Fail2ban helps to protect Linux servers from brute-force and DDOS attacks.
It scans logs for IP addresses that show malicious signs and bans those IP addresses for a specified amount of time using iptables.
This article describes how to install and configure
fail2ban on Ubuntu, CentOS and similar Linux distributions.
You’ll also learn how to protect an SSH server from DDOS and brute-force attacks and how to manually unban an IP address that was banned by
Install Fail2Ban on Ubuntu
Type the following command to install
fail2ban on Ubuntu:
$ sudo apt-get install fail2ban
Install Fail2Ban on CentOS
There is no
fail2ban package in the default CentOS repository, but it can be found in EPEL.
Once the EPEL repository is enabled, you can install
$ sudo yum install fail2ban
Configure Fail2Ban
The default
fail2ban configuration file is
However, it is not recommended to modify
Instead, we should work with a local copy called
jail.local, which will override the
Make a local copy of the
fail2ban configuration file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vi /etc/fail2ban/jail.local
Pay attention to the global options in
It covers the basic rules that
fail2ban will follow:
||Don’t ban a host which matches an address in this list. Several addresses can be defined using a space separator.|
||Duration (in seconds) for which an IP is banned. A negative number means a permanent ban. Default is 10 minutes.|
||The time window (in seconds) within which
||The number of failures before a host gets banned. Default is 3 attempts.|
If you want to set up more nuanced protection, you can override the global options and customize the details in each
jail (section with rules for each application).
Protect SSH Server with Fail2Ban
After finishing with the
[DEFAULT] section, go down and update the
[ssh-iptables] section as below:
[ssh-iptables]
# 'enabled = true' means that SSH protection is on.
# It can be turned off with 'enabled = false'.
enabled = true
# Use filter: /etc/fail2ban/filter.d/sshd.conf
filter = sshd
# Action describes the steps that Fail2Ban will take to ban a matching IP address.
# The second action sends notifications to email@example.com
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=email@example.com, sendername="Fail2Ban"]
# Log location that Fail2Ban will track
# (CentOS path; on Ubuntu sshd logs to /var/log/auth.log)
logpath = /var/log/secure
# if during 1 hour
findtime = 3600
# 5 failed login attempts would be detected
maxretry = 5
# host will be banned for 24 hours
bantime = 86400
Fail2ban is not limited to SSH. Out of the box, Fail2Ban comes with filters for various services (SSH, apache, asterisk, postfix, etc.), but only the
[ssh-iptables] jail is activated by default.
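How findtime, maxretry and bantime from the jail above interact, shown as an added example that is not part of the original article or of Fail2Ban's own code: a sliding-window simulation over constructed sshd log lines. The regex is a simplified stand-in for the sshd filter, and the ignore-list entry, sample addresses and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [ssh-iptables] jail above.
FINDTIME = timedelta(seconds=3600)
MAXRETRY = 5
BANTIME = timedelta(seconds=86400)
IGNORED = {"127.0.0.1"}  # assumed ignore-list entry, never banned
# Simplified stand-in for the sshd filter (assumption): failed passwords only.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def simulate(lines, year=2024):
    """Return [(ip, banned_at, unban_at)]; syslog has no year, so one is assumed."""
    failures = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in IGNORED or banned_until.get(ip, ts) > ts:
            continue  # ignored host, or ban still active
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # forget failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans

def fail(hms, ip, user="root"):  # builds one constructed log line (sample data)
    return f"Mar 10 {hms} host sshd[4242]: Failed password for {user} from {ip} port 50022 ssh2"

SAMPLE = (
    [fail(f"10:0{i}:00", "203.0.113.7") for i in range(5)]  # 5 failures in 4 min
    + [fail(t, "198.51.100.9", "invalid user admin")         # 5 failures, 50 min apart
       for t in ("10:00:00", "10:50:00", "11:40:00", "12:30:00", "13:20:00")]
    + [fail(f"10:0{i}:30", "127.0.0.1") for i in range(6)]  # ignored address
    + ["Mar 10 10:05:00 host sshd[4243]: Accepted password for alice from 192.0.2.10 port 50100 ssh2"]
)

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"ban {ip} at {start} until {end}")
```

Only the first address is banned: the slow guesser never accumulates 5 failures inside any one-hour window, which is the trade-off to weigh when choosing findtime and maxretry.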
Tweaking Fail2Ban Filters
If you wish to tweak the existing filters or add new filters, you can find them in the
For example, to modify
fail2ban filter for
OpenSSH, edit the following file:
$ sudo vi /etc/fail2ban/filter.d/sshd.conf
fail2ban is already configured to start during the system boot by default.
Don’t forget to restart
fail2ban each time after making any changes to its settings:
$ sudo service fail2ban restart
fail2ban and to see the rules that
fail2ban puts in effect, look at
$ sudo iptables -L
Manually UnBan IP Banned by Fail2Ban
Use the following command to manually unban an IP address banned by
$ sudo fail2ban-client set JAIL unbanip IP
192.168.1.101, that was banned according to
$ sudo fail2ban-client set ssh-iptables unbanip 192.168.1.101