
Protect Your Linux server from Brute Force Attacks with Fail2ban

Configure Fail2ban to automatically block IP addresses that show malicious signs like too many password failures.

January 7, 2025
10 min read

Fail2ban monitors log files and automatically blocks IP addresses showing malicious behavior. Learn how to protect your Linux server from brute force attacks.

What is Fail2ban?

Fail2ban:

  • Monitors log files for failed authentication attempts
  • Blocks attackers' IP addresses using firewall rules
  • Prevents brute force attacks
  • Protects SSH, web servers, email servers, and more

Prerequisites

  • A Linux server running Ubuntu or Debian
  • Root or sudo access
  • UFW or iptables firewall

Step 1: Install Fail2ban

sudo apt update
sudo apt install fail2ban

Start and enable service:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Check status:

sudo systemctl status fail2ban

Step 2: Configure Fail2ban

Create a local configuration (jail.conf is replaced on package upgrades, so site-specific changes belong in jail.local, which overrides it):

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Basic configuration:

[DEFAULT]
# Ban IP for 1 hour
bantime = 3600

# IP banned after 5 failures
maxretry = 5

# Within 10 minutes
findtime = 600

# Receive email notifications
destemail = admin@example.com
sendername = Fail2Ban
action = %(action_mwl)s

Step 3: Enable SSH Protection

In jail.local, find the [sshd] section:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 3600

If sshd listens on a custom port, set it here so the firewall rule blocks the right port:

port = 2222

Step 4: Protect Web Services

Nginx/Apache

[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s

[nginx-noscript]
enabled = true
port = http,https
logpath = %(nginx_access_log)s

WordPress

[wordpress-hard]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3

Step 5: Restart Fail2ban

Apply changes:

sudo systemctl restart fail2ban

Step 6: Monitor Fail2ban

Check status:

sudo fail2ban-client status

Check specific jail:

sudo fail2ban-client status sshd

View banned IPs:

sudo fail2ban-client status sshd | grep "Banned IP"

Check logs:

sudo tail -f /var/log/fail2ban.log
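The tail above shows the raw log; the following Python script is an added example for this article (not a Fail2ban tool) that parses fail2ban.log lines for Found, Ban and Unban events and computes, per jail, how many failures were seen, how many bans were issued and which addresses are still banned. The log lines it runs on are constructed samples in the format Fail2ban writes; the function names are the example's own.

```python
import re
from collections import defaultdict

# Matches the event lines fail2ban writes to /var/log/fail2ban.log, e.g.
#   2025-01-07 09:15:22,123 fail2ban.actions [1234]: NOTICE  [sshd] Ban 203.0.113.5
# Lines for other events (startup, jail added, ...) simply do not match.
EVENT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<module>\w+)\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban|Found) (?P<ip>\S+)"
)

# Constructed sample of a fail2ban.log (not taken from a real host).
SAMPLE_LOG = [
    "2025-01-07 09:00:00,000 fail2ban.server         [1234]: INFO    Starting Fail2ban",
    "2025-01-07 09:00:01,000 fail2ban.jail           [1234]: INFO    Jail 'sshd' started",
    "2025-01-07 09:15:19,500 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2025-01-07 09:15:19",
    "2025-01-07 09:15:20,100 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2025-01-07 09:15:20",
    "2025-01-07 09:15:21,700 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2025-01-07 09:15:21",
    "2025-01-07 09:15:22,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5",
    "2025-01-07 09:20:02,000 fail2ban.filter         [1234]: INFO    [nginx-http-auth] Found 203.0.113.9 - 2025-01-07 09:20:01",
    "2025-01-07 09:20:03,000 fail2ban.actions        [1234]: NOTICE  [nginx-http-auth] Ban 203.0.113.9",
    "2025-01-07 09:40:10,000 fail2ban.filter         [1234]: INFO    [sshd] Found 198.51.100.7 - 2025-01-07 09:40:09",
    "2025-01-07 09:40:11,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7",
    "2025-01-07 10:15:22,456 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5",
]


def parse_event(line):
    """Return the event fields of one log line, or None for non-event lines."""
    m = EVENT_LINE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per jail: failures found, bans issued, and the set of addresses still banned."""
    report = defaultdict(lambda: {"found": 0, "bans": 0, "active": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        jail = report[ev["jail"]]
        if ev["event"] == "Found":
            jail["found"] += 1
        elif ev["event"] == "Ban":
            jail["bans"] += 1
            jail["active"].add(ev["ip"])
        elif ev["event"] == "Unban":
            jail["active"].discard(ev["ip"])
    return dict(report)


def format_report(report):
    """Render the summary in the style of a short status report."""
    out = ["Fail2ban Log Summary", "===================="]
    for jail in sorted(report):
        r = report[jail]
        out.append(f"[{jail}] found={r['found']} bans={r['bans']} "
                   f"currently banned={', '.join(sorted(r['active'])) or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    # To run over the real log instead: summarize(open("/var/log/fail2ban.log"))
    print(format_report(summarize(SAMPLE_LOG)))
```

Because a Ban followed by an Unban leaves the address out of the "currently banned" set, this reproduces what `fail2ban-client status <jail>` reports from the log alone, which is useful when you want to audit past activity rather than only the live state.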

Step 7: Manage Banned IPs

Manually ban IP:

sudo fail2ban-client set sshd banip 192.168.1.100

Unban IP:

sudo fail2ban-client set sshd unbanip 192.168.1.100

Unban all IPs:

sudo fail2ban-client unban --all

Step 8: Whitelist IPs

Add trusted IPs to jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 203.0.113.100

Advanced Configuration

Increase the ban time for repeat offenders:

Create /etc/fail2ban/action.d/iptables-repeater.local (the excerpt below shows only the actionban entry; a complete action file also defines actionstart, actionstop, actioncheck and actionunban, and the jail must reference the action in its action setting). Fail2ban 0.11 and later can also escalate bans without a custom action via bantime.increment = true in [DEFAULT]:

[Definition]
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            echo $(( $(date +%%s) + 604800 )) > /var/lib/fail2ban/repeater-<ip>

Email notifications:

[DEFAULT]
action = %(action_mwl)s
destemail = admin@example.com
sender = fail2ban@example.com

Custom filters:

Create a filter in /etc/fail2ban/filter.d/myapp.conf:

[Definition]
# <HOST> is replaced by Fail2ban with a pattern matching the client address;
# this line matches nginx access-log entries for failed POST /login requests.
failregex = ^<HOST> .* "POST /login HTTP/1.1" 401
ignoreregex =

Use in jail:

[myapp]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
filter = myapp
maxretry = 5

Best Practices

1. Monitor logs regularly: check which IPs are being blocked and why
2. Whitelist your own IP (ignoreip): don't lock yourself out
3. Choose a reasonable maxretry: too low blocks legitimate users who mistype a password
4. Increase bantime gradually: start with 1 hour and raise it for repeat offenders
5. Test filters: run fail2ban-regex against a log sample before enabling a jail
6. Back up your configuration: keep a copy of your jail.local file
7. Keep Fail2ban updated: sudo apt update && sudo apt upgrade fail2ban

Troubleshooting

Fail2ban not blocking:

Check firewall integration:

sudo fail2ban-client get sshd actioncheck

Service won't start:

Check configuration syntax:

sudo fail2ban-client -t

Locked out of SSH:

From your hosting panel's console (the ban only blocks the network path, so out-of-band console access still works):

sudo fail2ban-client set sshd unbanip YOUR_IP

Monitoring Script

Create /usr/local/bin/fail2ban-report.sh:

#!/bin/bash
# Print the status of every active jail (failure counts, banned IPs).
echo "Fail2ban Status Report"
echo "====================="
# Take the "Jail list:" line of the global status and strip the prefix and commas.
for jail in $(sudo fail2ban-client status | grep "Jail list" | sed "s/.*://;s/,//g"); do
    echo -e "\n[$jail]"
    sudo fail2ban-client status "$jail"
done

Run daily via cron:

0 9 * * * /usr/local/bin/fail2ban-report.sh | mail -s "Fail2ban Report" admin@example.com

Conclusion

Fail2ban provides automated protection against brute force attacks. Combined with SSH keys and UFW firewall, your Linux server becomes significantly more secure.
