Colonel Server

fail2ban is a lightweight intrusion prevention tool that helps protect servers from automated attacks and botnets. It works by monitoring log files and blocking IP addresses that show suspicious behavior, such as repeated failed login attempts.

Important
Root-level access is required to install and configure fail2ban.

What fail2ban Does

fail2ban scans log files generated by services such as SSH and web servers. When a defined number of failures occurs from the same source within a specific time window, fail2ban automatically adds a firewall rule to block that IP address for a configurable duration.

This approach is particularly effective on publicly accessible systems such as VPS hosting in the Netherlands or self-managed dedicated servers, where services are directly exposed to the internet.

Installing fail2ban

Installation steps depend on the Linux distribution running on your server.

Debian and Ubuntu

Update the package index and install fail2ban:

apt-get update
apt-get install fail2ban

[Screenshot placeholder: apt package installation output for fail2ban]

AlmaLinux and Fedora

Install fail2ban using the system package manager:

yum install fail2ban

On these distributions, the EPEL repository must be enabled before installation.

[Screenshot placeholder: yum install fail2ban output with EPEL enabled]

Initial Configuration

fail2ban uses configuration files located in /etc/fail2ban. The default configuration file should not be edited directly, as it may be overwritten during updates.

Create a local configuration file by copying the default template:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

[Screenshot placeholder: terminal showing jail.conf copied to jail.local]

Open the jail.local file using your preferred text editor.

Configuring Global Options

In the jail.local file, locate the [DEFAULT] section. These settings apply to all enabled jails unless overridden.

ignoreip

This option defines IP addresses that should never be banned. It is commonly used to whitelist trusted locations such as office or home IPs.

ignoreip = 127.0.0.1/8 203.0.113.10

[Screenshot placeholder: ignoreip configuration in jail.local]

bantime

Defines how long an IP address is blocked after exceeding the allowed number of failures.

bantime = 600

maxretry and findtime

These options work together to define the detection threshold:

maxretry = 5
findtime = 600

If an IP address exceeds the allowed retries within the defined time window, it is banned for the duration specified by bantime.

[Screenshot placeholder: global threshold settings in jail.local]
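The following is an added example, not part of this article or of the fail2ban project, that shows how maxretry and findtime combine into a sliding window. It reads constructed sshd log lines (made-up hostnames, PIDs and documentation-range addresses) and prints the source addresses that would have reached the ban threshold; fail2ban's own filter regexes and its handling of dates across midnight are not reproduced here.

```bash
#!/usr/bin/env bash
# Added example: sliding-window failure counting in the style of
# fail2ban's maxretry/findtime, run over constructed sshd log lines.

MAXRETRY=5      # failures allowed ...
FINDTIME=600    # ... within this many seconds

# Constructed sample log (not from a real server). The first address fails
# five times in two minutes, the second fails five times but twelve minutes
# apart, the last line is a successful login and must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
May  1 10:00:00 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 41234 ssh2
May  1 10:00:30 host sshd[2203]: Failed password for root from 198.51.100.7 port 41240 ssh2
May  1 10:01:00 host sshd[2205]: Failed password for root from 198.51.100.7 port 41244 ssh2
May  1 10:01:30 host sshd[2207]: Failed password for root from 198.51.100.7 port 41250 ssh2
May  1 10:02:00 host sshd[2209]: Failed password for root from 198.51.100.7 port 41256 ssh2
May  1 10:00:00 host sshd[2210]: Failed password for root from 203.0.113.55 port 50001 ssh2
May  1 10:12:00 host sshd[2212]: Failed password for root from 203.0.113.55 port 50002 ssh2
May  1 10:24:00 host sshd[2214]: Failed password for root from 203.0.113.55 port 50003 ssh2
May  1 10:36:00 host sshd[2216]: Failed password for root from 203.0.113.55 port 50004 ssh2
May  1 10:48:00 host sshd[2218]: Failed password for root from 203.0.113.55 port 50005 ssh2
May  1 10:05:00 host sshd[2230]: Accepted password for deploy from 192.0.2.9 port 51000 ssh2
EOF
)

# would_ban: read log lines on stdin, print each IP once when the number of
# its failures inside the trailing FINDTIME window reaches MAXRETRY.
would_ban() {
    awk -v maxretry="${MAXRETRY:-5}" -v findtime="${FINDTIME:-600}" '
    /Failed password/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        split($3, t, ":")                     # HH:MM:SS -> seconds of day
        now = t[1] * 3600 + t[2] * 60 + t[3]
        n[ip]++
        ts[ip, n[ip]] = now
        c = 0                                  # failures still inside window
        for (j = 1; j <= n[ip]; j++) if (ts[ip, j] > now - findtime) c++
        if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# usage: only 198.51.100.7 crosses the threshold with the defaults above
printf '%s\n' "$SAMPLE_LOG" | would_ban
```

Raising FINDTIME to 3600 makes the slow attempts from 203.0.113.55 count as well, which is the trade-off to keep in mind: a longer window catches low-rate scanners but also makes accidental bans of legitimate users more likely.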

Enabling Service Jails

fail2ban protects services using jails. Each jail targets a specific service or log pattern.

By default, an SSH jail is included but disabled. To enable it, locate the SSH jail section and set:

enabled = true

[Screenshot placeholder: SSH jail enabled in configuration file]

Additional jails can be enabled in the same way, depending on the services running on your server.
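As an added example (not code from this article or from the fail2ban project), the script below writes the settings from the sections above into a small jail.local and checks that they are present. fail2ban reads jail.conf first and then jail.local, so a file containing only the overrides works as well as a full copy. The jail name sshd is an assumption; older releases name it ssh, so confirm the section name in your jail.conf. The file is written to a path given as an argument so it can be reviewed before being placed in /etc/fail2ban as root.

```bash
#!/usr/bin/env bash
# Added example: generate a minimal jail.local with the global options and
# the SSH jail from this article, then verify the result.

# write_jail_local PATH: write the override file to PATH.
write_jail_local() {
    out="$1"
    cat > "$out" <<'EOF'
[DEFAULT]
# addresses that are never banned: loopback and a trusted admin address
# (203.0.113.10 is the article's documentation-range example)
ignoreip = 127.0.0.1/8 203.0.113.10
# ban for 10 minutes once maxretry failures occur within findtime seconds
bantime = 600
findtime = 600
maxretry = 5

# jail name assumed to be "sshd"; older fail2ban releases use "ssh"
[sshd]
enabled = true
EOF
}

# check_jail_local PATH: succeed only if every expected setting is present
# and "enabled = true" appears after the SSH jail header.
check_jail_local() {
    f="$1"
    grep -q '^ignoreip = 127.0.0.1/8 203.0.113.10$' "$f" &&
    grep -q '^bantime = 600$'  "$f" &&
    grep -q '^findtime = 600$' "$f" &&
    grep -q '^maxretry = 5$'   "$f" &&
    awk '/^\[sshd\]/ { injail = 1 }
         injail && /^enabled = true$/ { found = 1 }
         END { exit found ? 0 : 1 }' "$f"
}

# usage: preview in a temporary file, then copy to /etc/fail2ban/jail.local
# as root and run: service fail2ban restart
tmp=$(mktemp)
write_jail_local "$tmp"
check_jail_local "$tmp" && cat "$tmp"
```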

Restarting fail2ban

After saving configuration changes, restart the service to apply them:

service fail2ban restart

[Screenshot placeholder: fail2ban service restart confirmation]

Checking Banned IP Addresses

To view firewall rules added by fail2ban, run:

iptables -S

A banned IP address typically appears in a rule similar to the following:

-A fail2ban-SSH -s 10.0.1.124/32 -j REJECT --reject-with icmp-port-unreachable

[Screenshot placeholder: iptables output showing fail2ban rules]
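The following is an added example, not part of this article, that extracts the banned addresses from iptables -S output in the rule format shown above, grouped by fail2ban chain. It reads the rules from standard input so it can be run on saved output; the sample ruleset is constructed and the addresses in it are made up.

```bash
#!/usr/bin/env bash
# Added example: list banned source addresses per fail2ban chain from the
# output of `iptables -S`.

# Constructed sample of `iptables -S` output (not from a real server):
# one fail2ban chain with two banned addresses and its trailing RETURN rule.
SAMPLE_RULES=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A fail2ban-SSH -s 10.0.1.124/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
EOF
)

# banned_from_rules: read rules on stdin, print "<chain> <address>" for every
# REJECT/DROP rule in a fail2ban-* chain that matches a source address.
banned_from_rules() {
    awk '
    $1 == "-A" && $2 ~ /^fail2ban-/ && / -j (REJECT|DROP)/ {
        src = ""
        for (i = 1; i <= NF; i++) if ($i == "-s") { src = $(i + 1); break }
        if (src == "") next                  # no source match, e.g. RETURN
        sub(/\/32$/, "", src)                # drop the single-host mask
        print $2, src
    }'
}

# usage: iptables -S | banned_from_rules   (shown here on the sample)
printf '%s\n' "$SAMPLE_RULES" | banned_from_rules
```

On a live system the same information is available per jail from fail2ban-client status followed by the jail name, which is the more convenient check once several jails are enabled; reading the firewall rules directly remains useful when you want to confirm that the ban actually reached the packet filter.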

Using fail2ban in Larger Environments

fail2ban is commonly deployed on standalone servers as well as scalable cloud server environments. When used alongside firewalls and regular system updates, it significantly reduces the effectiveness of automated attack traffic.

Configuration should be reviewed periodically to ensure thresholds match current traffic p
