Skip to content

How to Configure Fail2Ban for Server Defence

Key idea:

Fail2Ban is an open-source IDS blocking IPs after N failed attempts. Linux-server security standard. Protects: SSH brute-force, web-app login bruteforce, CMS scanning. Setup in 30 min: apt install fail2ban → jail.local → restart. Supports iptables + nftables + firewalld.

Below: step-by-step, working examples, common pitfalls, FAQ.

Check your site's security →

Step-by-Step Setup

  1. Install: apt install fail2ban (Debian/Ubuntu) or yum install fail2ban (RHEL)
  2. Copy: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  3. In jail.local: [DEFAULT] bantime = 3600; findtime = 600; maxretry = 3
  4. Enable SSH jail: [sshd] enabled = true
  5. For web app: create a custom filter in /etc/fail2ban/filter.d/myapp.conf
  6. Restart: systemctl restart fail2ban
  7. Monitor: fail2ban-client status sshd shows banned IPs + stats

Working Examples

ScenarioConfig
/etc/fail2ban/jail.local (SSH)[sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 3600
Custom filter for nginx login# /etc/fail2ban/filter.d/nginx-login.conf [Definition] failregex = .*POST /login HTTP.* 401 ignoreregex =
Enable nginx-login jail[nginx-login] enabled = true port = http,https filter = nginx-login logpath = /var/log/nginx/access.log maxretry = 5 findtime = 300 bantime = 1800
Unban IP manuallyfail2ban-client set sshd unbanip 1.2.3.4
Telegram alerts on banaction = %(action_mwl)s + telegram-action # custom action

Common Pitfalls

  • Forgot ignoreip with your admin IP — you get banned
  • bantime = 1h vs aggressive bots = they return every hour with a fresh IP
  • maxretry = 10 — too liberal for SSH (attacker gets 10 password tries)
  • No persistent banning — restart wipes bans (default behaviour)
  • nginx log format differs from default fail2ban filter — nothing banned

TL;DR: Setting Up Fail2Ban

To set up Fail2Ban for brute-force defense, install it using your package manager (e.g., sudo apt install fail2ban on Ubuntu). Configure the jail settings in /etc/fail2ban/jail.local to specify monitored services and ban durations. Start the service with sudo systemctl start fail2ban and enable it at boot using sudo systemctl enable fail2ban. Regularly check logs with fail2ban-client status to monitor activity.

Installing Fail2Ban

Fail2Ban is a powerful tool designed to prevent brute-force attacks by monitoring log files and banning IP addresses that exhibit suspicious behavior. To install Fail2Ban, follow these steps:

  1. Update your package index by running:

    sudo apt update
  2. Install Fail2Ban using your package manager:

    sudo apt install fail2ban
  3. Once installed, check that Fail2Ban is active by running:

    sudo systemctl status fail2ban

Upon successful installation, Fail2Ban will start with a default configuration that monitors several services, including SSH. However, to tailor it to your specific needs, you should create a local configuration file.

To do this:

  1. Copy the default configuration file to create a local configuration:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  2. Edit the local configuration file using your preferred text editor:

    sudo nano /etc/fail2ban/jail.local

In the jail.local file, you can enable or disable jails for specific services. For example, to enable SSH protection, ensure the following section is uncommented:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 600

Here, maxretry specifies the number of failed login attempts before an IP is banned, and bantime defines how long the ban lasts in seconds (600 seconds equals 10 minutes).

After saving your changes, restart the Fail2Ban service to apply the new settings:

sudo systemctl restart fail2ban

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Does Fail2Ban block IPv6?

Yes, if your iptables/nftables v6 support is enabled. <code>fail2ban-client status</code> shows mixed v4/v6 bans.

Will it block legitimate users?

Theoretically yes if maxretry is low. Mitigation: sensible maxretry (3-5), bantime not too long (1-24 h), ignoreip for known IPs.

Fail2Ban replacement?

CrowdSec — modern alternative with community threat feed. Fail2Ban still simpler for single-server setups.

How to monitor banned IPs?

<code>fail2ban-client status [jail]</code> or parse <code>/var/log/fail2ban.log</code>. For Enterno <a href="/en/security">Security Scanner</a> shows security posture.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.