DeluxHost
Back to Docs
Security·2 min read

Fail2ban: Brute Force Protection

How to install and configure Fail2ban to protect your server from SSH and web brute force attacks

Fail2ban monitors your server logs and automatically blocks IPs that attempt repeated failed logins. It's one of the most important basic security tools for any server exposed on the internet.

02

Installation

bash
# Debian/Ubuntu
apt install fail2ban -y

# CentOS/AlmaLinux
dnf install fail2ban -y

# Enable and start
systemctl enable fail2ban
systemctl start fail2ban
03

Configuration

Fail2ban uses configuration files in /etc/fail2ban/. Never modify jail.conf directly: instead create jail.local which takes precedence:

bash
nano /etc/fail2ban/jail.local

Recommended base configuration:

ini
[DEFAULT]
# Ban for 1 hour (3600 seconds)
bantime  = 3600

# Consider the interval of the last 10 minutes
findtime = 600

# Ban after 5 failed attempts
maxretry = 5

# Email notifications (optional)
# destemail = admin@example.com
# action = %(action_mwl)s

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3

[nginx-http-auth]
enabled = true

[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2

After modifying, restart:

bash
systemctl restart fail2ban
04

Useful Commands

Check Status

bash
fail2ban-client status

View Banned IPs in a Jail

bash
fail2ban-client status sshd

Unban an IP

bash
fail2ban-client set sshd unbanip IP_TO_UNBAN

Manually Ban an IP

bash
fail2ban-client set sshd banip IP_TO_BAN

View Fail2ban Logs

bash
tail -f /var/log/fail2ban.log
05

Protect Other Services

WordPress / Web Login

ini
[nginx-wordpress]
enabled  = true
port     = http,https
filter   = nginx-wordpress
logpath  = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime  = 3600

Postfix (Email)

ini
[postfix]
enabled = true
port    = smtp,465,submission
logpath = %(postfix_log)s

MySQL

ini
[mysqld-auth]
enabled = true
port    = 3306
logpath = %(mysql_log)s
06

Whitelist: Avoid Banning Yourself

Add your IP to the whitelist to avoid blocking yourself:

ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 YOUR_PUBLIC_IP

If you're the only one accessing the server, always add your IP to the whitelist before enabling Fail2ban. Otherwise you risk banning yourself after too many failed login attempts.

Related articles

Security

Base Server Hardening

Checklist of fundamental security operations to secure a new VPS before putting it into production

3 min read
Security

Change SSH Port

How to change SSH port to reduce automatic brute force attempts from bots and scanners on the internet

2 min read
Security

Users and Permissions

How to manage Linux users, groups and file permissions on your server

3 min read
Back to Docs

DeluxHost, founded in 2023, offers high-quality hosting solutions for various digital needs. We provide shared hosting, VPS, and dedicated servers with advanced security and global data centers.

© DeluxHost, All rights reserved. | VAT Number : IT17734661006
All Systems Operational

Products

VPSPlus VPSVDSPlus VDSDedicatedGame ServersDeals

About us

Contact usInfrastructureNetworkAnti-DDoS

Legal

Terms of ServicePrivacy PolicyFair use policySLA

Other

Service StatusSubmit a ticketControl panelDedicated panelLooking Glass