ban, enable the Epel repository, and update your packages.

yum update
yum install epel-release
yum install fail2ban

Install Fail2Ban on Debian/Ubuntu

The first step is to install fail2ban by following the on-screen instructions.

apt-get update && apt-get upgrade -y
apt-get install fail2ban

Sendmail can be installed if you want to enable mail support (for example, to receive notifications via email).

yum install sendmail [On CentOS/RHEL]
apt-get install sendmail-bin sendmail [On Debian/Ubuntu]

Use the following commands to make fail2ban and sendmail work:

systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmailsystemctl enable sendmail

How to Configure Fail2ban in Linux Systems

By default, fail2ban reads the.conf files in /etc/fail2ban/ first. But .local files in the same directory can override them.

So, the .local file should only contain the parameters you want to override from the .conf file. Not in the .conf, but in the .local files. This prevents overwriting modifications while updating fail2ban.

We’ll copy the existing fail2ban.conf file to fail2ban.local.

cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

Using your favorite text editor you can edit the changes in .local file.

  • loglevel – this is the level of detail to be logged. Possible options are:
    • ERROR
    • NOTICE
    • INFO
    • DEBUG
  • logtarget – log the actions in a specific file. The default value is /var/log/fail2ban.log. You can, however, change this to:
    • STDOUT – output any data
    • STDERR – output any errors
    • SYSLOG – message-based logging
    • File – output to a file
  • socket – directory in which socket file will be placed.
  • pidfile – location of the pidfile.

Configuring Fail2ban jail.local

The jail.conf file, which specifies your jails, is a core component of fail2ban. This is where you specify which services should be enabled by fail2ban.

If you want to make changes to the conf files during upgrades, you should establish a jail.local file where you can do so

Alternatively, you may just duplicate the .conf file as follows:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Change backend in jail.local from “auto” to “systemd” if you are using CentOS or Fedora.

There is no need to make this change if your operating system is Ubuntu/Debian.

Instead of enabling SSH by default on Debian and Ubuntu, the jail file does so only when used with the jail command. Please update the following line in the jail.local file if you want to activate it:

enabled = true

Retry and Ban Counts

In order to ban an IP address, you can customize the circumstances in which it is blocked. Fail2ban makes use of bantime, findtime, and maxretry to accomplish this.

  • ignoreip – Whitelisting specific IP addresses is, of course, a must. This IP address is set up by uncommenting the following line in your preferred text editor: /etc/fail2ban/jail.local
  • bantime – An IP address will be blocked for as long as the bantime value is specified (default 10 min).
  • findtime – how long does it take for the host to be banned if you keep trying to log in It takes about 10 minutes to complete (by default). For example, if fail2ban is configured to block an IP address after three failed logins, those three attempts must be made inside the findtime period (10 mins).
  • maxretry – limit on how many times an attempt can be made before being banned. (The default is 3).

Fail2Ban Jail Configuration

So far, we’ve covered the basics. To configure a jail, you must enable it in the jail.local file. The syntax is straightforward:

. . .
enabled = true

Replace jail_to_enable with actual jail, for example, “sshd”. In jail.local file, these values will be predefined for ssh service.


port = ssh
logpath = %(sshd_log)s

You can activate the filter to help identify unsuccessful lines in the log. The filter value refers to a file with the service name and .conf extension. /etc/fail2ban/filter.d/sshd.conf.


filter = service

For example:

filter = sshd

You can review the existing filters in the following directory: /etc/fail2ban/filter.d/.

Using And Enabling fail2ban-client

We’ve installed and configured fail2ban. Now we need to make it an auto-start service. Then we must test it to ensure it works properly.

We use systemctl to enable fail2ban as a service:

sudo systemctl enable fail2ban

We also use it to start the service:

sudo systemctl start fail2ban

We can check the status of the service using systemctl, too:

sudo systemctl status fail2ban.service

Here are some simple commands. To check the status of fail2ban or a specific jail, use:

fail2ban-client status

For individual jail, you can run:

fail2ban-client status sshd

Noor Qureshi

Experienced Founder with a demonstrated history of working in the computer software industry. Skilled in Network Security and Information Security.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button