This article demonstrates how to install and configure fail2ban to help secure a server. With fail2ban, you can configure your server to automatically block IP addresses that engage in suspicious activity.
The fail2ban application monitors server log files for intrusion attempts and other suspicious activity. After a predefined number of failures from a host, fail2ban blocks its IP address automatically for a specific duration.
With fail2ban, you can help secure your server against unauthorized access attempts. It is particularly effective in reducing the risk from scripted attacks and botnets.
To install the fail2ban package for your Linux distribution:
For Debian and Ubuntu, type the following command:
apt-get install fail2ban
For CentOS and Fedora, type the following command:
yum install fail2ban
After you install fail2ban, you are ready to configure it. To do this, follow these steps:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Locate the [DEFAULT] section, which contains the following global options:
ignoreip = 127.0.0.1/8 126.96.36.199
With fail2ban's global options configured, you are now ready to enable and disable jails for the specific protocols and services you want to protect. By default, fail2ban monitors SSH login attempts (you can search for the [ssh-iptables] section in the jail.local file to view the specific settings for the SSH jail).
To restart the fail2ban service and load the new configuration, type the following command:
service fail2ban restart
To display a list of IP addresses currently banned by fail2ban, type the following command:
For example, the following line shows an IP address that the SSH jail has banned:
-A fail2ban-SSH -s 10.0.1.124/32 -j REJECT --reject-with icmp-port-unreachable