Introduction to Fail2ban
Fail2ban is an intrusion-prevention daemon for Linux. It scans log files for patterns of abuse (for example, repeated failed SSH logins from one address) and temporarily blocks the offending IP by inserting a firewall rule. Unlike a static firewall rule set, it reacts to what actually shows up in your logs, which makes it effective at slowing brute-force attacks. Treat it as a rate limiter rather than as authentication: an attacker spreading attempts across many addresses still gets a few guesses from each, so strong credentials (or keys) remain the real defense.
Prerequisites
- Linux Server: Ubuntu/Debian or CentOS/RHEL.
- Root Access: sudo privileges.
- Basic Firewall: iptables, ufw, or firewalld installed.
- Text Editor: Familiarity with nano/vim.
Step 1: Installation
Ubuntu/Debian:
sudo apt update
sudo apt install fail2ban -y
CentOS/RHEL:
sudo yum install epel-release -y
sudo yum install fail2ban -y
Step 2: Configuration Basics
Fail2ban's core files reside in /etc/fail2ban/:
- jail.conf: Main configuration shipped by the package. Avoid editing it directly; package upgrades overwrite it. Put your settings in jail.local, which is read after jail.conf and overrides it key by key.
- jail.d/: Drop-in directory for additional jail overrides (Debian/Ubuntu ship a defaults-debian.conf here that already enables the sshd jail).
- filter.d/: Regular expressions (filters) that recognise failures for different services (SSH, Apache, Nginx, etc.).
- action.d/: The commands run to ban and unban an address (iptables, nftables, firewalld, ufw, mail notifications, ...).
Create a Custom Config:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Copying the whole file works, but the comment at the top of jail.conf recommends a jail.local that contains only the keys you change. A small override file is easier to review and does not silently pin old defaults after an upgrade; the snippets in the following steps are written so they can be pasted into such a file.
Step 3: SSH Protection Example
Enable the SSH Jail (in jail.local):
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = 3
bantime = 1h
findtime = 600
- maxretry: 3 failed attempts trigger a ban.
- bantime: Ban duration (1 hour).
- findtime: Time window for counting failures (10 minutes). Three failures spread over a day never add up to a ban; three within ten minutes do.
- logpath = %(sshd_log)s resolves to the distribution's SSH log (typically /var/log/auth.log on Debian/Ubuntu, /var/log/secure on CentOS/RHEL). On systems that keep authentication logs only in the systemd journal (no /var/log/auth.log exists), add backend = systemd to this jail so Fail2ban reads the journal instead of a file.
Step 4: Whitelist Trusted IPs
Prevent your own IP from being blocked (a typo-heavy login session from a trusted host would otherwise lock you out):
[sshd]
...
ignoreip = 192.168.1.100 203.0.113.5
(Replace with your actual IPs. Entries are space-separated and may be CIDR ranges such as 10.0.0.0/8; putting ignoreip under [DEFAULT] instead of [sshd] applies it to every jail.)
Step 5: Apply & Monitor
- Restart Fail2ban:
sudo systemctl restart fail2ban
- Check Status:
sudo fail2ban-client status sshd
Example Output:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 12
|  `- Total failed:     24
`- Actions
   |- Currently banned: 2
   `- Banned IP list:   ...
- View Banned IPs:
sudo fail2ban-client banned
Advanced: Email Alerts
Get notified when an IP is banned. action_mwl bans the address and mails a report containing the whois record and the matching log lines (action_mw sends whois only; action_ sends no mail):
[sshd]
...
action = %(action_mwl)s
Configure the addresses once, under [DEFAULT] in jail.local, so every jail uses them:
[DEFAULT]
destemail = admin@yourdomain.com
sender = fail2ban-alert@yourdomain.com
The mail actions call the local sendmail binary and the whois command, so a working MTA (or a sendmail-compatible relay such as msmtp) and the whois package must be installed, or the ban still happens but the action logs an error and no mail arrives.
Step 6: Custom Filters (e.g., Nginx)
- Create a filter in /etc/fail2ban/filter.d/nginx-badbots.conf:
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*" (403|404) .*$
ignoreregex =
The <HOST> tag is mandatory: Fail2ban replaces it with its own address pattern and uses that capture to decide whom to ban. A failregex without it (for example one starting with ^ .*) fails to load and the jail never bans anyone. The rest of the pattern follows nginx's default log format, where the client address comes first, followed by the request in quotes and then the status code.
- Add a jail in jail.local:
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 10
Ordinary visitors also produce 403 and 404 responses (broken links, missing favicons, stale bookmarks), so this jail is far noisier than the sshd jail. Raise maxretry well above the default, check the match count with fail2ban-regex against a real access log before enabling it, and keep your own addresses in ignoreip.
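The jail parameters from Step 3 and the filter from Step 6 are easier to understand when you can watch them act on log lines. The following script is an added example, not part of the Fail2ban project or of this guide's original text: it replays a constructed nginx access log through a simplified model of a jail, applying the nginx-badbots failregex, the ignoreip whitelist, and the maxretry/findtime/bantime rules. The IPv4-only stand-in for Fail2ban's <HOST> substitution, the sample log lines, and the function names are all assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2ban replaces the <HOST> tag of a failregex with a pattern that captures
# the client address. This IPv4-only stand-in for that substitution is an
# assumption of this example; Fail2ban's real pattern also handles IPv6.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The nginx-badbots failregex from Step 6, as a Python regex. A named group
# for the nginx timestamp is added so findtime can be applied per line.
FAILREGEX = re.compile(
    r'^<HOST> -.*\[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD)[^"]*" (?:403|404) .*$'
    .replace("<HOST>", HOST_RE)
)
NGINX_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample in nginx's default log format (not real traffic).
# 198.51.100.7 is a scanner, 203.0.113.9 a normal visitor hitting dead links,
# 192.168.1.100 the admin's own host from the ignoreip list in Step 4.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /.env HTTP/1.1" 403 162 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:11 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.168.1.100 - - [10/Oct/2023:13:56:00 +0000] "GET /draft HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.168.1.100 - - [10/Oct/2023:13:56:01 +0000] "GET /draft2 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.168.1.100 - - [10/Oct/2023:13:56:02 +0000] "GET /draft3 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:30:00 +0000] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:15:10:00 +0000] "GET /gone HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:15:10:01 +0000] "GET /gone2 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""


def count_matches(log_text):
    """Number of lines the failregex matches, like fail2ban-regex's summary."""
    return sum(1 for line in log_text.splitlines() if FAILREGEX.match(line))


def simulate_jail(log_text, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
    """Replay a log through a simplified jail; return {host: ban start time}.

    Mirrors the jail.local parameters: a host is banned once it accumulates
    maxretry failures within findtime seconds, stays banned for bantime
    seconds, and is never banned if it appears in ignoreip.
    """
    recent = defaultdict(deque)  # host -> failure timestamps inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failure line (e.g. a 200 response)
        host = m.group("host")
        if host in ignoreip:
            continue  # whitelisted, exactly like ignoreip in jail.local
        ts = datetime.strptime(m.group("ts"), NGINX_TS)
        if host in bans and ts < bans[host] + timedelta(seconds=bantime):
            continue  # still banned; a real firewall rule would drop this traffic
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[host] = ts
            window.clear()
    return bans


if __name__ == "__main__":
    print(f"{count_matches(SAMPLE_LOG)} lines match the failregex")
    for host, start in simulate_jail(SAMPLE_LOG, ignoreip={"192.168.1.100"}).items():
        print(f"ban {host} at {start:%H:%M:%S} for 1h")
```

With the Step 3 values (maxretry 3, findtime 600) only the scanner is banned, at its third failure; the visitor's four 404s are spread over more than an hour and never fall into one ten-minute window, and the whitelisted admin host is skipped even though it fails three times in three seconds. Drop ignoreip or lower maxretry to 2 and watch who else gets caught, which is the same tuning exercise you do for the real jail with fail2ban-regex and the jail status output.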
Troubleshooting
- Logs:
tail -f /var/log/fail2ban.log
- Test Regex (prints how many lines matched and which ones did not; run it against the nginx filter and access log the same way before enabling a custom jail):
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
- Unban IP:
sudo fail2ban-client set sshd unbanip 192.0.2.100
Conclusion
Fail2ban transforms your server from a passive target into an active fortress against brute-force attacks. By monitoring logs and automating IP bans, it drastically reduces unauthorized access risks. Start with the SSH jail, expand to web services, and always whitelist trusted IPs!
Pro Tip: Combine Fail2ban with SSH key authentication and set PasswordAuthentication no in sshd_config. With passwords disabled a brute-force attack cannot succeed at all, and Fail2ban's job becomes keeping log noise and connection load down. 🔑
> Disclaimer: Test configurations in a non-production environment first. Adjust bantime and maxretry based on your threat tolerance.