Brute-force attacks are automated attempts to guess your server's password by trying thousands of combinations per minute. To protect your SSH service, we recommend installing **Fail2Ban**.
Fail2Ban monitors your log files. If it detects too many failed login attempts from a specific IP address within a short time, it updates the firewall to temporarily ban that IP.
1. Installation
AlmaLinux / Rocky Linux / CentOS 8+
These systems use the dnf package manager. You must enable the EPEL repository first.
```bash
sudo dnf update -y
sudo dnf install epel-release -y
sudo dnf install fail2ban -y
```
Ubuntu / Debian
Fail2Ban is available in the default repositories.
```bash
sudo apt update
sudo apt install fail2ban -y
```
2. Configuration (The jail.local file)
Fail2Ban comes with a default config file (jail.conf), but you should never edit this file directly, as it gets overwritten during updates.
Instead, create a local copy called jail.local.
1. Create the file:
```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
```
2. Find the [DEFAULT] section and adjust the settings to your needs. Then, verify the [sshd] section is enabled.
```ini
[DEFAULT]
# Whitelist your own IP (space separated) to prevent locking yourself out!
ignoreip = 127.0.0.1/8 ::1 1.2.3.4
# How long should an IP be banned? (e.g. 1 day = 86400 seconds)
bantime = 86400
# How many failures are allowed before banning?
maxretry = 3
# Within what timeframe should we count the failures? (e.g. 10 minutes)
findtime = 600

[sshd]
enabled = true
```
3. Save the file and restart the service to apply changes:
```bash
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
```
Always add your office/home static IP to the ignoreip line. This prevents you from accidentally banning yourself if you type a wrong password.
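To see how maxretry, findtime and ignoreip interact, the following Python simulation applies the settings above to a handful of log lines. It is an added example, not Fail2Ban's own code and not part of the original guide; the regex, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Values taken from the [DEFAULT] section above.
MAXRETRY, FINDTIME = 3, 600
IGNOREIP = ["127.0.0.1/8", "::1", "1.2.3.4"]

# Simplified pattern (assumption): Fail2Ban's own sshd filter is more extensive.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Constructed sample log: ISO timestamps and documentation-range IPs.
SAMPLE_LOG = """\
2024-05-01T10:00:00 srv sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
2024-05-01T10:00:00 srv sshd[102]: Failed password for root from 198.51.100.9 port 5001 ssh2
2024-05-01T10:00:10 srv sshd[103]: Failed password for admin from 1.2.3.4 port 6001 ssh2
2024-05-01T10:00:20 srv sshd[104]: Failed password for admin from 1.2.3.4 port 6002 ssh2
2024-05-01T10:00:30 srv sshd[105]: Failed password for admin from 1.2.3.4 port 6003 ssh2
2024-05-01T10:02:00 srv sshd[106]: Failed password for invalid user test from 203.0.113.7 port 4002 ssh2
2024-05-01T10:04:00 srv sshd[107]: Failed password for root from 198.51.100.9 port 5002 ssh2
2024-05-01T10:05:00 srv sshd[108]: Failed password for root from 203.0.113.7 port 4003 ssh2
2024-05-01T10:11:00 srv sshd[109]: Failed password for root from 198.51.100.9 port 5003 ssh2
"""

def is_ignored(ip):
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)

def simulate(log_text):
    """Return {ip: time of ban} for IPs reaching MAXRETRY failures within FINDTIME seconds."""
    failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    banned = {}                   # ban expiry (bantime) is not modelled here
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if is_ignored(ip) or ip in banned:
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= FINDTIME] + [ts]
        failures[ip] = recent     # failures older than findtime are forgotten
        if len(recent) >= MAXRETRY:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    print({ip: when.isoformat() for ip, when in simulate(SAMPLE_LOG).items()})
```

Only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its first failure is more than 600 seconds before the third, and 1.2.3.4 is skipped because it is listed in ignoreip.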
3. Monitoring & Managing Bans
Check Status
To see how many IPs are currently banned:
```bash
sudo fail2ban-client status sshd
```
How to Unban an IP
If you or a colleague accidentally got blocked, you can manually remove the ban using the client.
```bash
# Syntax: fail2ban-client set [Jail Name] unbanip [IP Address]
sudo fail2ban-client set sshd unbanip 192.168.1.50
```