Fail2Ban is intrusion prevention software written in Python that protects servers from brute-force attacks. It scans system log files and bans IP addresses that show an excessive number of failed login attempts, automatically updating firewall rules (such as iptables) to reject traffic from those addresses for a configured period. It is most commonly used to stop SSH brute-force attacks.
Installing Fail2Ban
# For Ubuntu, Debian
sudo apt install -y fail2ban
# For CentOS, Fedora
sudo yum install -y epel-release
sudo yum install -y fail2ban
# Enable Fail2Ban service
systemctl enable --now fail2ban

Configuring Fail2Ban
The default configuration file for Fail2Ban is /etc/fail2ban/jail.conf.
Create a local override for your own settings by running cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local; values in jail.local take precedence over jail.conf.
Common parameters:
- enabled - Whether this jail is active
- port - Port number(s) of the monitored service
- filter - Log filter to apply; references a file in the /etc/fail2ban/filter.d directory
- logpath - Log file path of the monitored service (traditional log files, e.g., /var/log/auth.log)
- backend - Log backend (e.g., systemd, polling, auto)
- journalmatch - systemd journal filter expression (optional; works without it, but makes matching more precise and cheaper)
- ignoreip - Whitelisted IPs/networks (failures from these sources are ignored)
- maxretry - Number of failed attempts before a ban
- findtime - Time window within which failed attempts are counted
- bantime - Duration of the ban (supports s/m/h/d, or plain seconds)
Preventing SSH Brute-Force Attacks
Edit /etc/fail2ban/jail.local. Choose the variant that matches your log source: use logpath for traditional log files, or the systemd backend if only journald is available.
Below are two common configurations; use one of them:
1) Traditional log files (with /var/log/auth.log or /var/log/secure)

[sshd]
enabled = true
# Current SSH port number
port = 22
filter = sshd
# Ubuntu/Debian
logpath = /var/log/auth.log
# CentOS/RHEL
# logpath = /var/log/secure
# Comments stay on their own line: Fail2Ban only strips inline comments that start with ';', not '#'
# Maximum failed attempts
maxretry = 3
# Counting window (failed attempts accumulate within this time; plain seconds also accepted)
findtime = 5m
# Ban duration (supports s/m/h/d; plain seconds also accepted)
bantime = 1h

2) systemd journal (more universal for minimal systems or those without auth.log)

[sshd]
enabled = true
# Current SSH port number (multiple ports can be listed)
port = 22,20000
filter = sshd
# Read sshd messages from journald instead of a log file (needs the Python systemd binding, python3-systemd)
backend = systemd
# Maximum failed attempts
maxretry = 3
# Counting window (failed attempts accumulate within this time; plain seconds also accepted)
findtime = 5m
# Ban duration (supports s/m/h/d; plain seconds also accepted)
bantime = 24h

Restart Fail2Ban with systemctl restart fail2ban to apply the configuration.
At this point, if you deliberately enter wrong credentials more than maxretry times, the source IP is banned: SSH connections are rejected or time out, and you must wait for bantime to expire or unban the address manually before retrying.
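To see how maxretry, findtime, bantime and ignoreip interact, here is an added Python simulation (not part of Fail2Ban or this guide) that replays constructed auth.log lines through the same counting rule the sshd jail applies. It assumes a simplified version of the sshd failregex and a caller-supplied year, since syslog timestamps carry none.

```python
import re, ipaddress
from datetime import datetime, timedelta

# Simplified form of one failregex in filter.d/sshd.conf (the real filter covers far more variants).
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """Jail time value ('5m', '1h', '24h' or plain seconds) -> seconds."""
    value = value.strip()
    return int(value[:-1]) * UNITS[value[-1]] if value[-1] in UNITS else int(value)

def is_ignored(host, ignoreip):
    """True if host falls inside any space-separated IP/CIDR entry of ignoreip."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip.split())

def simulate_jail(log_lines, year, maxretry=3, findtime="5m", bantime="1h",
                  ignoreip="127.0.0.1/8 ::1"):
    """Replay auth.log lines through the sshd jail's counting rules and return
    {host: (ban_start, ban_end)} for hosts reaching maxretry failures within findtime."""
    window = timedelta(seconds=parse_time(findtime))
    ban_len = timedelta(seconds=parse_time(bantime))
    failures, bans = {}, {}
    for line in log_lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        host = m.group("host")
        if is_ignored(host, ignoreip) or host in bans:
            continue
        # syslog timestamps carry no year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        # keep only this host's failures still inside the sliding findtime window
        recent = [t for t in failures.get(host, []) if ts - t <= window] + [ts]
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host] = (ts, ts + ban_len)
    return bans

# Constructed sample log (RFC 5737 test addresses), not captured from a real host.
SAMPLE_LOG = [
    "Mar 10 12:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar 10 12:00:05 srv sshd[1002]: Failed password for root from 192.168.1.20 port 40000 ssh2",
    "Mar 10 12:01:10 srv sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "Mar 10 12:02:00 srv sshd[1004]: Accepted publickey for alice from 203.0.113.9 port 50000 ssh2",
    "Mar 10 12:03:30 srv sshd[1005]: Failed password for root from 203.0.113.5 port 51250 ssh2",
    "Mar 10 12:10:00 srv sshd[1006]: Failed password for root from 198.51.100.7 port 1111 ssh2",
    "Mar 10 12:20:00 srv sshd[1007]: Failed password for root from 198.51.100.7 port 1112 ssh2",
    "Mar 10 12:30:00 srv sshd[1008]: Failed password for root from 198.51.100.7 port 1113 ssh2",
]
```

With the whitelist from the next section (192.168.0.0/16 in ignoreip), only 203.0.113.5 is banned: its three failures fall inside one 5-minute window, while 198.51.100.7 spreads its attempts 10 minutes apart and never reaches maxretry, and the 192.168.1.20 failure is ignored outright.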
IP Whitelist (Optional)
If you need to always allow specific sources, set ignoreip in /etc/fail2ban/jail.local. Placing it in [DEFAULT] applies to all jails; placing it in [sshd] applies only to SSH. Single IPs, CIDR ranges and IPv6 addresses are supported; separate multiple entries with spaces. Example:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 10.0.0.0/8

Other Related Commands
# View generated iptables rules; `Chain f2b-sshd` is the chain created by Fail2Ban
iptables -nL
# Test the configuration
fail2ban-client -t
# View Fail2Ban logs (for debugging)
tail -n15 /var/log/fail2ban.log
# If the file doesn't exist, use:
# journalctl -u fail2ban -n 50 -f
# Follow sshd messages in the systemd journal in real time (replace the keyword as needed;
# note that -k would restrict output to kernel messages, so it is not used here)
journalctl -f | grep "sshd"
# Restart/reload
systemctl restart fail2ban # Restart the service (banned IPs may be cleared)
systemctl reload fail2ban # Reload the configuration (preserves the ban list)
# List all jails with an overview
fail2ban-client status
# View the `sshd` jail status
fail2ban-client status sshd
# Manually remove/add a banned IP
fail2ban-client set sshd unbanip x.x.x.x
fail2ban-client set sshd banip x.x.x.x

Conclusion
Even if you change the default SSH port, the new port may still be found by scanners. What matters is using key-based login (or at least strong passwords), combined with Fail2Ban for automatic banning.
Additionally, if the system has traditional log files, you can use tail -f /var/log/auth.log to view SSH login logs.
If using systemd logs, use journalctl -fu ssh (Debian/Ubuntu) or journalctl -fu sshd (CentOS/RHEL).