Linux SysAdmin Notes
HowTo : Install and Configure Fail2ban on CentOS/Ubuntu
Fail2Ban helps protect Linux servers from brute-force attacks.
It scans log files for IP addresses that show malicious signs (for example, repeated failed logins) and bans those addresses for a specified amount of time by adding a firewall rule. Because it only reacts to what the logs record, it slows password guessing down rather than stopping it; for SSH, key-based authentication remains the stronger control, and Fail2Ban is the layer that keeps the noise and the lockout attempts off the box.
This article describes how to install and configure Fail2Ban on CentOS/Ubuntu and similar Linux distributions.
You'll also learn how to protect an SSH server from brute-force attacks and how to manually unban an IP address that Fail2Ban has banned.
Install Fail2ban on Linux Mint, Ubuntu
Type the following command to install Fail2Ban on Linux Mint or Ubuntu:
Install Fail2ban on CentOS, RHEL
There is no Fail2Ban package in the default CentOS and RHEL repositories, but it is available in EPEL.
Add the EPEL repository and then install Fail2Ban:
The default Fail2Ban configuration file is
Instead, we should work with a local copy called
Make a local copy of the Fail2Ban configuration file (settings in the local copy override the shipped defaults and survive package upgrades, which would otherwise overwrite your edits):
Pay attention to the global options in the [DEFAULT] section.
They cover the basic rules that Fail2Ban will follow:
| Option   | Meaning |
|----------|---------|
| ignoreip | Don't ban a host that matches an address in this list. Several entries can be given, separated by spaces; CIDR ranges and DNS host names are accepted as well as plain addresses. Put your own management addresses here so that a mistyped password of your own cannot lock you out. |
| bantime  | Duration (in seconds) for which an IP is banned. A negative number means a permanent ban. Default is 10 minutes (600). |
| findtime | The time window (in seconds) within which Fail2Ban counts failed login attempts for a host. Default is 10 minutes (600). |
| maxretry | The number of failures within findtime before a host gets banned. Default is 3 attempts in the 0.8 releases and 5 in 0.9 and later. |
Protect SSH Server with Fail2Ban
After completing the [DEFAULT] section, scroll down and update the [ssh-iptables] section as shown below. (This jail name and its explicit iptables action come from the Fail2Ban 0.8 jail.conf; in 0.9 and later the shipped SSH jail is called [sshd] and takes its ban action from the global banaction setting, so there only enabled = true and the tuning values are needed.)
[ssh-iptables]
# 'enabled = true' means that SSH protection is on.
# It can be turned off with 'enabled = false'.
enabled  = true
# Use filter: /etc/fail2ban/filter.d/sshd.conf
filter   = sshd
# Action describes the steps that Fail2Ban will take to ban a matching IP address.
# port=ssh is resolved through /etc/services (22); change it if sshd listens elsewhere.
# The indented second line is a continuation of the same action value: it sends a
# notification (with whois output for the banned address) to email@example.com.
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=email@example.com, sendername="Fail2Ban"]
# Log location that Fail2Ban will track
# (CentOS/RHEL: /var/log/secure; Ubuntu/Debian: /var/log/auth.log)
logpath  = /var/log/secure
# if during 1 hour ...
findtime = 3600
# ... 5 failed login attempts are detected ...
maxretry = 5
# ... the host is banned for 24 hours
bantime  = 86400
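To make the findtime, maxretry and ignoreip semantics concrete, here is an added example (not code from the original article and not part of the Fail2Ban project) that replays constructed sshd log lines through the same sliding-window logic Fail2Ban applies, so you can see which hosts would be banned under the [DEFAULT] 10-minute window versus the findtime = 3600 / maxretry = 5 values of the ssh-iptables jail, and what an empty ignoreip does to an administrator who mistypes a password. It is plain sh and awk, needs no Fail2Ban installation, and assumes the classic /var/log/secure syslog line format with every line on the same day (only HH:MM:SS is parsed). All log lines, host names and IP addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original article or the Fail2Ban project.
# Replays sshd log lines through Fail2Ban's findtime / maxretry / ignoreip logic.
# Assumption: classic syslog format as in /var/log/secure, all lines on one day,
# so only the HH:MM:SS field is parsed for timestamps.

# Constructed sample log (not a real capture). Chronological, one day.
#  - 198.51.100.7 fails 5 times, 14 minutes apart (the 5 failures span 56 min)
#  - 203.0.113.5  fails 5 times within 45 seconds, then once more after the ban
#  - 192.0.2.10   (an admin host) fails 5 times within 20 seconds
SAMPLE_LOG='Mar 10 09:10:00 host sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 09:24:00 host sshd[2002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 09:38:00 host sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 10 09:52:00 host sshd[2004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 10 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 50111 ssh2
Mar 10 10:00:09 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Mar 10 10:00:20 host sshd[2103]: Failed password for root from 203.0.113.5 port 50113 ssh2
Mar 10 10:00:31 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 50114 ssh2
Mar 10 10:00:45 host sshd[2105]: Failed password for root from 203.0.113.5 port 50115 ssh2
Mar 10 10:01:00 host sshd[2201]: Failed password for root from 192.0.2.10 port 60001 ssh2
Mar 10 10:01:05 host sshd[2202]: Failed password for root from 192.0.2.10 port 60002 ssh2
Mar 10 10:01:10 host sshd[2203]: Failed password for root from 192.0.2.10 port 60003 ssh2
Mar 10 10:01:15 host sshd[2204]: Failed password for root from 192.0.2.10 port 60004 ssh2
Mar 10 10:01:20 host sshd[2205]: Failed password for root from 192.0.2.10 port 60005 ssh2
Mar 10 10:02:00 host sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
Mar 10 10:03:00 host sshd[2106]: Failed password for root from 203.0.113.5 port 50116 ssh2
Mar 10 10:06:00 host sshd[2005]: Failed password for root from 198.51.100.7 port 40005 ssh2'

# would_ban FINDTIME MAXRETRY "IGNOREIP list"   (reads the log on stdin)
# Prints each IP that reaches MAXRETRY failures inside a FINDTIME-second window,
# in the order the bans would happen. Ignored hosts are never counted, and an
# IP is reported once, just as Fail2Ban bans it once.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" -v ignore="$3" '
    BEGIN { n = split(ignore, ign, " "); for (i = 1; i <= n; i++) skip[ign[i]] = 1 }
    # Only authentication failures count: this is the core of what
    # filter.d/sshd.conf matches. "Accepted ..." lines are never failures.
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, hms, ":")
        t = hms[1] * 3600 + hms[2] * 60 + hms[3]
        ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
        if ((ip in skip) || (ip in banned)) next
        if (!(ip in head)) head[ip] = 0
        cnt[ip]++
        ts[ip, cnt[ip]] = t
        # Forget failures older than findtime seconds (sliding window)
        while (head[ip] < cnt[ip] && ts[ip, head[ip] + 1] < t - findtime) head[ip]++
        if (cnt[ip] - head[ip] >= maxretry) { banned[ip] = 1; print ip }
    }'
}

echo "findtime=600 (the [DEFAULT] window), maxretry=5, ignoreip=192.0.2.10:"
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 5 "192.0.2.10"
echo "findtime=3600 (the ssh-iptables jail), maxretry=5, ignoreip=192.0.2.10:"
printf '%s\n' "$SAMPLE_LOG" | would_ban 3600 5 "192.0.2.10"
echo "findtime=600, maxretry=5, empty ignoreip (the admin host gets locked out):"
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 5 ""
```

The slow attacker at 198.51.100.7 never trips the 10-minute default window but is caught by the 1-hour window of the jail above, which is the whole point of raising findtime; the cost is that a legitimate user who fumbles five logins across an hour is banned too, so keep your own addresses in ignoreip. To run the same kind of check against a real log with the real filter, use the tool that ships with Fail2Ban: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf reports how many lines matched and lists the ones that did not.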
Tweaking Fail2Ban Filters
If you wish to tweak the existing filters or add new filters, you can find them in the
For example, to modify Fail2Ban filter for
On Ubuntu and Linux Mint the package already configures Fail2Ban to start at boot; on CentOS/RHEL the EPEL package does not, so enable it yourself (chkconfig fail2ban on, or systemctl enable fail2ban on systemd releases).
Don't forget to restart Fail2Ban each time you change its settings (fail2ban-client reload re-reads the configuration without a full service restart):
To test Fail2Ban and see the rules it has put in effect, look at iptables: the iptables action creates one chain per jail (named fail2ban-<name> in 0.8/0.9 and f2b-<name> in 0.10 and later) and inserts a jump to it in the INPUT chain, so a banned address shows up as a DROP or REJECT rule in that chain. fail2ban-client status <jail> shows the same information from Fail2Ban's side:
Manually Unban an IP Banned by Fail2Ban
Use the following command to manually unban an IP address banned by Fail2Ban:
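Helper functions for the day-to-day checks in this section, added here as an example (not from the original article and not part of Fail2Ban itself): list what a jail has banned, inspect the jail's iptables chain, and unban an address after validating both arguments, so that a value pasted from a ticket cannot turn into extra fail2ban-client arguments. They assume the jail name used in this article (ssh-iptables; on Fail2Ban 0.9 and later the shipped jail is sshd) and that fail2ban-client is on PATH; the F2B variable exists only so the functions can be exercised on a machine without Fail2Ban installed.

```shell
#!/bin/sh
# Added example, not from the original article or the Fail2Ban project.
# Small wrappers around fail2ban-client for checking and undoing bans.
# F2B lets the functions be pointed at a stub for testing; normally leave it unset.
F2B=${F2B:-fail2ban-client}

# is_ipv4 ADDR -> exit 0 only for a dotted quad with octets 0-255.
# Keeps anything else (host names, IPv6, shell metacharacters) from reaching
# the fail2ban-client command line unvalidated.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# is_jail_name NAME -> exit 0 only for the characters jail section names use.
is_jail_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# f2b_banned JAIL -> the "Banned IP list" line of fail2ban-client status JAIL,
# as one space-separated list (empty when nothing is banned).
f2b_banned() {
    is_jail_name "$1" || { echo "bad jail name: $1" >&2; return 2; }
    "$F2B" status "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p'
}

# f2b_unban JAIL IP -> removes the ban for IP in JAIL (needs root).
f2b_unban() {
    is_jail_name "$1" || { echo "bad jail name: $1" >&2; return 2; }
    is_ipv4 "$2"      || { echo "bad IPv4 address: $2" >&2; return 2; }
    "$F2B" set "$1" unbanip "$2"
}

# f2b_chain NAME -> dump the iptables chain the iptables action created for
# NAME (f2b-NAME on 0.10 and later, fail2ban-NAME on 0.8/0.9). Needs root.
f2b_chain() {
    iptables -n -L "f2b-$1" 2>/dev/null || iptables -n -L "fail2ban-$1"
}

# Typical use after a colleague has locked themselves out:
#   . ./f2b-helpers.sh
#   f2b_banned ssh-iptables
#   f2b_chain SSH
#   f2b_unban ssh-iptables 203.0.113.5
```

The chain name passed to f2b_chain is the name= parameter of the iptables action (SSH in the jail above), not the jail name; on 0.9 and later with the default [sshd] jail both are sshd. Unbanning does not touch the failure counters, so a host that keeps guessing is banned again as soon as it reaches maxretry within findtime, which is the behaviour you want.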