How to Configure Fail2Ban to Prevent Brute-Force Attacks on Your Linux Server

When managing a Linux server, security is paramount. One of the most common types of attacks servers face is brute-force attempts on login services, especially SSH. Fail2Ban is an effective, open-source tool that automatically bans suspicious IPs after repeated failed login attempts, adding a crucial layer of security to your server. This guide will walk you through configuring Fail2Ban on your Linux server.


What is Fail2Ban?

Fail2Ban is a tool that monitors your server’s log files for failed login attempts and other suspicious activities. When it detects too many failed attempts from a single IP address within a specified timeframe, it blocks that IP, effectively preventing brute-force attacks.

Fail2Ban can protect multiple services and is highly configurable, making it an essential addition to your server’s security setup.


Step 1: Installing Fail2Ban

Before configuring Fail2Ban, you’ll need to install it on your server. Fail2Ban is available in most Linux distributions’ repositories.

For Debian/Ubuntu

sudo apt update
sudo apt install fail2ban

For CentOS/RHEL

sudo yum install epel-release
sudo yum install fail2ban

After installation, start the Fail2Ban service and enable it to start at boot:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Step 2: Configuring Fail2Ban

Fail2Ban's main configuration file is located at /etc/fail2ban/jail.conf. Because that file is overwritten on package upgrades, put your changes in a local configuration file instead: Fail2Ban reads jail.local after jail.conf, and any setting in jail.local takes precedence. Create it by copying the original:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the jail.local file for editing:

sudo nano /etc/fail2ban/jail.local

Step 3: Set Up Basic Security Options

In the jail.local file, you’ll want to customize the following settings to enhance server protection. They live in the [DEFAULT] section, so they apply to every jail unless a jail overrides them:

  • Ignore IPs: Define trusted IPs that should never be banned, such as your own IP.

      ignoreip = 127.0.0.1/8 ::1 192.168.1.1
    
  • Ban Time: Set how long an IP remains banned (in seconds). For example, 600 will ban the IP for 10 minutes.

      bantime = 600
    
  • Find Time and Max Retry: These parameters work together to decide when an IP should be banned. findtime is the time window (in seconds) in which Fail2Ban counts failed attempts, and maxretry sets the allowed number of failed attempts within this period.

      findtime = 600
      maxretry = 5
    

Step 4: Configure SSH Protection

Fail2Ban comes with a default filter for SSH, making it straightforward to secure your SSH service from brute-force attacks.

In the jail.local file, find the [sshd] section and enable it by setting enabled to true:

[sshd]
enabled = true
# Update this if you have changed the default SSH port
port = 2222
# Log file for Debian/Ubuntu
logpath = /var/log/auth.log
# Log file for CentOS/RHEL:
# logpath = /var/log/secure
maxretry = 5

Ensure that port and logpath match your SSH settings. Keep comments on their own lines: Fail2Ban does not reliably strip a trailing # comment from a value, so a comment placed after port or logpath can end up as part of the setting.
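As an added illustration (not from this guide or the Fail2Ban project), the script below replays constructed auth.log lines through the findtime/maxretry window from Step 3, honours ignoreip, and reports which hosts the sshd jail would ban. The log lines, the host addresses and the helper names are constructed for the demo.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Jail settings as set in this guide's jail.local.
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.1.1"]
FINDTIME, MAXRETRY = 600, 5

# Modelled on the sshd filter's "Failed password" rule, prefixed with the
# syslog timestamp layout found in /var/log/auth.log (no year field).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")

def is_ignored(host, ignoreip=IGNOREIP):
    """True when host is inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Replay log lines through the findtime/maxretry window; return {host: [ban times]}."""
    failures, bans = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or is_ignored(m.group("host"), ignoreip):
            continue                      # not a failure line, or a trusted host
        host = m.group("host")
        # strptime defaults the missing year to 1900; only time differences matter here.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        # Keep only failures that are still inside the findtime window, then add this one.
        window = [t for t in failures[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(window) >= maxretry:
            bans[host].append(ts.strftime("%b %d %H:%M:%S"))
            window = []                   # Fail2Ban clears the counter once it bans
        failures[host] = window
    return dict(bans)

# Constructed sample lines (not real log data): 203.0.113.5 fails 5 times in 5 minutes,
# 198.51.100.7 fails 5 times spread over 40 minutes, and ignoreip'd 192.168.1.1 fails 6 times.
SAMPLE_LOG = "\n".join(
    [f"Mar  3 10:0{i}:00 srv sshd[10{i}]: Failed password for root from 203.0.113.5 port 4000{i} ssh2" for i in range(5)]
    + [f"Mar  3 10:{i*10:02d}:00 srv sshd[20{i}]: Failed password for invalid user admin from 198.51.100.7 port 5000{i} ssh2" for i in range(5)]
    + [f"Mar  3 10:0{i}:30 srv sshd[30{i}]: Failed password for deploy from 192.168.1.1 port 6000{i} ssh2" for i in range(6)]
)

if __name__ == "__main__":
    for host, times in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {times}")
```

Only the fast attacker is banned with the guide's values; widening findtime to 3600 also catches the slow one, which is the trade-off those two settings control.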


Step 5: Apply Changes

Once you’ve made changes to the configuration, restart Fail2Ban to apply them:

sudo systemctl restart fail2ban

To verify Fail2Ban is running and protecting SSH, you can check its status:

sudo fail2ban-client status

Step 6: Monitor and Manage Fail2Ban

Fail2Ban provides commands for monitoring and managing bans. Here are some useful ones:

  • View Banned IPs for SSH:

      sudo fail2ban-client status sshd
    
  • Unban an IP Address:

      sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
    

Replace <IP_ADDRESS> with the actual IP you wish to unban.


Optional: Enable Email Alerts

Fail2Ban can send you an email when it bans an IP. To set this up, open jail.local and update the following settings:

  • Email Settings:

      destemail = your_email@example.com
      sendername = Fail2Ban
      mta = sendmail
      # Action for ban plus email notification
      action = %(action_mw)s
    

Make sure your server can actually deliver mail, whether through sendmail, Postfix, or another mail transfer agent; otherwise the ban still happens but the notification is silently lost.


Conclusion

With Fail2Ban configured, your server now has an automated defense system that monitors for malicious IPs and protects against brute-force attacks. This setup provides peace of mind, knowing your server has a robust layer of protection.

Fail2Ban is a flexible tool, and by adjusting its configurations, you can expand its monitoring to other services on your server, making it an indispensable part of your security toolkit.