Are you tired of brute-force attacks hammering your server? Worried about automated robots crippling your website or application? You’re not alone.
Millions of servers face relentless attacks daily, but there’s a powerful, free tool that can significantly improve your security: Fail2Ban.
This comprehensive guide will explore everything you need to know about Fail2Ban, from its basic functionality and installation (on Ubuntu) to more advanced features such as whitelisting IP addresses, as well as its applications for securing various services.
But first, let’s explore Fail2Ban and how it works with iptables to banish malicious IPs!
What is Fail2Ban?
Fail2Ban is an intrusion prevention system that can block attackers from accessing your server. It can be thought of as an automated bouncer that watches your server’s log files for suspicious activity and kicks out bad actors before they can cause trouble.
It constantly scans your server’s logs, looking for anyone repeatedly trying to guess passwords or force their way in. While it started as a simple SSH protector, Fail2Ban can be configured to monitor almost everything on your server – from your website traffic to email services and file transfer systems.
Suggested read: How To Use Fail2Ban With WordPress And Cloudflare Proxy
Benefits of Using Fail2Ban
Using Fail2Ban brings real, practical benefits to your server security as it stops automated attacks by blocking suspicious IP addresses before they can break in. This means your server isn’t wasting time and power dealing with these attacks, freeing up resources to serve other customers and keeping your server fast and responsive for real users.
System administrators love that Fail2Ban keeps detailed records of who tried to break in and when. These records help administrators spot patterns in attack attempts. The best part? You can easily tweak its rules to match your specific needs – whether you want to be super strict or a bit more lenient with login attempts. This flexibility makes Fail2Ban very useful in a number of different applications.
Suggested read: 10 Security Tips to Secure VPS Server in 2024? [Ultimate Guide]
How Does Fail2Ban Work?
Fail2Ban does its job through a clever but simple process. It reads your server’s log files in real time and scans for things like failed login attempts or suspicious requests. When it spots someone trying to log in with the wrong password too many times, it automatically blocks their IP address using your server’s firewall.
This blocking system works through what technicians call “jails” – separate security rules for different services on your server. Each jail acts like a security checkpoint, with its own set of rules about what’s suspicious, how many strikes before you’re blocked, and how long the timeout should last. You can set up these jails differently for each service according to your requirements.
Suggested read: 3 Ways to Fix Too Many Authentication Failures SSH Root? [SOLVED]
How to Set Up & Install Fail2Ban on Linux Ubuntu
In this section, we will explain how to set up and install Fail2Ban on your Ubuntu server.
Note: If you’re using RunCloud, you’re in luck! Fail2Ban comes pre-installed with all RunCloud servers, so you can skip the installation steps and jump straight to configuration.
Installing Fail2Ban
Installing Fail2Ban is as simple as it could be. First, you need to connect to your server’s terminal via SSH and update your package list by executing the following command:
sudo apt update
Next, you can execute the following command to install Fail2Ban using Ubuntu’s package manager:
sudo apt install fail2ban -y
This command will install the necessary packages required for Fail2Ban. Once installation is finished, you can check if it is up and running by executing the following command:
sudo systemctl status fail2ban
Setting Up the Configuration Files
After installing Fail2Ban, create a local configuration file to store your custom settings. Fail2Ban reads jail.local after jail.conf, so values in jail.local override the shipped defaults and are not overwritten by package updates. Execute the following command to create the local configuration from the default file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Next, you need to open the local configuration file with your favorite text editor. If this is your first time using a command-line editor, we recommend reading our blog post on editing files on remote servers with SSH and Nano.
sudo nano /etc/fail2ban/jail.local
Basic Configuration Settings
Once you open the configuration file, scroll down until you find the [DEFAULT] section and adjust these common settings:
bantime = 10m # how long to ban an IP
findtime = 10m # time window to look for attempts
maxretry = 5 # number of attempts before ban
The names of each setting in the configuration file are pretty self-explanatory, but if you need additional help, you can refer to Fail2Ban’s official documentation.
Suggested read: PHP Security – Best Practices To Secure Your Web App in 2024
Check Active Jails & Banned IPs
You can easily see all active jails and banned IPs on your server by executing the following command in your terminal:
sudo fail2ban-client status
Note: If you’re using RunCloud, you can see the list of banned IP addresses by navigating to the Security > Fail2Ban tab in your server settings.
Suggested read: 11 Alternatives To reCAPTCHA to Protect Your Site from Spam
Managing Banned IPs
You can view all banned IPs in a specific jail (such as SSH) by executing the following command:
sudo fail2ban-client status sshd
The output shows how many IPs are currently banned in the jail and lists them; in our example, the sshd jail had no banned IPs. To check a different jail, replace sshd with the name of that jail.
Monitoring Fail2Ban Logs
Fail2Ban logs provide a real-time window into your server’s security by showing you exactly who’s trying to break in, when they attempted it, and whether they were successfully blocked. You can read these logs by checking /var/log/fail2ban.log, or you can execute the following command to follow the Fail2Ban log in real time:
sudo tail -f /var/log/fail2ban.log
Suggested read: Best Practices to Secure a Docker Container
How to Configure Fail2Ban
Let’s see how to configure your Fail2Ban server to add and remove jails.
Pro Tip: If you’re using RunCloud, most of these configurations come pre-set with sensible defaults. RunCloud also provides an easy-to-use interface for monitoring banned IPs and managing your security settings without touching the command line.
Configuring SSH Protection
You can modify SSH jail settings in Fail2Ban to protect your server against brute-force attacks. This method monitors failed login attempts and automatically bans suspicious IPs that exceed the allowed retry limit.
RunCloud users don’t need to worry about manually configuring SSH protection as it comes pre-configured with optimal security settings. However, if you want to configure it manually, then you can modify the following parameters in your configuration file as per your requirement:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
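To make the precedence concrete, here is an added example (not code from the original post or from RunCloud) that models how Fail2Ban combines jail.conf, jail.local and the [DEFAULT] section, using the values from this guide and Python’s configparser, and converts the 10m/24h/1w duration suffixes Fail2Ban accepts into seconds. It assumes the two constructed file snippets shown and leaves out Fail2Ban’s jail.d include directory and value interpolation.

```python
# Added example, not code from the original post: a simplified model of how
# Fail2Ban layers jail.local over jail.conf and how a jail inherits [DEFAULT]
# values. Real Fail2Ban also reads jail.d/*.conf and does %(name)s
# interpolation, which this model leaves out.
import configparser
import re

# Constructed stand-ins for the two files; the real jail.conf is far longer.
JAIL_CONF = """
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
[sshd]
enabled = false
port = ssh
logpath = /var/log/auth.log
"""

JAIL_LOCAL = """
[sshd]
enabled = true
maxretry = 3
bantime = 24h
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert a Fail2Ban duration such as 10m, 24h or 1w into seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]  # bare number = seconds

def effective_jail(jail, *layers):
    """Settings for `jail` after reading each layer in order: later layers
    (jail.local) override earlier ones (jail.conf) key by key, and keys the
    jail does not set itself fall back to [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)  # repeated sections merge, as in Fail2Ban
    return dict(cp[jail])

if __name__ == "__main__":
    sshd = effective_jail("sshd", JAIL_CONF, JAIL_LOCAL)
    for key in ("enabled", "maxretry", "bantime", "findtime", "logpath"):
        print(f"{key:9}= {sshd[key]}")
    print("sshd ban lasts", to_seconds(sshd["bantime"]), "seconds")
```

Running it shows the sshd jail ending up with maxretry = 3 and bantime = 24h from jail.local while findtime = 10m is still inherited from [DEFAULT].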
Suggested read: DKIM – What Is It & Why Your Emails Need It
Setting Up Multiple IP Ignoring
If you work in an organization, you may have a fixed set of IP addresses for different computers. You can whitelist multiple IP addresses for each of your devices – like your home office, development team, or content managers – to ensure that you never accidentally get banned from accessing your server.
Add the following line to the [DEFAULT] section of your configuration file to whitelist trusted IP addresses or CIDR blocks (entries are separated by spaces), making sure to replace the sample addresses with your own:
# Under [DEFAULT]
ignoreip = 127.0.0.1/8 23.45.67.89 your.home.ip.here
Tip: Want to enhance your WordPress security while using Cloudflare? Check out our detailed guide on “How To Use Fail2Ban With WordPress And Cloudflare Proxy” to learn how to configure Fail2Ban correctly when your website is behind Cloudflare’s proxy. This guide specifically explains how to ensure Fail2Ban correctly identifies potential attackers’ real IP addresses instead of Cloudflare’s IPs.
Removing Banned IPs in Fail2Ban
If you accidentally fail too many login attempts, then you will need to wait for the cooldown period to be over before you can try to log in again. Or, if you are in a hurry, you can execute the following command to remove the provided IP address from the ban list:
sudo fail2ban-client set sshd unbanip 123.123.123.123
While you could use Fail2Ban commands directly, RunCloud makes this much easier through its intuitive dashboard. Just navigate to the ‘Security’ section, find the banned IP, and click to unban it – no command line is needed!
Read our post titled “How to Unban IP Address in Fail2Ban” to get step-by-step instructions.
Enable Recidive Jail
Recidive jail is like a “super ban” feature in Fail2Ban that tracks repeat offenders who continue to attack your server even after their initial ban expires. When an IP address gets banned multiple times within a specific timeframe, the recidive jail kicks in and implements a much longer ban duration (usually a week or more) to provide stronger protection against persistent attackers.
Think of it as Fail2Ban’s way of saying, “You’ve been warned multiple times, now you’re really not welcome here.”
It’s particularly effective against automated bots and aggressive attackers who might otherwise wait out shorter ban periods and resume their attacks.
You can enable it by adding the following code snippet to your configuration file:
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
bantime = 1w
findtime = 1d
maxretry = 3
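As an added example (not code from the original post), the following script applies the recidive rule above to Fail2Ban’s own log, the same file the Monitoring Fail2Ban Logs section tails: it parses constructed fail2ban.log lines in Fail2Ban’s real line format and reports the IPs that would be banned again under maxretry = 3 and findtime = 1d. The filter regex is a simplified version of the stock recidive filter, and the addresses are documentation-only TEST-NET values.

```python
# Added example, not code from the original post: applies the recidive rule to
# Fail2Ban's own log. The lines below are constructed samples in fail2ban.log's
# real format, using documentation-only (TEST-NET) addresses.
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01 08:00:01,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 08:10:01,456 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-01 09:00:07,789 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 09:30:00,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.20
2024-03-01 11:15:42,002 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-03 12:00:00,003 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.20
2024-03-04 13:00:00,004 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.20
"""

# Only "Ban" lines from jails other than recidive itself count; Unban lines and
# everything else are ignored. Simplified from the stock recidive filter regex.
BAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?!recidive\])(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)

def parse_bans(log_text):
    """Return {ip: [ban timestamps]} from fail2ban.log text."""
    bans = {}
    for line in log_text.splitlines():
        m = BAN_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            bans.setdefault(m.group("ip"), []).append(ts)
    return bans

def recidive_candidates(log_text, maxretry=3, findtime=86400):
    """IPs banned at least `maxretry` times inside any `findtime`-second window
    (the recidive jail above: maxretry = 3, findtime = 1d = 86400 s)."""
    window = timedelta(seconds=findtime)
    hits = []
    for ip, times in parse_bans(log_text).items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                hits.append(ip)
                break
    return sorted(hits)

if __name__ == "__main__":
    print("would be recidive-banned:", recidive_candidates(SAMPLE_LOG))
```

With the sample log, only 203.0.113.5 (three bans within about three hours) qualifies; 198.51.100.20 was also banned three times, but spread over three days, so a 1d findtime does not catch it.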
Restart/Reload Fail2Ban
After you make any configuration changes, you must reload the settings for them to take effect. You can do this by running the following command in your terminal:
sudo systemctl reload fail2ban
Final Thoughts
In this comprehensive guide, we’ve covered everything from understanding Fail2Ban’s core functionality to its installation and configuration. We’ve seen how this powerful security tool can protect against brute-force attacks, suspicious activities, and potential security breaches.
But if all of this sounds complicated, you’ll be delighted to know that you don’t need to be a Linux expert to implement robust server security anymore.
RunCloud makes server security accessible to everyone by including Fail2Ban pre-installed and pre-configured on all servers.
But that’s just the beginning of RunCloud’s security features.
You get SSH key vaults, automated SSL certificate management, web application firewall (WAF) rules, and real-time security monitoring – all managed through an intuitive dashboard. Imagine handling IP bans, checking security logs, and managing firewall rules with just a few clicks instead of complex command lines!
Ready to Secure Your Server?
Start your free RunCloud trial today and experience how easy server management can be. With plans starting from as little as the cost of a dinner per month, you get enterprise-grade security features without the enterprise-level complexity.
FAQs on Fail2Ban
What is the difference between Fail2Ban jail.conf and jail.local?
The jail.conf file contains default settings and gets overwritten during system updates, making it unsuitable for custom configurations. The jail.local file, which takes precedence over jail.conf, is where you should store your custom Fail2Ban settings to ensure they persist through updates.
Is Fail2Ban safe?
Fail2Ban is considered a safe and reliable security tool that’s widely used by system administrators worldwide. With RunCloud’s pre-configured Fail2Ban settings, you get an additional layer of security that’s been carefully tuned for optimal protection without risking false positives.
What is the difference between Fail2Ban and UFW?
Fail2Ban is a dynamic intrusion prevention system that automatically blocks suspicious IP addresses based on their behavior, while UFW (Uncomplicated Firewall) is a static firewall that manages incoming and outgoing traffic based on predefined rules. While they serve different purposes, they work well together, and RunCloud manages both for complete server protection.
How do I ignore my IP address in Fail2Ban?
You can add your IP address to the ignoreip list in the jail.local configuration file under the [DEFAULT] section. RunCloud makes this process even easier through its dashboard, where you can whitelist IPs with just a few clicks.
How do I stop Fail2Ban?
To stop Fail2Ban on your server, you first need to log in to it via SSH, and then you can use the command sudo systemctl stop fail2ban in your terminal.
Does Fail2Ban work on SSH?
Yes, Fail2Ban excellently protects SSH by monitoring login attempts and blocking suspicious IPs trying to brute force their way in. RunCloud servers come with pre-configured SSH protection through Fail2Ban, providing immediate security against SSH attacks right from the start.
Is Fail2Ban a WAF?
No, Fail2Ban is not a Web Application Firewall (WAF) but rather an intrusion prevention system that monitors logs for suspicious activity. For comprehensive security, RunCloud provides both Fail2Ban and additional security features that complement WAF functionality.
Does Fail2Ban need iptables?
Fail2Ban traditionally uses iptables or similar firewall backends to implement its banning actions. RunCloud handles all the firewall configurations automatically, ensuring Fail2Ban works perfectly with your server’s firewall setup.
How much does Fail2Ban cost?
Fail2Ban is completely free and open-source software. When you use RunCloud, Fail2Ban comes pre-installed and pre-configured as part of your server management package, adding professional-grade security at no additional cost.