Fail2Ban scans log files (e.g. /var/log/auth.log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
Installation
# Debian / Ubuntu
sudo apt install fail2ban
# RHEL / CentOS
sudo dnf install epel-release
sudo dnf install fail2banConfiguration Structure
Never edit /etc/fail2ban/jail.conf directly, as it will be overwritten during updates. Instead, create a .local copy or add files to jail.d/.
# Create a local configuration copy
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localBasic jail.local Configuration
[DEFAULT]
bantime = 1h # Ban duration (1 hour)
findtime = 10m # Time window for failures
maxretry = 5 # Number of failures before ban
ignoreip = 127.0.0.1/8 192.168.1.0/24 # Never ban these IPs
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)sService Management
sudo systemctl enable --now fail2ban # Start and enable on boot
sudo systemctl restart fail2ban # Restart service after config changesMonitoring and Interacting (fail2ban-client)
# Check global status (shows active jails)
sudo fail2ban-client status
# Check status of a specific jail (e.g., sshd) and see banned IPs
sudo fail2ban-client status sshd
# Manually ban an IP in a specific jail
sudo fail2ban-client set sshd banip 192.168.1.50
# Manually unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.50
# Unban all IPs in a jail
sudo fail2ban-client unban --all