Introduction
Ever checked your server logs and seen thousands of failed login attempts? I did, and it was a wake-up call. Here’s how Fail2ban helped me go from nearly 6,000 failed logins to almost zero in just a few days.
When I wrote my last article, I shared two graphs that told a pretty compelling story: one showed nearly 6,000 failed login attempts, and the other, taken just one day after enabling Fail2ban, showed almost none. Fast forward five days, and I’m happy to report that failed logins are practically gone. Today, we had eight attempts, but those IP addresses were likely blocked by the firewall. The graph below shows the near-zero failed logins from November 1 until now. If you want to read the previous blog post, go here: WordPress wp-login Brute Force Protection
Why Fail2ban Matters
Fail2ban is a simple yet powerful tool that watches your logs for repeated failed login attempts and bans the offending IP addresses. It’s like having a security guard who notices suspicious behavior and locks the door before things get worse.

Before We Begin: Assumptions
To keep things straightforward, I’m assuming you:
- Have access to a Linux server (Ubuntu or similar).
- Can navigate basic Linux commands.
- Are running Apache2.
- Have root access.
Step 1: Install Fail2ban
Run these commands to install Fail2ban:
sudo apt-get update
sudo apt-get install fail2ban
Step 2: Create a Local Configuration File
Copy the default configuration and make your own local version:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Step 3: Configure Default Settings
Open /etc/fail2ban/jail.local in your editor. Here’s a basic setup you can tweak as needed:
[DEFAULT]
# Keep comments on their own lines: Fail2ban does not treat '#' as an inline comment
# Ban IP for 10 minutes
bantime = 10m
# Time window to track failures
findtime = 10m
# Number of failures before ban
maxretry = 5
# Optional email notifications
destemail = your-email@example.com
sender = fail2ban@yourdomain.com
action = %(action_mw)s
Step 4: Enable SSH Protection
Enable and configure SSH protection (the first jail section of your file):
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
Note: If you’re using Apache virtual hosts, your web server logs might be in /var/log/apache2/other_vhosts.log. Adjust the logpath of your Apache jails accordingly.
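To see how findtime, maxretry and bantime from Steps 3 and 4 combine, here is an added example (not Fail2ban's own code and not from the original setup) that replays the counting rule over a constructed log. The regex, the ISO timestamp format, the hostname web01 and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Effective [sshd] settings from the jail above (findtime comes from [DEFAULT]).
FINDTIME = timedelta(minutes=10)
MAXRETRY = 3
BANTIME = timedelta(hours=1)

# Simplified stand-in for the sshd filter (assumption), not Fail2ban's regex.
FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2025-11-01T10:00:00 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
2025-11-01T10:00:20 web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
2025-11-01T10:00:30 web01 sshd[815]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
2025-11-01T10:00:45 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
2025-11-01T10:01:00 web01 sshd[820]: Failed password for root from 198.51.100.23 port 33100 ssh2
2025-11-01T10:06:00 web01 sshd[831]: Failed password for root from 198.51.100.23 port 33100 ssh2
2025-11-01T10:12:00 web01 sshd[842]: Failed password for root from 198.51.100.23 port 33100 ssh2
"""

def simulate(log_text):
    """Return (ip, banned_at, unbanned_at) for every ban the settings produce."""
    failures = defaultdict(deque)  # ip -> timestamps still inside findtime
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ts < banned_until.get(ip, datetime.min):
            continue  # still banned; the firewall would drop this traffic
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

The second address also fails three times, but its first failure is older than findtime by the time the third arrives, so no ban is issued; if your own logs show that pattern, a longer findtime is the setting to adjust.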
Step 5: Start and Enable Fail2ban
sudo systemctl start fail2ban
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
Step 6: Check Status
Check the overall status of Fail2ban and the list of active jails:
sudo fail2ban-client status
Check the sshd jail, including its currently banned IPs:
sudo fail2ban-client status sshd
List only the banned IP addresses:
sudo fail2ban-client get sshd banip
Step 7: Add More Protections
You can monitor other services by adding sections to jail.local. For example:
[apache-auth]
enabled = true
filter = apache-auth
maxretry = 3
bantime = 1h
port = http,https
logpath = /var/log/apache*/*error.log
[postfix]
enabled = true
port = smtp,465,submission
filter = postfix
maxretry = 3
bantime = 1d
logpath = /var/log/mail.log
If you have custom authentication logs, just point Fail2ban to the right log file. You can add as many configurations as you need.
Fail2ban + iptables = Strong Defense
Fail2ban works hand-in-hand with iptables, the Linux firewall utility. When Fail2ban detects repeated failed logins, it uses iptables to block the offending IP. Once banned, that IP can’t reach your server until the ban expires—keeping your system safe from brute-force attacks.
Bottom line: Fail2ban is a lifesaver for anyone running a Linux server. It’s easy to set up, highly customizable, and dramatically reduces failed login attempts. If you haven’t implemented it yet, now’s the time.