Linux Tactic

Fail2Ban: A Must-Have Tool for Securing Your Linux Server

Secure your VPS with Fail2Ban

Online security is becoming more critical than ever before. With so many relentless attacks happening on servers around the world daily, you must take steps to ensure the safety of your virtual private servers (VPS).

Repeated SSH login attempts, known as brute-force attacks, are among the most common attacks against Internet-facing servers: bots try username and password combinations until one works. Fortunately, there is a simple tool that helps you contain these attempts and protect your data.

Available for every major Linux distribution, Fail2Ban is open-source software that watches your server’s logs and adds a layer of defence: automated, temporary bans of addresses that make too many failed attempts.

What is an SSH Brute-Force Attack?

The Secure Shell (SSH) is a protocol for secure access to remote systems over IP networks. It lets system administrators and developers manage machines remotely over an encrypted channel, unlike the plaintext Telnet and FTP it replaced.

Encryption does not stop password guessing, however. Any SSH server that accepts password authentication can be attacked by brute force, whatever the protocol version. A brute-force attack is an attempt to guess login credentials, such as usernames and passwords, in order to gain unauthorized access to a system.

In a brute force attack, a hacker will repeatedly try to log in to your server, basing their attacks on trial and error. They use various combinations of usernames, passwords, or other authentication data to identify the right combination.

Once the hacker gains access, they can either damage your data or steal it. Brute force attacks can cause significant inconvenience and security concerns.

What is Fail2Ban?

Fail2Ban is an intrusion-prevention tool that monitors your server’s logs for failed login attempts.

When an address exceeds a configured number of failures within a time window, Fail2Ban bans it, by default temporarily, by inserting a firewall rule that drops its traffic (a permanent ban can be configured). The result is an automated system that protects your server from brute-force attacks without the admin having to intervene by hand.

We will guide you through installing Fail2Ban on a VPS running CentOS, Red Hat, Debian, or Ubuntu. Each section comes with a step-by-step guide so that you do not miss anything.

Installing Fail2ban on CentOS and RedHat

To install Fail2Ban on your CentOS or Red Hat server, follow these steps:

1. Open the terminal and switch to the root account:

$ sudo su

2. Update the installed packages so that you get the latest available version of Fail2ban:

# yum update

3. Fail2Ban is not in the base repositories; it ships in EPEL (Extra Packages for Enterprise Linux). On CentOS, enable EPEL and then install the package:

# yum install epel-release
# yum install fail2ban

(On Red Hat Enterprise Linux, enable the EPEL repository by the method Red Hat documents for your release before running the second command.)

4. Enable the service so that it starts at boot, and start it now:

# systemctl enable fail2ban.service
# systemctl start fail2ban.service

5. Confirm that the daemon answers and see which jails are active:

# fail2ban-client status

On CentOS and Red Hat the package enables no jails out of the box, so this list stays empty until you turn on at least the sshd jail (set `enabled = true` in an `[sshd]` section of /etc/fail2ban/jail.local and restart the service). The configuration section below covers this.

Installing Fail2ban on Debian and Ubuntu

To install Fail2ban on Debian or Ubuntu, follow these steps:

1. Log in to your server with an account that can use sudo.

2. Refresh the package lists:

$ sudo apt-get update

3. Ensure all installed packages are up to date:

$ sudo apt-get upgrade

4. Install Fail2ban:

$ sudo apt-get install fail2ban

5. Check the status of Fail2ban. The Debian and Ubuntu packages start the service on installation and enable the sshd jail by default (through /etc/fail2ban/jail.d/defaults-debian.conf), so `sshd` should already appear in the jail list:

$ sudo fail2ban-client status

6. Be sure Fail2Ban is started automatically at boot:

$ sudo systemctl enable fail2ban.service

Conclusion

Securing your VPS is vital. Fail2ban helps to detect brute-force attacks and block IP addresses that have attempted to access your server by guessing usernames and passwords excessively.

This article offers a step-by-step guide on how to install Fail2Ban on different Linux distributions, including Ubuntu, Debian, CentOS, and Red Hat. With this software, server administrators can protect their servers from brute-force attacks against SSH and against any other service whose failed logins appear in the logs.

Fail2Ban’s configuration files are essential for the software to operate correctly. In this article, we explain the main configuration files, the options you should set for your jails, and why those settings belong in a local override file rather than in jail.conf itself.

Additionally, we show the day-to-day commands for using Fail2Ban to secure Linux servers.

Understanding Fail2Ban Configuration Files

Fail2Ban keeps its settings and rules in plain-text configuration files under /etc/fail2ban. Three pieces matter most: the jail configuration (jail.conf, overridden by jail.local and by files in the jail.d directory), the filter.d directory, and the action.d directory.

The jail configuration controls the general behaviour of Fail2Ban.

It defines which jails are enabled, which log file and filter each jail watches, how many failures trigger a ban and for how long, and which action performs the ban. The action.d directory holds the action definitions that Fail2Ban executes when a jail bans or unbans an IP.

These include inserting a firewall rule with the `iptables` command (or with firewalld, nftables, ufw, or the firewalls of other operating systems), sending a notification email, and other commands. The filter.d directory holds the filter definitions, one per service: each is a set of regular expressions that tell Fail2Ban which log lines count as a failure and where in the line the client address appears.

Jail.conf and Configuration Options

jail.conf is the primary configuration file that Fail2Ban uses to control its behaviour. It sets defaults for every jail in its `[DEFAULT]` section and declares one jail section per service.

Do not edit jail.conf directly, because the next package upgrade will overwrite your changes. Put your overrides in /etc/fail2ban/jail.local (or in a file under jail.d), which Fail2Ban reads after jail.conf; any option you set there replaces the packaged default. A jail is active only when its section contains `enabled = true`.

The essential options to review for each jail you activate are `maxretry`, `bantime`, `findtime` and `ignoreip`.

`maxretry` defines how many failed attempts from one IP trigger a ban. The packaged default is 5. `bantime` sets how long the ban lasts, in seconds.

The default is 600 seconds, which is ten minutes. A negative value (`-1`) bans permanently, and recent versions also accept suffixes such as `1h` or `1d`. `findtime` is the window over which `maxretry` is counted: an IP is banned once it has produced `maxretry` failures within the last `findtime` seconds, and failures older than the window no longer count.

The default is also ten minutes, but you can set it as you please.

Another option that may interest you is the `ignoreip` option.

As the name implies, this option lists addresses or networks (space-separated) that no enabled jail will ever ban. It is particularly useful for an address that logs in to your server frequently, such as your office IP, so that a few mistyped passwords do not lock you out. Keep the list as narrow as possible: anything on it is exempt from every jail.
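To make the layering concrete, here is an added example (not part of the original article or of Fail2Ban itself) that reads a constructed jail.conf and jail.local with Python’s configparser, the same INI format Fail2Ban uses, and resolves the effective settings of the sshd jail. The file contents, the jail name and the time-suffix parser are simplified stand-ins for the real ones; Fail2Ban’s own parser handles more forms (includes, `%(...)s` interpolation, multi-unit durations).

```python
import configparser
import re

# Constructed stand-ins for the packaged defaults and the admin's local override
# (not copied from a real Fail2Ban installation).
JAIL_CONF = """\
[DEFAULT]
enabled = false
bantime = 10m
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1

[sshd]
port = ssh
logpath = /var/log/auth.log
"""

JAIL_LOCAL = """\
[DEFAULT]
bantime = 1h
maxretry = 3
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[sshd]
enabled = true
bantime = 1d
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Simplified version of Fail2Ban's duration parsing.

    Accepts plain seconds ('600') or a single unit suffix ('10m', '1h', '1d', '1w');
    a negative number means a permanent ban and is returned as -1.
    """
    m = re.fullmatch(r"\s*(-?\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    return -1 if n < 0 else n * _UNITS[unit]


def load_jails(*sources):
    """Read jail.conf first, then jail.local: later sources override earlier keys,
    which is exactly how Fail2Ban layers its configuration."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in sources:
        cp.read_string(text)
    return cp


def effective(cp, jail):
    """Resolve one jail's settings, including values inherited from [DEFAULT]."""
    s = cp[jail]
    return {
        "enabled": s.getboolean("enabled"),
        "bantime": parse_time(s["bantime"]),
        "findtime": parse_time(s["findtime"]),
        "maxretry": s.getint("maxretry"),
        "ignoreip": s["ignoreip"].split(),
        "logpath": s["logpath"],
    }


if __name__ == "__main__":
    cfg = load_jails(JAIL_CONF, JAIL_LOCAL)
    for key, val in effective(cfg, "sshd").items():
        print(f"{key:9} = {val}")
```

Reading only the first source reproduces the packaged defaults (jail disabled, five retries, ten-minute ban); adding the local file flips `enabled`, tightens `maxretry` to 3 for every jail and gives sshd a one-day ban while leaving `findtime` at its default.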

How to Use Fail2Ban to Secure Linux Server

After installing Fail2Ban and putting your changes in jail.local, check which jails are active and how they perform.

Enabling and Checking Active Jails

To check enabled jails on your system, execute the command:

$ fail2ban-client status

The output lists the active jails and how many there are. Passing a jail name as a further argument (for example `sshd`) shows that jail’s failure count, the log file it monitors, and the addresses currently banned.

Checking Fail2Ban Log and Banned IPs

After checking on active jails, it’s essential to keep an eye on Fail2Ban’s log files. The log files contain all the relevant information about any IP addresses that have been banned, which jail they were banned in, when they were banned, and more.

To check the Fail2Ban log, use the command:

$ sudo tail -f /var/log/fail2ban.log

This command displays the latest log entries continuously in real-time. You can monitor the logs and see which IPs have been banned and what jails they were banned in.

Permanently Banning an IP and Unbanning It

By default, Fail2Ban bans an IP temporarily: the ban action inserts a firewall rule (the default iptables action uses the `-I` option) and the matching unban action removes it again when `bantime` expires. If you want some addresses blocked for good, the cleaner way is to let Fail2Ban do it, by setting `bantime = -1` in the relevant jail or by issuing a manual `banip` through fail2ban-client. Alternatively, you can add a rule to the firewall yourself.

To do this, execute the command:

$ sudo iptables -A INPUT -s IP_ADDRESS -j DROP

This appends a DROP rule to the running ruleset only. It is not written to any configuration file, so it disappears at the next reboot or firewall reload unless you save the ruleset with your distribution’s persistence mechanism (for example iptables-save), and Fail2Ban is unaware of it and will never remove it. Additionally, you can unban an IP address that Fail2Ban has banned.

To unban an IP, execute the command:

$ sudo fail2ban-client set JAIL_NAME unbanip IP_ADDRESS

This command removes the IP address from the specified jail’s ban list and runs the unban action, which deletes the firewall rule.

Whitelisting an IP and Removing It from the Whitelist

Finally, whitelisting is an essential feature in Fail2Ban: a whitelisted address is never banned by the jail, even if its log lines match the filter. To whitelist an IP address at run time, execute the command:

$ sudo fail2ban-client set JAIL_NAME addignoreip IP_ADDRESS

This command tells Fail2Ban to ignore that IP address for the specific jail. Two caveats: the change lives only in the running daemon and is lost on restart (put the address in `ignoreip` in jail.local to make it permanent), and it does not lift a ban that is already in place, so follow it with `unbanip` if the address is currently blocked.

You can also remove an IP address from the whitelist using the command:

$ sudo fail2ban-client set JAIL_NAME delignoreip IP_ADDRESS

This command removes the IP address from the list of ignored IPs in the specified jail.

Conclusion

Fail2Ban is an essential tool for protecting your Linux server, especially when it exposes SSH or another password-authenticated service to the Internet. Configuring and customizing Fail2Ban can seem daunting to beginners, but once you know the main configuration files and the handful of fail2ban-client commands above, it becomes an indispensable part of the server’s security.

Fail2Ban is an open-source software that has become a staple among Linux users looking to prevent unauthorized access to their servers. In this article, we have looked at the importance of Fail2Ban in thwarting brute-force attacks and how it works.

We have also discussed configuring jail.conf, checking active jails, banning and unbanning IPs, as well as whitelisting and removing them from the whitelist. Although Fail2Ban’s primary function is IP banning and unbanning, it also has other features worth mentioning.

Actions

Actions are the steps Fail2Ban takes when a jail bans (and later unbans) an address; their definitions live in action.d. The ones you are most likely to use are the iptables actions, the actions for other firewalls, and `hostsdeny`.

`iptables-multiport` is the default action for Fail2Ban: it adds a rule to a Fail2Ban-managed chain in the server’s iptables firewall that drops traffic from the banned IP, temporarily or permanently depending on `bantime`. The action works on servers whose firewall is managed with the `iptables` command.

If your firewall is managed by another tool, use the matching action instead of the iptables one, because two tools rewriting the same ruleset will interfere with each other: Fail2Ban ships `firewallcmd-*` actions for firewalld, `nftables` for nftables, `ufw` for ufw, and `pf` and `ipfw` for the BSD firewalls. The `hostsdeny` action adds the IP to /etc/hosts.deny instead of touching the firewall; it only affects services that honour TCP Wrappers, and OpenSSH dropped that support in version 6.7, so on a modern server it protects very little.

Mail Notifications

Fail2Ban can also send an email when a jail bans an address. The stock `sendmail` and `sendmail-whois` actions in action.d do this; the `action_mw` and `action_mwl` shortcuts defined in jail.conf combine the firewall ban with a mail (the latter also attaching the matching log lines), and `destemail` and `sender` set the recipient and sender addresses.

Such a mail tells the administrator which jail fired, which address was banned and, with the whois variants, who owns that address range, so that they can act promptly. On an Internet-facing server the volume can be high; if you receive dozens of bans a day, it is usually better to leave mail off and review /var/log/fail2ban.log or forward it to a central log system instead.

Filters

Filters are configuration files in filter.d that describe what a failure looks like in a given service’s log. Each filter contains one or more `failregex` patterns with a `<HOST>` placeholder marking where the client address appears, and optionally `ignoreregex` patterns for lines that must never count. Fail2Ban applies the jail’s filter to each new line of the jail’s log and, for every match, records a failure against the extracted address.

Filters ship for many services, among them `sshd`, `apache-auth`, `nginx-http-auth` and `postfix`. Knowing which filters exist lets administrators protect each exposed service, not just SSH.

If a log format is not covered, you can write a custom filter. The `fail2ban-regex` tool tests a filter against a log file and reports which lines matched, so you can validate a new filter before enabling it in a jail.
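To show how a filter and the `findtime`/`maxretry` settings described earlier combine into a ban decision, here is an added example in Python (not code from the original article or from the Fail2Ban project). It runs a simplified failregex, modelled on the patterns in filter.d/sshd.conf, over constructed auth.log lines and replays Fail2Ban’s counting rule: an address is banned once it has `maxretry` matches within the last `findtime` seconds, unless it is covered by `ignoreip`. The log lines, the addresses, the whitelist and the `<HOST>` expansion are assumptions made for the example; the real `<HOST>` pattern and the real failregex set are more elaborate.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log-style lines for the example (not captured from a real host).
# 198.51.100.7: three failures within eight seconds.
# 192.0.2.50:   three failures fifteen minutes apart.
# 203.0.113.10: the admin's workstation (whitelisted below), also with three quick failures.
SAMPLE_LOG = """\
Mar 10 12:00:01 vps sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51812 ssh2
Mar 10 12:00:04 vps sshd[2103]: Failed password for root from 198.51.100.7 port 51820 ssh2
Mar 10 12:00:05 vps sshd[2104]: Accepted publickey for deploy from 203.0.113.10 port 40022 ssh2
Mar 10 12:00:09 vps sshd[2105]: Failed password for root from 198.51.100.7 port 51831 ssh2
Mar 10 12:05:00 vps sshd[2110]: Failed password for alice from 192.0.2.50 port 50001 ssh2
Mar 10 12:20:00 vps sshd[2112]: Failed password for alice from 192.0.2.50 port 50002 ssh2
Mar 10 12:35:00 vps sshd[2114]: Failed password for alice from 192.0.2.50 port 50003 ssh2
Mar 10 12:40:00 vps sshd[2116]: Failed password for root from 203.0.113.10 port 40100 ssh2
Mar 10 12:40:02 vps sshd[2117]: Failed password for root from 203.0.113.10 port 40101 ssh2
Mar 10 12:40:04 vps sshd[2118]: Failed password for root from 203.0.113.10 port 40102 ssh2
"""

# Simplified failregex modelled on filter.d/sshd.conf; <HOST> is Fail2Ban's
# placeholder for the client address.
FAILREGEX = r"Failed \S+ for (?:invalid user )?\S+ from <HOST>(?: port \d+)?(?: ssh\d*)?$"

# Assumed whitelist for the example: loopback plus the admin's workstation.
DEFAULT_IGNOREIP = ("127.0.0.1/8", "::1", "203.0.113.10")


def compile_failregex(failregex):
    """Expand <HOST> into a capture group. Fail2Ban's real expansion is stricter
    (it also strips IPv4-mapped IPv6 prefixes); a non-space run is enough here."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def parse_timestamp(line, year=2024):
    """Syslog timestamps carry no year; assume one so that time arithmetic works."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def is_ignored(host, ignoreip):
    """True if host falls inside any address or CIDR network listed in ignoreip."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def run_jail(log_text, failregex=FAILREGEX, maxretry=3, findtime=600,
             ignoreip=DEFAULT_IGNOREIP):
    """Replay log lines through one jail and return {banned_ip: time_of_ban}.

    Counting rule as in Fail2Ban: a host is banned when it has produced
    maxretry matching lines within the last findtime seconds.
    """
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)    # host -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        match = pattern.search(line)
        if not match:
            continue                 # not a failure line for this filter
        host = match.group("host")
        if host in banned or is_ignored(host, ignoreip):
            continue
        now = parse_timestamp(line)
        recent = failures[host]
        recent.append(now)
        while recent and now - recent[0] > window:
            recent.popleft()         # failures older than findtime no longer count
        if len(recent) >= maxretry:
            banned[host] = now
    return banned


if __name__ == "__main__":
    for ip, when in run_jail(SAMPLE_LOG).items():
        print(f"[sshd] Ban {ip} at {when:%H:%M:%S}")
    # Widening findtime to an hour also catches the slow attacker.
    print(sorted(run_jail(SAMPLE_LOG, findtime=3600)))
```

With the defaults only 198.51.100.7 is banned: the slow attacker at 192.0.2.50 never accumulates three failures inside a ten-minute window, and the whitelisted workstation is skipped entirely. Raising `findtime` to an hour catches the slow attacker too, which is the trade-off the option controls. On a real server, test a filter against a real log with `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`.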

Encouragement to Explore and Experiment with Fail2Ban

Fail2Ban is an open-source project with a large community of developers and users continually updating and enhancing the software. Its defaults are a reasonable starting point once the sshd jail is enabled, but exploring and experimenting with Fail2Ban unlocks more of its potential.

For instance, administrators can study the shipped filters and adapt them to the phrases that appear in their own logs. They can also try the different actions to find the one that fits their firewall.

Finally, administrators can customize Fail2Ban’s mail notifications to stay informed when their servers come under attack. In summary, Fail2Ban is a useful tool for every server admin, and exploring its features helps tighten server security.

By learning to configure the jail settings, check active jails, ban and unban IPs, whitelist addresses and remove them again, and use actions, mail notifications and filters, administrators get the most out of the software. Fail2Ban may seem daunting at first, but its effectiveness against brute-force attacks should not be underestimated.

Fail2Ban is a crucial tool for protecting Linux servers from brute-force attacks. By monitoring logs for failed login attempts, it automatically bans the offending IP addresses.

The jail configuration lets you set the ban duration, the number of failures that trigger a ban, and the trusted addresses to exempt; actions, mail notifications and filters extend it to other firewalls and services.

Keep its limits in mind, though. Fail2Ban reacts after failures have been logged, so it slows credential guessing rather than preventing it, and an attacker who spreads attempts across many source addresses stays under `maxretry` on each one. It is a second layer behind the basics: SSH keys instead of passwords (`PasswordAuthentication no` in sshd_config), no direct root login, and a firewall that exposes only the ports you need.

With those in place and Fail2Ban watching the logs, server admins can safeguard their systems effectively against unauthorized access.
