Install fail2ban
sudo apt install fail2ban
Start fail2ban
sudo systemctl start fail2ban
Enable on boot
sudo systemctl enable fail2ban
Check status
sudo systemctl status fail2ban
Show all jails
sudo fail2ban-client status
Show specific jail status
sudo fail2ban-client status sshd
Unban IP
# Lifts the current ban in the sshd jail only. The address is banned again if
# failures continue; a lasting exemption belongs in ignoreip, not in repeated unbans.
sudo fail2ban-client set sshd unbanip 192.168.1.100
Ban IP manually
# Manual ban in the sshd jail. When working over SSH, confirm the address is not
# your own source address (or a gateway you connect through) before running this.
sudo fail2ban-client set sshd banip 192.168.1.100
Reload fail2ban
# Re-reads the configuration for all jails. Check edited files first with
# `sudo fail2ban-client -t`, so a syntax error is caught before the reload.
sudo fail2ban-client reload
Reload specific jail
sudo fail2ban-client reload sshd
Basic jail configuration
Create /etc/fail2ban/jail.local:
# Values in [DEFAULT] apply to every jail unless the jail's own section overrides them.
[DEFAULT]
# Ban length and counting window; bare numbers are seconds (3600 = 1 h, 600 = 10 min).
bantime = 3600
findtime = 600
# Failures allowed inside findtime before the address is banned.
maxretry = 5
# Used by mail-sending actions; nothing in this snippet enables one.
destemail = admin@example.com
sendername = Fail2Ban
[sshd]
enabled = true
# With port-based ban actions the ban covers this port, so it must match the
# port sshd really listens on.
port = 22
# NOTE(review): on hosts where sshd logs only to the systemd journal this file
# may not exist. Confirm the path, otherwise the jail has nothing to read.
logpath = /var/log/auth.log
# Stricter than the [DEFAULT] value of 5, for this jail only.
maxretry = 3
Nginx brute force protection
# Watches the nginx error log using the nginx-http-auth filter.
# No maxretry is set in this section, so the inherited default applies.
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
# NOTE(review): nginx-noscript does not appear to be part of the stock fail2ban
# filter set. Confirm /etc/fail2ban/filter.d/nginx-noscript.conf exists before
# enabling; a jail that names a missing filter can keep fail2ban from loading.
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/access.log
maxretry = 6
# NOTE(review): same check for nginx-badbots; the filter file must be present.
# Access-log jails with a low maxretry can also ban a shared proxy or NAT address
# that fronts many legitimate clients, so review ignoreip before enabling.
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 2
Create custom filter
Create /etc/fail2ban/filter.d/myapp.conf:
# A filter does nothing by itself: a jail with "filter = myapp" and a logpath
# must reference it before any ban can happen.
[Definition]
# <HOST> is anchored to the start of the line, so the banned address comes from
# the first log field, not from text appearing later in the request line.
# The ".*" gaps and the unanchored trailing "401" are loose; run fail2ban-regex
# against real log data and confirm that only failed logins match.
# NOTE(review): behind a reverse proxy the first field may be the proxy's own
# address. Verify the log format, or one bad client can get the proxy banned.
failregex = ^<HOST> - .* "POST /login HTTP/.*" 401
# Empty: no matching lines are excluded.
ignoreregex =
Test filter regex
sudo fail2ban-regex /var/log/myapp.log /etc/fail2ban/filter.d/myapp.conf
View banned IPs
# NOTE(review): older fail2ban releases may lack this subcommand; confirm on the
# installed version. `sudo fail2ban-client status sshd` also lists banned IPs.
sudo fail2ban-client get sshd banned
Get jail config
sudo fail2ban-client get sshd bantime
sudo fail2ban-client get sshd maxretry
Set jail parameters
# Runtime change on the running server only. Nothing is written to jail.local,
# so the configured values come back when the service restarts. Put lasting
# settings in the jail's section of jail.local.
sudo fail2ban-client set sshd bantime 7200
sudo fail2ban-client set sshd maxretry 3
Check logs
sudo tail -f /var/log/fail2ban.log
Whitelist IP
In /etc/fail2ban/jail.local:
[DEFAULT]
# Addresses listed here are never banned by any jail that does not override
# ignoreip. The /24 exempts the whole LAN, including any compromised internal
# host; prefer listing only the specific admin addresses that need the exemption.
ignoreip = 127.0.0.1/8 192.168.1.0/24
Email notifications
[DEFAULT]
# action_mwl: ban, then mail a report with whois data and the matching log lines
# to destemail. It needs working mail delivery on the host. The mailed log lines
# can include usernames or other sensitive data, so mind where destemail points.
action = %(action_mwl)s
Common jails
[sshd]
[apache-auth]
[apache-badbots]
[nginx-http-auth]
[postfix-sasl]
[dovecot]
[mysqld-auth]
Show jail actions
sudo fail2ban-client get sshd actions