What is Fail2Ban and how do I use it to protect my server?

In an era where automated bots and attackers relentlessly scan servers looking for vulnerabilities, administrators have to keep their finger on the pulse of security. This is especially true for bruteforce attacks, where attackers endlessly try passwords hoping to hit the right one. If the server isn't secured, sooner or later someone will get in.

Fortunately, there's a tool that helps block such "guests" automatically. Meet Fail2Ban — a program that analyzes logs and blocks IP addresses from which suspicious activity is coming. How does it work and how do you set it up correctly? Let's find out.

Main threats Fail2Ban protects against

1. Bruteforce attacks

The most common threat — automated password guessing. Common targets include SSH (terminal access to the server), FTP (file access), mail services and site administration panels.

2. DDoS attacks on web applications

Some attackers flood web servers with a stream of requests in order to overload them and take them offline. Fail2Ban can detect such activity in the web server logs and block the attackers' IP addresses.

3. Hacking CMS and web applications

Attempts to exploit vulnerabilities in WordPress, Joomla and other CMS are also logged. Fail2Ban can monitor those logs and block IPs seen engaging in "bad" behavior.

How does Fail2Ban work?

Fail2Ban analyzes logs (e.g. /var/log/auth.log for SSH) and looks for repeated failed login attempts. If too many failures come from one IP within a short window, the program uses iptables (or another firewall backend, such as nftables or firewalld) to block that address temporarily.

Main components:

  • Jail — a rule that determines which logs to monitor and what action to take when suspicious activity is detected.
  • Filter — a pattern (regular expression) for finding suspicious log entries.
  • Action — a command executed when a filter is triggered (e.g., blocking the IP).
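To make the jail, filter and action relationship concrete, here is an added Python example (not part of the original article and not code from Fail2Ban itself) that reproduces the core detection logic over a few constructed auth.log lines: a simplified sshd failregex extracts the timestamp and source IP, failures per IP are counted inside a sliding findtime window, and an IP that reaches maxretry is "banned" for bantime. The log lines, the year 2024 used to complete the syslog timestamps, and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog layout of /var/log/auth.log
# (not real entries; RFC 5737 documentation addresses are used).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 12:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 12:00:30 host sshd[1004]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar 10 12:01:00 host sshd[1005]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 10 12:15:00 host sshd[1006]: Failed password for bob from 198.51.100.9 port 40003 ssh2
Mar 10 12:30:00 host sshd[1007]: Failed password for bob from 198.51.100.9 port 40004 ssh2
"""

# Simplified stand-in for the failregex in Fail2Ban's sshd filter: it must
# yield the timestamp and the offending host (what Fail2Ban calls <HOST>).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the year is assumed here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def simulate_jail(log_text, findtime=300, maxretry=3, bantime=600):
    """Replay log lines through jail logic; return {ip: datetime banned}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    banned = {}                  # ip -> time the ban action fired
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # the filter did not match: not a failure line
        ts, ip = parse_ts(m["ts"]), m["host"]
        if ip in banned and ts < banned[ip] + timedelta(seconds=bantime):
            continue  # still banned: the firewall rule would drop this traffic
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts   # this is where the action (e.g. iptables) runs
            window.clear()
    return banned


if __name__ == "__main__":
    for ip, when in simulate_jail(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the article's values (findtime 300, maxretry 3) only 203.0.113.7 is banned, at 12:00:09. The attempts from 198.51.100.9 arrive one every 15 minutes and never accumulate inside the window, which shows the trade-off behind findtime: a short window keeps false positives low but lets slow guessing through, while a longer one (3600 seconds catches it in this sample) trades the other way.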

Fail2Ban installation

In most Linux distributions, Fail2Ban can be installed with the standard command:

# For Debian/Ubuntu
sudo apt update && sudo apt install fail2ban -y

# For CentOS/RHEL
sudo yum install epel-release -y && sudo yum install fail2ban -y

After installation, Fail2Ban starts running with its default settings, but it needs to be configured for your server.

Basic settings and configuration

Editing the main configuration file /etc/fail2ban/jail.conf directly is not recommended, since a package upgrade overwrites it — it is better to create jail.local, which overrides it:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open jail.local and configure the defaults. Note that Fail2Ban treats # as a comment only at the start of a line (an inline comment must be written as ; after a space), so keep comments on their own lines:

[DEFAULT]
# Blocking time (in seconds)
bantime = 600
# Window within which failed attempts are counted (in seconds)
findtime = 300
# Number of failed attempts within findtime before blocking
maxretry = 5

Configuring SSH security

On Debian/Ubuntu the SSH log is /var/log/auth.log; on CentOS/RHEL it is /var/log/secure, and on systems that log only to the systemd journal, set backend = systemd instead of a logpath.

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Configuring protection of mail services

[postfix]
enabled = true
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

Configuring MySQL protection

Fail2Ban can only see failed MySQL logins if the server writes them to its error log (log_warnings = 2 in my.cnf on MySQL/MariaDB), so make sure logpath points at that error log.

[mysqld-auth]
enabled = true
filter = mysqld-auth
logpath = /var/log/mysql.log
maxretry = 3

Configuring Apache and Nginx protection

[apache-auth]
enabled = true
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 5

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5

After making changes, be sure to restart the service:

sudo systemctl restart fail2ban
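A check worth running before that restart: an added Python script (not from the article or the Fail2Ban project) that reads a jail.local and, for every enabled jail, verifies that the named filter exists in filter.d and that each logpath exists, the two mistakes that most often leave a jail silently inactive. The jail.local text is a constructed sample that follows the article's layout, the filter directory is the stock /etc/fail2ban/filter.d, and the nginx jail uses the stock filter name nginx-http-auth; the function name and its injectable path test are assumptions made for the example.

```python
import configparser
import os

FILTER_DIR = "/etc/fail2ban/filter.d"  # stock location of filter definitions

# Constructed jail.local in the article's layout (sample content, not a real server's file).
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 600
findtime = 300
maxretry = 5

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log

[mysqld-auth]
enabled = false
filter = mysqld-auth
logpath = /var/log/mysql.log
"""


def check_jails(jail_text, filter_dir=FILTER_DIR, exists=os.path.exists):
    """Return a list of (jail, problem) for enabled jails that cannot work.

    `exists` is the path test; it is injectable so the check can run against a
    fake filesystem. Interpolation is disabled because jail.conf uses %(name)s
    references that plain configparser would otherwise try to expand.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    problems = []
    for jail in cp.sections():
        sec = cp[jail]
        if not sec.getboolean("enabled", fallback=False):
            continue  # disabled jails are never started
        filt = sec.get("filter", jail)  # Fail2Ban defaults the filter to the jail name
        if not exists(os.path.join(filter_dir, filt + ".conf")):
            problems.append((jail, f"filter {filt}.conf not found in {filter_dir}"))
        if sec.get("backend", "auto") == "systemd":
            continue  # journal backend: no logpath needed
        for path in sec.get("logpath", "").split():
            if not exists(path):
                problems.append((jail, f"logpath {path} does not exist"))
    return problems


if __name__ == "__main__":
    # Against the real filesystem of the host running the script.
    for jail, problem in check_jails(SAMPLE_JAIL_LOCAL):
        print(f"[{jail}] {problem}")
```

Run it after editing jail.local and before restarting: a jail that points at a missing log file or a misspelled filter name is reported by fail2ban-client only after the restart fails, while this check finds it beforehand. The disabled mysqld-auth jail is skipped, as Fail2Ban itself would skip it.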

Fail2Ban monitoring and management

Check active jails:

sudo fail2ban-client status

View blocked IPs for SSH:

sudo fail2ban-client status sshd

Unban an IP manually:

sudo fail2ban-client set sshd unbanip 192.168.1.100

In conclusion

Fail2Ban is certainly not a panacea for all cyberattacks, but it is a powerful tool that can significantly reduce risk.

It takes a few minutes to set up, and the benefit is substantial. If you don't already have Fail2Ban on your server, now is the time to set it up and sleep better.