
Learn how to configure Fail2Ban to block repeated failed login attempts on Linux. Step-by-step guide with commands, configuration examples, and security tips for SSH and other services.
In today’s threat landscape, brute-force attacks are a common way attackers attempt to gain unauthorized access to Linux servers. A simple and effective defense against this type of attack is Fail2Ban — a log-monitoring tool that scans for suspicious activity and temporarily bans malicious IP addresses.
This guide walks you through how to enable and configure Fail2Ban to block repeated failed login attempts, specifically for services like SSH, but applicable to others like Apache, Postfix, and nginx.
Fail2Ban is an open-source intrusion prevention tool that protects Linux systems from brute-force attacks by monitoring log files and dynamically updating firewall rules to ban IPs exhibiting malicious behavior.
Fail2Ban works by:
- monitoring log files (for example the SSH authentication log) for repeated failures from the same address,
- matching log entries against regex filters kept in /etc/fail2ban/filter.d/, and
- dynamically adding firewall rules (iptables or firewalld) that ban the offending IP address for a configurable time.
Fail2Ban is supported on most major Linux distributions:
| Distribution | Installation Method |
|---|---|
| Ubuntu/Debian | apt install fail2ban |
| CentOS/RHEL/Fedora | dnf install fail2ban |
| Arch Linux | pacman -S fail2ban |
On Debian/Ubuntu:
```bash
sudo apt update
sudo apt install fail2ban -y
```
On CentOS/RHEL/Fedora:
```bash
sudo dnf install fail2ban -y
```
After installation, enable and start the Fail2Ban service so it persists across reboots.
```bash
sudo systemctl enable --now fail2ban
```
Check the service status:
```bash
sudo systemctl status fail2ban
```
Fail2Ban uses configuration jails to define which services to protect. These jails specify which log file to monitor, how many failures to tolerate, and how long to ban offending IPs.
⚠️ Never edit /etc/fail2ban/jail.conf directly; it is overwritten when the package is upgraded. Put your overrides in /etc/fail2ban/jail.local, which takes precedence over jail.conf.
Create/edit /etc/fail2ban/jail.local:
```bash
sudo vim /etc/fail2ban/jail.local
```
Add the following configuration for SSH protection:
```ini
[sshd]
enabled = true
port = ssh
filter = sshd
# Ubuntu/Debian log location
logpath = /var/log/auth.log
# On CentOS/RHEL use instead:
# logpath = /var/log/secure
maxretry = 5
findtime = 600
bantime = 3600
```
💬 Explanation of parameters:
| Setting | Description |
|---|---|
| enabled | Activates the SSH jail |
| port | The SSH port (default is 22; change if custom) |
| filter | References a regex filter in /etc/fail2ban/filter.d/sshd.conf |
| logpath | Path to the SSH log file |
| maxretry | Number of failed attempts before banning an IP |
| findtime | Time window (in seconds) over which failures are counted |
| bantime | Duration (in seconds) to ban the IP address |
Restart Fail2Ban so the new jail is loaded:
```bash
sudo systemctl restart fail2ban
```
Check the overall Fail2Ban status:
```bash
sudo fail2ban-client status
```
Check the status of the SSH jail:
```bash
sudo fail2ban-client status sshd
```
Expected output:
```text
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 6
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   `- Banned IP list: 192.168.1.100
```
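The jail definition above and the status output it produces can both be handled from a small script. This is an added example, not code from the article: it writes the article's [sshd] jail with the log path chosen per OS family, and extracts the banned IP list from a constructed copy of the status output; the function names and the sample status text are the example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the article): build the [sshd] jail with the right
# log path per OS family, and parse `fail2ban-client status <jail>` output.
set -eu

# Log path for the SSH daemon: Debian family logs to auth.log,
# RHEL family to /var/log/secure (the two paths the article lists).
ssh_logpath() {
  case "$1" in
    debian|ubuntu)       echo /var/log/auth.log ;;
    rhel|centos|fedora)  echo /var/log/secure ;;
    *) echo "unsupported OS family: $1" >&2; return 1 ;;
  esac
}

# Write the article's [sshd] jail to file $1 for OS family $2.
write_sshd_jail() {
  local out="$1" family="$2" logpath
  logpath="$(ssh_logpath "$family")"
  cat > "$out" <<EOF
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = $logpath
maxretry = 5
findtime = 600
bantime = 3600
EOF
}

# Read `fail2ban-client status <jail>` output on stdin and print each
# banned address on its own line (fail2ban separates them with spaces).
banned_ips() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# Constructed sample matching the status output shown in the article.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 6
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   `- Banned IP list: 192.168.1.100'

# Stand-alone run: write a Debian-style jail to a temp file, then list bans.
jail_file="$(mktemp)"
write_sshd_jail "$jail_file" debian
printf '%s\n' "$SAMPLE_STATUS" | banned_ips
```

On a real host, pipe `sudo fail2ban-client status sshd` into `banned_ips` instead of the sample to feed the current ban list into monitoring.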
Sometimes a legitimate user may be banned. To unban:
```bash
sudo fail2ban-client set sshd unbanip 192.168.1.100
```
To make bans permanent, set in the jail:
```ini
bantime = -1
```
⚠️ Use this with caution. Permanent bans are powerful but may unintentionally affect users behind shared IPs.
| Parameter | Default Value | Recommended Value | Description |
|---|---|---|---|
| maxretry | 5 | 3–5 | Max failures before ban |
| findtime | 600 (10 min) | 300–600 | Timeframe to track failures |
| bantime | 600 (10 min) | 1800–3600 | How long the IP is banned |
| bantime = -1 | N/A | Optional | Permanently ban IPs |
Fail2Ban supports many services. Here is a jail for nginx HTTP basic-auth failures; jails for Postfix or Dovecot follow the same pattern with their own filter and log path:
```ini
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
```
To receive email alerts when an IP is banned, add the following to your jail.local:
```ini
# In [DEFAULT] (applies to every jail) or inside a specific jail section
destemail = admin@yourdomain.com
sender = fail2ban@yourdomain.com
action = %(action_mwl)s
```
💡 You must have a working mail transfer agent on the host (action_mwl sends through sendmail by default), or no notification will be delivered.
Fail2Ban works with iptables and firewalld to block IPs.
Check iptables rules:
```bash
sudo iptables -L -n
```
If using firewalld:
```bash
sudo firewall-cmd --state
```
Ensure your firewall is active so bans are enforced.
| Task | Command/Path |
|---|---|
| Install Fail2Ban | sudo apt install fail2ban |
| Enable Fail2Ban | sudo systemctl enable fail2ban |
| Configure SSH Jail | /etc/fail2ban/jail.local |
| Restart Fail2Ban | sudo systemctl restart fail2ban |
| Check Ban Status | sudo fail2ban-client status sshd |
| Unban IP | sudo fail2ban-client set sshd unbanip IP |
| Enable Notifications (Optional) | Add action = %(action_mwl)s in jail.local |
Fail2Ban is one of the simplest and most powerful tools for protecting Linux systems from brute-force attacks. By monitoring log files and applying automated IP bans, you reduce the attack surface of your servers significantly — all with minimal system overhead.
If you’re running a public-facing Linux server (especially with SSH exposed), configuring Fail2Ban should be part of your baseline hardening process.