Fail2Ban is an open-source IDS blocking IPs after N failed attempts. Linux-server security standard. Protects: SSH brute-force, web-app login bruteforce, CMS scanning. Setup in 30 min: apt install fail2ban → jail.local → restart. Supports iptables + nftables + firewalld.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — website security scanner: instant results, no signup.
apt install fail2ban (Debian/Ubuntu) or yum install fail2ban (RHEL)cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local[DEFAULT] bantime = 3600; findtime = 600; maxretry = 3[sshd] enabled = truesystemctl restart fail2banfail2ban-client status sshd shows banned IPs + stats| Scenario | Config |
|---|---|
| /etc/fail2ban/jail.local (SSH) | [sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600 |
| Custom filter for nginx login | # /etc/fail2ban/filter.d/nginx-login.conf
[Definition]
failregex = .*POST /login HTTP.* 401
ignoreregex = |
| Enable nginx-login jail | [nginx-login]
enabled = true
port = http,https
filter = nginx-login
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime = 1800 |
| Unban IP manually | fail2ban-client set sshd unbanip 1.2.3.4 |
| Telegram alerts on ban | action = %(action_mwl)s + telegram-action # custom action |
To set up Fail2Ban for brute-force defense, install it using your package manager (e.g., sudo apt install fail2ban on Ubuntu). Configure the jail settings in /etc/fail2ban/jail.local to specify monitored services and ban durations. Start the service with sudo systemctl start fail2ban and enable it at boot using sudo systemctl enable fail2ban. Regularly check logs with fail2ban-client status to monitor activity.
Fail2Ban is a powerful tool designed to prevent brute-force attacks by monitoring log files and banning IP addresses that exhibit suspicious behavior. To install Fail2Ban, follow these steps:
Update your package index by running:
sudo apt updateInstall Fail2Ban using your package manager:
sudo apt install fail2banOnce installed, check that Fail2Ban is active by running:
sudo systemctl status fail2banUpon successful installation, Fail2Ban will start with a default configuration that monitors several services, including SSH. However, to tailor it to your specific needs, you should create a local configuration file.
To do this:
Copy the default configuration file to create a local configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localEdit the local configuration file using your preferred text editor:
sudo nano /etc/fail2ban/jail.localIn the jail.local file, you can enable or disable jails for specific services. For example, to enable SSH protection, ensure the following section is uncommented:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 600Here, maxretry specifies the number of failed login attempts before an IP is banned, and bantime defines how long the ban lasts in seconds (600 seconds equals 10 minutes).
After saving your changes, restart the Fail2Ban service to apply the new settings:
sudo systemctl restart fail2banThe tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeYes, if your iptables/nftables v6 support is enabled. <code>fail2ban-client status</code> shows mixed v4/v6 bans.
Theoretically yes if maxretry is low. Mitigation: sensible maxretry (3-5), bantime not too long (1-24 h), ignoreip for known IPs.
CrowdSec — modern alternative with community threat feed. Fail2Ban still simpler for single-server setups.
<code>fail2ban-client status [jail]</code> or parse <code>/var/log/fail2ban.log</code>. For Enterno <a href="/en/security">Security Scanner</a> shows security posture.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.