How to Install Fail2Ban in 2025
Install Fail2Ban
Fail2Ban is a log-parsing application that helps protect Linux servers from malicious attacks, particularly brute-force attacks. It works by monitoring system logs for suspicious activity, such as repeated failed login attempts, and then automatically blocking the IP address of the attacker from accessing the server. This blocking is usually achieved by adding rules to the server's firewall (e.g., iptables).
To install Fail2Ban:
We then need to start and enable the service:
We can ensure the service is running with:
You can skip to part 5 because the default install is fine, but if you would like to be more specific you can read the following configuration options for Fail2Ban.
Basic Configuration
Fail2ban uses "jails" to define which services to monitor and how to respond to suspicious activity.
- Create a local configuration file:
  Never edit the default jail.conf directly, as it may be overwritten during updates. Instead, copy it. Or, you can create/edit /etc/fail2ban/jail.local directly if it doesn't exist.
- Edit the configuration:
  - Common settings to review:
    - ignoreip — IPs to never ban (e.g., your own).
    - bantime — How long (in seconds) a ban lasts (e.g., 3600 for 1 hour).
    - findtime — Time window for counting failures (e.g., 600 for 10 minutes).
    - maxretry — Number of failures before ban (e.g., 3).
  - Example:
- Enable and configure a jail (e.g., SSH):
  In the same jail.local file, ensure you have:
  This will protect SSH from brute-force attacks.
- Restart Fail2ban to apply changes:
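How the ignoreip, bantime, findtime and maxretry settings described above interact, shown as an added example that is not part of the original page and not Fail2Ban's own code: a simplified Python model run over constructed sshd log lines. The log format, the addresses (including the ignoreip entry 203.0.113.10) and the simulate function are assumptions for illustration; the numeric values are the ones suggested in the settings list.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Values from the settings list above; the second ignoreip entry is a constructed address.
IGNOREIP = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("203.0.113.10/32")]
BANTIME = timedelta(seconds=3600)   # 1 hour
FINDTIME = timedelta(seconds=600)   # 10 minutes
MAXRETRY = 3

# Constructed sshd log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
2025-01-10T08:00:00 sshd[911]: Failed password for root from 198.51.100.7 port 40001 ssh2
2025-01-10T08:02:00 sshd[912]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
2025-01-10T08:03:00 sshd[913]: Failed password for root from 203.0.113.10 port 50001 ssh2
2025-01-10T08:03:10 sshd[914]: Failed password for root from 203.0.113.10 port 50002 ssh2
2025-01-10T08:03:20 sshd[915]: Failed password for root from 203.0.113.10 port 50003 ssh2
2025-01-10T08:09:00 sshd[916]: Failed password for root from 198.51.100.7 port 40003 ssh2
2025-01-10T08:20:00 sshd[917]: Failed password for root from 192.0.2.44 port 60001 ssh2
2025-01-10T08:29:00 sshd[918]: Failed password for root from 192.0.2.44 port 60002 ssh2
2025-01-10T08:31:00 sshd[919]: Failed password for root from 192.0.2.44 port 60003 ssh2
"""

FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(log_text):
    """Return {ip: (ban_start, ban_end)} under a simplified findtime/maxretry model."""
    failures, bans = {}, {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in IGNOREIP):
            continue  # ignoreip: never counted, never banned
        if ip in bans and ts < bans[ip][1]:
            continue  # ban still active; the firewall rule would drop this attempt
        # Keep only earlier failures that fall inside the findtime window, then add this one.
        recent = [t for t in failures.get(ip, []) if ts - t <= FINDTIME] + [ts]
        failures[ip] = recent
        if len(recent) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)  # ban lasts bantime seconds
            failures[ip] = []
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"{ip} banned from {start} until {end}")
```

Only 198.51.100.7 is banned: 203.0.113.10 matches ignoreip, and the failures from 192.0.2.44 never reach three inside a single 600-second window, which is the case a longer findtime is meant to cover.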
Verify Fail2ban Operation
- Check the status of all jails:
- Check the status of a specific jail (e.g., SSH):