Fail2Ban Blocks Brute-Force Attackers and Scanners

Fail2Ban is an intrusion-prevention tool that protects a server against brute-force logins and other abusive clients by watching service log files for repeated failures and temporarily banning the offending IP addresses in the firewall. It only reacts to what the monitored services log: password guessing against SSH or a web login, bots hammering an HTTP endpoint, and similar noise. A plain port scan that leaves no log line is not blocked unless you add a jail that reads your firewall's log.

What Does Fail2Ban Do?

Fail2Ban tails log files (SSH, Apache, Nginx and many others) and matches each line against a jail's filter, a set of regular expressions that extract the client IP from a failure message. When an IP accumulates maxretry matches within findtime, the jail's banaction adds a firewall rule (iptables, nftables, firewalld or ufw, depending on configuration) that rejects that address for bantime, after which the rule is removed again. The stock defaults in jail.conf are maxretry = 5, findtime = 10m and bantime = 10m, so an address is banned for ten minutes after five failures within ten minutes; individual jails can override each of these.

Installation

Step 1: Install Fail2Ban

sudo apt update
sudo apt install fail2ban

Step 2: Enable and Start the Service

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Step 3: Check Status

sudo systemctl status fail2ban

Configuration

Create a Local Configuration

Fail2Ban reads jail.conf and then applies jail.local on top of it, so never edit jail.conf directly (package upgrades replace it). Copying the whole file is the common shortcut, but jail.local only needs to contain the settings you change; a full copy shadows every default, so a later upstream fix to a value in jail.conf will have no effect on your host:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the Configuration

sudo nano /etc/fail2ban/jail.local

Important settings in the [DEFAULT] section (every jail inherits them unless it sets its own value):

[DEFAULT]
# How long an IP stays banned; accepts s/m/h/d suffixes (10m = 10 minutes, 1h, 2d)
bantime = 10m

# Sliding window in which failures are counted toward maxretry
findtime = 10m

# Failures within findtime that trigger a ban
maxretry = 5

# Email notifications (optional). action_mwl bans and then mails a report with
# whois output and the matching log lines; it needs a working local mail transport
# (sendmail) and gets noisy on an exposed host. The default, action_, only bans.
destemail = your@email.com
sendername = Fail2Ban
action = %(action_mwl)s
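As an added example (not Fail2Ban's own code, which is far larger and supports many backends and date formats), the Python script below models the decision a jail makes with findtime, maxretry, bantime and ignoreip: a sliding window of failures per address, a ban when the window fills, expiry after bantime, and a whitelist that is never counted. The auth.log lines, the simplified sshd failregex, the parse_duration helper and the Jail class are all constructed for this illustration; the real filters in /etc/fail2ban/filter.d are much more thorough.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the sshd filter's failregex (an assumption for this
# example; the real /etc/fail2ban/filter.d/sshd.conf covers many more messages).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

# Constructed auth.log excerpt for the walkthrough, not real traffic.
SAMPLE_AUTH_LOG = """\
Mar 10 08:00:01 web sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:04 web sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 10 08:00:06 web sshd[2315]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 10 08:00:09 web sshd[2317]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar 10 08:01:00 web sshd[2320]: Failed password for alice from 192.168.1.50 port 40001 ssh2
Mar 10 08:01:02 web sshd[2321]: Failed password for alice from 192.168.1.50 port 40002 ssh2
Mar 10 08:01:04 web sshd[2322]: Failed password for alice from 192.168.1.50 port 40003 ssh2
Mar 10 08:05:00 web sshd[2330]: Failed password for bob from 198.51.100.9 port 33001 ssh2
Mar 10 08:20:00 web sshd[2340]: Failed password for bob from 198.51.100.9 port 33002 ssh2
Mar 10 08:35:00 web sshd[2350]: Failed password for bob from 198.51.100.9 port 33003 ssh2
Mar 10 08:40:00 web sshd[2360]: Accepted publickey for alice from 203.0.113.7 port 51100 ssh2
Mar 10 09:05:00 web sshd[2370]: Failed password for root from 203.0.113.7 port 51200 ssh2
"""


def parse_duration(value):
    """Parse the single-unit form of a Fail2Ban duration ("10m", "1h", "48h", "600")."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = value.strip()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


class Jail:
    """One jail's ban bookkeeping, driven by log timestamps rather than the wall clock."""

    def __init__(self, findtime="10m", maxretry=5, bantime="10m", ignoreip=()):
        self.findtime = timedelta(seconds=parse_duration(findtime))
        self.bantime = timedelta(seconds=parse_duration(bantime))
        self.maxretry = maxretry
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps inside the findtime window
        self.bans = {}                      # host -> time the ban expires
        self.events = []                    # ("Ban" | "Unban", host, time)

    def is_ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        match = FAILREGEX.match(line)
        if match is None:
            return                          # successful logins and unrelated lines are skipped
        now = datetime.strptime(match["ts"], "%b %d %H:%M:%S")
        host = match["host"]
        self._expire_bans(now)
        if self.is_ignored(host) or host in self.bans:
            return                          # whitelisted, or already banned
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            self.events.append(("Ban", host, now))
            window.clear()

    def _expire_bans(self, now):
        for host, expiry in list(self.bans.items()):
            if now >= expiry:
                del self.bans[host]
                self.events.append(("Unban", host, expiry))


def run(log_text, **settings):
    jail = Jail(**settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


def demo(findtime="10m"):
    """Replay the sample log with the tutorial's sshd settings; return the ban/unban sequence."""
    jail = run(SAMPLE_AUTH_LOG, findtime=findtime, maxretry=3, bantime="1h",
               ignoreip=("127.0.0.1/8", "::1", "192.168.1.0/24"))
    return [(kind, host) for kind, host, _ in jail.events]


if __name__ == "__main__":
    for kind, host in demo():
        print(kind, host)
```

With findtime = 10m the three failures from 198.51.100.9 are fifteen minutes apart, so the window never holds more than one and no ban is issued; replay with demo("1h") and the same lines do trigger a ban, which is the trade-off findtime controls. The 192.168.1.50 failures are never counted because the address falls inside the ignoreip network.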

Configuring Jails

Protect SSH (Enabled by Default on Debian/Ubuntu)

On Debian and Ubuntu the package switches the sshd jail on through /etc/fail2ban/jail.d/defaults-debian.conf; the block below tightens its thresholds:

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h

If /var/log/auth.log does not exist because the host logs only to the systemd journal (a default Debian 12 installation ships without rsyslog), the jail fails to start with a missing-logpath error. Set backend = systemd in the jail, or in [DEFAULT], so Fail2Ban reads sshd messages from journald instead.

Protect Apache

[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log

[apache-badbots]
enabled = true
port = http,https
logpath = /var/log/apache2/access.log
bantime = 48h
maxretry = 1

[apache-noscript]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log

Protect Nginx

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log

[nginx-limit-req]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log

Protect PHP Applications (Remote File Inclusion Probes)

The php-url-fopen jail reads the web server access log and bans clients whose requests carry a URL in a query-string parameter (?page=http://...), the classic probe for PHP remote file inclusion. It applies to any PHP site, WordPress included; point logpath at the access log of whichever server you run.

[php-url-fopen]
enabled = true
port = http,https
logpath = /var/log/apache2/access.log

Restart or Reload Fail2Ban After Configuration Changes

sudo systemctl restart fail2ban

Instead of a full restart you can run sudo fail2ban-client reload, which re-reads the configuration in place. In either case current bans survive: Fail2Ban persists them in its SQLite database and re-applies those that have not yet expired on startup.

Monitoring

View Blocked IPs

sudo fail2ban-client status

View Specific Jail

sudo fail2ban-client status sshd

View Ban History Across All Jails

sudo zgrep 'Ban' /var/log/fail2ban.log*

This searches the current and rotated logs and lists every Ban (and Restore Ban) event ever logged, which is history, not what is blocked right now. For the current ban list of every jail in one go use sudo fail2ban-client banned.

Live Monitoring of Ban Events

sudo tail -f /var/log/fail2ban.log
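To get more out of fail2ban.log than a grep, the added Python script below (not part of Fail2Ban) parses the Ban, Restore Ban and Unban lines that the fail2ban.actions logger writes and reports how many bans each jail issued, which addresses keep coming back, and which (jail, address) pairs are still banned at the end of the log, meaning banned with no later Unban. The log excerpt is constructed in the format Fail2Ban uses; column padding varies between versions, so the regex matches on whitespace rather than fixed positions.

```python
import re
from collections import Counter

# Constructed fail2ban.log excerpt in the NOTICE format fail2ban.actions writes.
SAMPLE_FAIL2BAN_LOG = """\
2024-03-10 08:00:06,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-03-10 08:35:00,101 fail2ban.actions        [812]: NOTICE  [apache-badbots] Ban 198.51.100.9
2024-03-10 09:00:06,530 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-03-10 09:10:12,009 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2024-03-10 09:10:11
2024-03-10 09:12:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-03-10 09:30:00,000 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
2024-03-10 09:40:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 192.0.2.44
"""

# Only action lines count; filter "Found" lines are matches that did not (yet) lead to a ban.
BAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<action>Restore Ban|Ban|Unban)\s+(?P<host>\S+)$"
)


def summarize(log_text):
    """Count bans per jail and per host, and track which (jail, host) pairs are still banned."""
    bans_per_jail = Counter()
    bans_per_host = Counter()
    active = set()  # (jail, host) pairs banned with no later Unban
    for line in log_text.splitlines():
        m = BAN_LINE.match(line)
        if m is None:
            continue
        key = (m["jail"], m["host"])
        if m["action"] == "Unban":
            active.discard(key)
        else:  # "Ban", or "Restore Ban" (a ban re-applied from the database after a restart)
            active.add(key)
            bans_per_jail[m["jail"]] += 1
            bans_per_host[m["host"]] += 1
    return {
        "bans_per_jail": dict(bans_per_jail),
        "bans_per_host": dict(bans_per_host),
        "active": sorted(active),
    }


def repeat_offenders(summary, min_bans=2):
    """Hosts banned at least min_bans times: candidates for a longer bantime or a static firewall rule."""
    return sorted(host for host, n in summary["bans_per_host"].items() if n >= min_bans)


if __name__ == "__main__":
    report = summarize(SAMPLE_FAIL2BAN_LOG)
    for jail, count in sorted(report["bans_per_jail"].items()):
        print(f"{jail}: {count} bans")
    print("still banned:", report["active"])
    print("repeat offenders:", repeat_offenders(report))
```

On a real host feed it the file contents, for example summarize(open("/var/log/fail2ban.log").read()); rotated logs can be concatenated first. The "active" list is derived purely from the log, so it drifts from the truth if the log was rotated mid-ban; fail2ban-client status <jail> remains the authoritative view.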

Manual IP Management

Unblock an IP

sudo fail2ban-client set sshd unbanip 192.168.1.100

Block an IP Manually

sudo fail2ban-client set sshd banip 192.168.1.100

Check Firewall Rules

With the default banaction (iptables-multiport) Fail2Ban creates one chain per jail, named f2b-<jail> (for example f2b-sshd), and inserts a reject rule for each banned address. List them:

sudo iptables -L -n

If you set banaction = nftables the rules live in Fail2Ban's own table in the nftables ruleset instead (nft list ruleset shows it). With UFW:

sudo ufw status numbered

UFW only shows Fail2Ban's bans if the jails use banaction = ufw; with the default iptables actions the bans sit in the f2b-* chains, which ufw status does not display.

Troubleshooting

Fail2Ban Won't Start

Check for configuration errors first. The -t option loads and validates every config file without starting the server, and reports the file and line of a syntax error or a missing logpath:

sudo fail2ban-client -t

View Logs

sudo journalctl -u fail2ban -n 100

Dump the Effective Configuration

If a setting does not seem to take effect, dump the fully merged configuration (jail.conf, jail.local and everything under jail.d) to see which value actually wins:

sudo fail2ban-client -d

Reset Fail2Ban Database

If the SQLite database is corrupt (errors mentioning fail2ban.sqlite3 in the log), stop the service, delete the file and start again. Fail2Ban recreates an empty database on start; every persisted ban is lost, so addresses that were banned will be free until they fail again:

sudo systemctl stop fail2ban
sudo rm /var/lib/fail2ban/fail2ban.sqlite3
sudo systemctl start fail2ban

Whitelist (IPs That Should Never Be Blocked)

Add trusted addresses, CIDR networks or hostnames to ignoreip in /etc/fail2ban/jail.local. Matching clients are never banned by any jail, whatever they do, so keep the list short: the loopback addresses, the network you administer from, and your own static address in place of the placeholder.

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 your.static.ip.address

Best Practices

  1. Fail2Ban limits the rate of failures; it is not a replacement for strong authentication - use SSH keys, disable password logins where you can, and keep application passwords strong
  2. Monitor regularly - review fail2ban.log and the jail status for repeat offenders and for jails that never ban anything (usually a filter that does not match your log format)
  3. Test configurations - run fail2ban-client -t before every restart, and check a filter against a real log with fail2ban-regex (for example fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf) to confirm it matches the lines you expect
  4. Backup configurations - keep copies of jail.local and of any custom filters you add under filter.d
  5. Combine with other security tools - a host firewall such as UFW or nftables, SSH keys and timely updates; Fail2Ban is one layer among several
