Fail2ban: Brute Force Protection

How to install and configure Fail2ban to protect your server from SSH and web brute force attacks

Fail2ban monitors your server logs and automatically blocks IPs that make repeated failed login attempts. It's one of the most important basic security tools for any server exposed to the internet.


Installation

# Debian/Ubuntu
apt install fail2ban -y

# CentOS/AlmaLinux
dnf install fail2ban -y

# Enable and start
systemctl enable fail2ban
systemctl start fail2ban

Configuration

Fail2ban uses configuration files in /etc/fail2ban/. Never edit jail.conf directly, because package updates can overwrite it. Instead create jail.local, whose settings take precedence:

nano /etc/fail2ban/jail.local

Recommended base configuration:

[DEFAULT]
# Ban for 1 hour (3600 seconds)
bantime  = 3600

# Count failures within the last 10 minutes
findtime = 600

# Ban after 5 failed attempts
maxretry = 5

# Email notifications (optional)
# destemail = admin@example.com
# action = %(action_mwl)s

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3

[nginx-http-auth]
enabled = true

[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2

After modifying the configuration, restart Fail2ban:

systemctl restart fail2ban

Useful Commands

Check Status

fail2ban-client status

View Banned IPs in a Jail

fail2ban-client status sshd

Unban an IP

fail2ban-client set sshd unbanip IP_TO_UNBAN

Manually Ban an IP

fail2ban-client set sshd banip IP_TO_BAN

View Fail2ban Logs

tail -f /var/log/fail2ban.log

Protect Other Services

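WordPress / Web Login

This jail refers to a custom filter, so a matching definition must exist in /etc/fail2ban/filter.d/ (nginx-wordpress.conf) before the jail can load:
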
[nginx-wordpress]
enabled  = true
port     = http,https
filter   = nginx-wordpress
logpath  = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime  = 3600
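
The jail above names a filter, nginx-wordpress, that the page does not define. The following added example (not from the original page or the Fail2ban project) takes a hypothetical failregex for it and replays constructed nginx access-log lines through the jail's maxretry = 5 / findtime = 300 window to show which client would be banned. The regex, the would_ban and access_line helpers and the sample IPs are assumptions; it assumes nginx's combined log format and that a failed WordPress login returns HTTP 200 while a successful one redirects.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical failregex for filter.d/nginx-wordpress.conf (assumption). A failed
# WordPress login re-renders the form (HTTP 200); a successful one redirects (302).
FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*" 200 '

# Fail2ban expands <HOST> itself; this simplified stand-in only handles IPv4.
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
TIME_RE = re.compile(r"\[([^\]]+)\]")

def would_ban(lines, maxretry=5, findtime=300):
    """Return IPs reaching maxretry matches within findtime seconds, in ban order."""
    recent = defaultdict(deque)   # ip -> timestamps of matches still in the window
    banned = []
    for line in lines:
        m = HOST_RE.match(line)
        if not m or m["host"] in banned:
            continue
        ts = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["host"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop matches older than findtime
        if len(window) >= maxretry:
            banned.append(m["host"])
    return banned

def access_line(ip, hhmmss, method, status):
    return f'{ip} - - [10/Mar/2025:{hhmmss} +0000] "{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"'

# Constructed nginx "combined" access-log lines (documentation IP ranges).
SAMPLE = (
    # 5 failed logins within 40 seconds: reaches maxretry
    [access_line("203.0.113.7", f"12:00:{s:02d}", "POST", 200) for s in range(0, 50, 10)]
    # 5 failed logins spread over 40 minutes: never 5 inside one 300 s window
    + [access_line("198.51.100.9", f"12:{m:02d}:00", "POST", 200) for m in range(0, 50, 10)]
    # page views and one successful login: the regex does not match these
    + [access_line("192.0.2.44", "12:05:00", "GET", 200)] * 6
    + [access_line("192.0.2.44", "12:05:30", "POST", 302)]
)

if __name__ == "__main__":
    print(would_ban(SAMPLE))   # → ['203.0.113.7']
```

On a real server, check the filter against the live log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-wordpress.conf` before enabling the jail.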

Postfix (Email)

[postfix]
enabled = true
port    = smtp,465,submission
logpath = %(postfix_log)s

MySQL

[mysqld-auth]
enabled = true
port    = 3306
logpath = %(mysql_log)s

Whitelist: Avoid Banning Yourself

Add your IP to the whitelist to avoid blocking yourself:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 YOUR_PUBLIC_IP

If you're the only one accessing the server, always add your IP to the whitelist before enabling Fail2ban. Otherwise you risk banning yourself after too many failed login attempts.
