Fail2Ban on Linux: Intrusion Prevention Complete Setup Guide
Servers exposed to the internet face constant automated attacks that guess passwords and probe for known vulnerabilities. Fail2Ban watches log files for the traces these attempts leave and temporarily blocks the offending IP addresses with firewall rules. It does not fix any vulnerability, but it cuts off most single-source brute-force attempts and keeps logs readable, with minimal configuration. This guide covers installing and configuring Fail2Ban on Linux for SSH, web servers and custom applications.
How Fail2Ban Works
Fail2Ban continuously parses log files (or the systemd journal, with backend = systemd) looking for patterns that indicate failed authentication attempts or other suspicious activity. When a source address accumulates maxretry matches within findtime, Fail2Ban runs a ban action, normally adding a firewall rule (iptables, nftables or firewalld) that drops traffic from that address for bantime, and removes the rule when the ban expires. This automated response stops single-source brute-force attacks before they succeed; it does nothing against attackers who rotate source addresses or spread their guesses across many hosts, so it complements, rather than replaces, key-only SSH authentication and rate limiting in the application itself.
The tool uses “jails” to organize protection rules. Each jail ties a filter (regular expressions applied to specific log files) to a ban action. Pre-configured jails exist for common services including SSH, Apache, Nginx, and mail servers; most are defined but disabled in jail.conf until you enable them.
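To make findtime, maxretry and bantime concrete, here is a toy model of a jail written for this article (it is not Fail2Ban's code): a failregex with a <HOST> tag, a sliding failure window per host, ignoreip handling and ban expiry, run over a constructed auth.log excerpt. The <HOST> expansion and the sshd pattern are simplified stand-ins for Fail2Ban's real ones, and the log lines and addresses are made up.

```python
"""Toy model of a Fail2Ban jail, added as an illustration (not Fail2Ban's code).

It applies a failregex with a <HOST> tag to log lines, counts failures per host
inside a sliding findtime window, and "bans" a host once maxretry is reached.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption: the real
# expansion also handles IPv6 and hostnames more carefully).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Modelled on one line of Fail2Ban's sshd filter; the real filter is longer.
SSHD_FAILREGEX = (r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                  r"from <HOST> port \d+")

# Constructed auth.log excerpt (syslog timestamps, year assumed to be 2024).
LOG = """\
Jan 15 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Jan 15 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 40002 ssh2
Jan 15 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.10 port 40003 ssh2
Jan 15 10:00:10 host sshd[1004]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
Jan 15 10:01:00 host sshd[1005]: Failed password for bob from 198.51.100.7 port 41000 ssh2
Jan 15 10:07:00 host sshd[1006]: Failed password for bob from 198.51.100.7 port 41001 ssh2
Jan 15 10:13:00 host sshd[1007]: Failed password for bob from 198.51.100.7 port 41002 ssh2
Jan 15 10:20:00 host sshd[1008]: Failed password for root from 192.168.1.20 port 50001 ssh2
Jan 15 10:20:01 host sshd[1009]: Failed password for root from 192.168.1.20 port 50002 ssh2
Jan 15 10:20:02 host sshd[1010]: Failed password for root from 192.168.1.20 port 50003 ssh2
""".splitlines()


def parse_ts(line, year=2024):
    """Syslog lines carry no year; assume one so timestamps can be compared."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip):
        self.regex = re.compile(failregex.replace("<HOST>", HOST_RE))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.bans = {}                      # host -> ban expiry time

    def ignored(self, host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:      # hostnames are never matched against ignoreip here
            return False
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one line; return the host if this line triggers a ban."""
        m = self.regex.search(line)
        if not m:
            return None
        host, now = m.group("host"), parse_ts(line)
        for h, expiry in list(self.bans.items()):   # expire old bans
            if expiry <= now:
                del self.bans[h]
        if self.ignored(host) or host in self.bans:
            return None
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:      # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            window.clear()
            return host
        return None


def run(lines, maxretry=3, findtime_min=10, bantime_min=60,
        ignoreip=("127.0.0.0/8", "192.168.1.0/24")):
    """Return (hosts banned, in order; hosts still banned at the end of the log)."""
    jail = Jail(SSHD_FAILREGEX, maxretry, timedelta(minutes=findtime_min),
                timedelta(minutes=bantime_min), ignoreip)
    banned = [h for h in map(jail.feed, lines) if h]
    return banned, sorted(jail.bans)


if __name__ == "__main__":
    print(run(LOG))                      # 198.51.100.7 is too slow for a 10m window
    print(run(LOG, findtime_min=15))     # widening findtime catches it
    print(run(LOG, ignoreip=()))         # without ignoreip the LAN host is banned too
```

Run it and the slow attacker at 198.51.100.7, who fails three times six minutes apart, is never banned with findtime = 10m but is with 15m: lengthening findtime is the knob for low-and-slow guessing, not maxretry. The LAN host 192.168.1.20 escapes only because of ignoreip, which is why that list should be kept short.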
Installation
# Ubuntu/Debian
sudo apt update
sudo apt install fail2ban
# Fedora/RHEL
sudo dnf install fail2ban
# Arch Linux
sudo pacman -S fail2ban
# Start and enable service
sudo systemctl enable --now fail2ban
# Confirm the server answers and note its version (the time suffixes used below need 0.10 or newer)
sudo fail2ban-client version
Configuration Structure
Fail2Ban configuration lives in /etc/fail2ban/. Never modify jail.conf directly; it is overwritten on package upgrades. Put your changes in jail.local, which is read after jail.conf and only needs to contain the settings you override. Drop-in files under /etc/fail2ban/jail.d/ work the same way (Debian and Ubuntu ship jail.d/defaults-debian.conf, which already enables the sshd jail). Copying the whole of jail.conf to jail.local works, but it hides which values you actually changed and carries old defaults across upgrades, so start from an empty file:
sudo nano /etc/fail2ban/jail.local
Basic Configuration
[DEFAULT]
# Ban duration (10 minutes). Time suffixes (s, m, h, d, w) need Fail2Ban 0.10
# or newer; older versions take plain seconds (600)
bantime = 10m
# Time window for counting failures
findtime = 10m
# Number of failures within findtime before a ban
maxretry = 5
# Addresses that are never banned. Keep this list tight: a whole LAN range
# here means a compromised internal host can brute-force without consequence
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
# Email notifications (optional). action_mwl bans, then mails a report with
# whois output and the matching log lines; it needs a working local MTA and
# the whois package. Otherwise leave action at its default (ban only)
destemail = admin@yourdomain.com
sender = fail2ban@yourdomain.com
action = %(action_mwl)s
Enabling SSH Protection
[sshd]
enabled = true
# If sshd listens on a non-standard port, put that number here; the ban rule
# only covers the ports listed
port = ssh
filter = sshd
# Debian/Ubuntu with rsyslog. RHEL/Fedora log to /var/log/secure; on systems
# that keep only the systemd journal (Debian 12 and later, for example) drop
# logpath and set backend = systemd instead. jail.conf's default,
# logpath = %(sshd_log)s with backend = %(sshd_backend)s, picks the right one
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
Web Server Protection
The web jails ban whatever client address appears in the log. If the server sits behind a reverse proxy, load balancer or CDN, that address belongs to the proxy, and a ban would cut off every visitor at once; log the real client address (for example from X-Forwarded-For or the PROXY protocol) and make sure the filter extracts that field, or ban at the edge instead.
# Apache authentication failures
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
# Nginx authentication
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
# Block scanners probing for admin and CMS paths (phpMyAdmin, wp-login, webmail)
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
# The filter matches 404 responses in the access log and "No such file" entries
# in the error log, so either log works; point it at the one you keep
logpath = /var/log/nginx/access.log
maxretry = 2
Managing Fail2Ban
# Check status of all jails
sudo fail2ban-client status
# Check a specific jail (failure counts, currently banned list)
sudo fail2ban-client status sshd
# Manually ban an IP (a public address here; 192.168.1.0/24 is in ignoreip above)
sudo fail2ban-client set sshd banip 203.0.113.5
# Unban an IP
sudo fail2ban-client set sshd unbanip 203.0.113.5
# Test the configuration before reloading
sudo fail2ban-client -t
# Reload configuration (all jails, or a single jail by name)
sudo fail2ban-client reload
sudo fail2ban-client reload sshd
Creating Custom Filters
Create custom filters for application-specific protection. The failregex must contain the <HOST> tag: that is the capture group whose value Fail2Ban bans, and fail2ban-regex rejects a pattern without it. Keep the rest of the pattern as specific as the log format allows (anchor it, match the process name rather than a leading .*), because a user-controlled string that lands in the log, such as a username, could otherwise contain a fake "Failed login attempt from" and get someone else's address banned:
# /etc/fail2ban/filter.d/myapp.conf
[Definition]
failregex = ^.*Failed login attempt from <HOST>( |$)
ignoreregex =
# Test filter against log file (--print-all-missed lists the lines that did not match)
fail2ban-regex --print-all-missed /var/log/myapp.log /etc/fail2ban/filter.d/myapp.conf
# Then enable a jail for it in jail.local (port = whatever the application listens on; 8443 is a placeholder)
[myapp]
enabled = true
filter = myapp
logpath = /var/log/myapp.log
port = 8443
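An offline filter tester, added here as an illustration (it is not fail2ban-regex and mimics only its line accounting): it expands <HOST> with a simplified stand-in for Fail2Ban's pattern, then reports matched, ignored and missed lines for a constructed myapp log. The first call uses the page's original pattern without <HOST> and shows why a filter like that bans nobody; the monitor.example.internal host, the log lines and the addresses are made up.

```python
"""Offline filter tester, added as an illustration (not Fail2Ban's fail2ban-regex).

Reports which lines match failregex, which of those ignoreregex discards, which
hosts were extracted, and catches the mistake that silently breaks a filter:
a failregex with no <HOST> tag.
"""
import re

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption: the real
# expansion also handles IPv6 and hostnames more carefully).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed log excerpt for a hypothetical application "myapp".
SAMPLE_LOG = """\
2024-01-15 10:00:01 myapp[2201]: Failed login attempt from 203.0.113.10 for user alice
2024-01-15 10:00:02 myapp[2201]: Failed login attempt from 203.0.113.10 for user alice
2024-01-15 10:00:05 myapp[2201]: Successful login from 192.168.1.20 for user bob
2024-01-15 10:00:09 myapp[2201]: Failed login attempt from monitor.example.internal for user healthcheck
""".splitlines()

FAILREGEX_BROKEN = r"^.*Failed login attempt from .*$"      # no <HOST>: nothing to ban
FAILREGEX_FIXED = r"^.*Failed login attempt from <HOST>\b"
IGNOREREGEX = r"from monitor\.example\.internal "          # constructed health-check host


def check_filter(lines, failregex, ignoreregex=""):
    """Return a fail2ban-regex style summary, or {'error': ...} if the filter cannot ban."""
    if "<HOST>" not in failregex:
        return {"error": "failregex has no <HOST> tag; fail2ban-regex rejects it "
                         "and a jail using it would never ban anyone"}
    fail = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    result = {"matched": [], "ignored": [], "missed": []}
    for n, line in enumerate(lines, 1):
        m = fail.search(line)
        if not m:
            result["missed"].append(n)
        elif ignore and ignore.search(line):
            result["ignored"].append(n)          # matched failregex but exempted
        else:
            result["matched"].append((n, m.group("host")))
    return result


if __name__ == "__main__":
    print(check_filter(SAMPLE_LOG, FAILREGEX_BROKEN))
    print(check_filter(SAMPLE_LOG, FAILREGEX_FIXED))
    print(check_filter(SAMPLE_LOG, FAILREGEX_FIXED, IGNOREREGEX))
```

The second call shows the health-check host being extracted like any other failure; the third shows ignoreregex taking it out of the count, which is the right tool when the exemption is about the log line rather than the address (for an address, ignoreip is simpler).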
Progressive Banning
Increase ban duration for repeat offenders with the recidive jail. It reads Fail2Ban's own log, so logpath must point at whatever logtarget in fail2ban.conf writes to (the file below is the default); jail.conf already sets its banaction to the all-ports variant, so a recidive ban blocks every port, not just the original service. Fail2Ban 0.11 and newer can get a similar effect inside a single jail with bantime.increment = true, which lengthens bantime on each repeat ban of the same address:
[recidive]
enabled = true
filter = recidive
# Fail2Ban's own log; adjust if logtarget is not this file
logpath = /var/log/fail2ban.log
# An address banned 3 times within a day by any jail is banned for a week on all ports
bantime = 1w
findtime = 1d
maxretry = 3
Monitoring and Logs
# View Fail2Ban log
sudo tail -f /var/log/fail2ban.log
# List all banned IPs across jails (Fail2Ban 0.11 or newer)
sudo fail2ban-client banned
# Check the firewall rules the ban action created (iptables-multiport, the stock default)
sudo iptables -L f2b-sshd -n
# ... or, if banaction is nftables, the per-jail address set
sudo nft list set inet f2b-table addr-set-sshd
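To turn the log into the attack-pattern summary the conclusion recommends, here is a small script added for this article (not a Fail2Ban utility) that replays Ban/Unban lines from a constructed fail2ban.log excerpt: it reconstructs which addresses are currently banned per jail, counts bans per jail and per address, and flags addresses hit by more than one jail, the ones the recidive jail exists for. The log lines and addresses are constructed.

```python
"""Summarize a fail2ban.log excerpt, added as an illustration (not a Fail2Ban tool).

Replays Ban/Unban events to reconstruct which addresses are banned in which
jail, counts bans per jail and per address, and flags addresses banned by
several jails.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt in fail2ban.log's default line format.
FAIL2BAN_LOG = """\
2024-01-15 10:00:05,123 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.10 - 2024-01-15 10:00:05
2024-01-15 10:00:05,456 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.10
2024-01-15 10:04:10,001 fail2ban.actions        [1234]: NOTICE  [nginx-botsearch] Ban 198.51.100.7
2024-01-15 10:30:00,002 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2024-01-15 11:00:05,789 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.10
2024-01-15 11:10:00,000 fail2ban.actions        [1234]: NOTICE  [recidive] Ban 198.51.100.7
""".splitlines()

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban|Restore Ban) (?P<ip>\S+)$")


def parse_events(lines):
    """Yield (timestamp, jail, action, ip) for each ban/unban line; other lines are skipped."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("jail"), m.group("action"), m.group("ip")


def summarize(lines):
    """Replay events and return counts plus the current ban state."""
    bans_per_jail, bans_per_ip = Counter(), Counter()
    active = defaultdict(set)        # jail -> addresses banned right now
    jails_per_ip = defaultdict(set)  # address -> every jail that has banned it
    for _ts, jail, action, ip in parse_events(lines):
        if action == "Unban":
            active[jail].discard(ip)
            continue
        active[jail].add(ip)         # "Ban", or "Restore Ban" (persistent bans reloaded at startup)
        jails_per_ip[ip].add(jail)
        if action == "Ban":          # count fresh bans only, not restored ones
            bans_per_jail[jail] += 1
            bans_per_ip[ip] += 1
    return {
        "bans_per_jail": dict(bans_per_jail),
        "bans_per_ip": dict(bans_per_ip),
        "active": {j: sorted(ips) for j, ips in active.items() if ips},
        "multi_jail": sorted(ip for ip, js in jails_per_ip.items() if len(js) > 1),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(FAIL2BAN_LOG), indent=2))
```

In the sample, 198.51.100.7 is first caught by nginx-botsearch, then by sshd, and finally by recidive for a week on all ports; 203.0.113.10 has been unbanned and no longer appears in the active state. Pointing the script at the real log (one line per entry, oldest first) gives the same view as fail2ban-client banned, plus the history behind it.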
Conclusion
Fail2Ban provides automated protection against single-source brute-force attacks with minimal resource overhead. It complements, rather than replaces, disabling password authentication for SSH in favour of keys: with passwords off, SSH guessing is noise rather than risk, and Fail2Ban mainly keeps the logs readable. Regular review of which addresses are banned and which jails fire helps identify attack patterns and tune findtime, maxretry and bantime accordingly.
About Ramesh Sundararamaiah
Red Hat Certified Architect
Expert in Linux system administration, DevOps automation, and cloud infrastructure. Specializing in Red Hat Enterprise Linux, CentOS, Ubuntu, Docker, Ansible, and enterprise IT solutions.