Quick Reference

Cheatsheets

Practical command references for Linux, networking, servers, containers, databases, and more.

Cheatsheet#fail2ban-cheatsheet

Fail2Ban Cheatsheet

Fail2Ban scans log files (e.g. /var/log/auth.log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.

Installation

# Debian / Ubuntu
sudo apt install fail2ban
 
# RHEL / CentOS
sudo dnf install epel-release
sudo dnf install fail2ban

Configuration Structure

Never edit /etc/fail2ban/jail.conf directly, as it will be overwritten during updates. Instead, create a .local copy or add files to jail.d/.

# Create a local configuration copy
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Basic jail.local Configuration

[DEFAULT]
bantime  = 1h     # Ban duration (1 hour)
findtime = 10m    # Time window for failures
maxretry = 5      # Number of failures before ban
ignoreip = 127.0.0.1/8 192.168.1.0/24  # Never ban these IPs
 
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Service Management

sudo systemctl enable --now fail2ban   # Start and enable on boot
sudo systemctl restart fail2ban        # Restart service after config changes

Monitoring and Interacting (fail2ban-client)

# Check global status (shows active jails)
sudo fail2ban-client status
 
# Check status of a specific jail (e.g., sshd) and see banned IPs
sudo fail2ban-client status sshd
 
# Manually ban an IP in a specific jail
sudo fail2ban-client set sshd banip 192.168.1.50
 
# Manually unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.50
 
# Unban all IPs in a jail
sudo fail2ban-client unban --all