
How to set up Fail2Ban to protect SSH on Linux

Nov 21, 2025 am 01:16 AM

1. Install Fail2Ban using apt or dnf, then start and enable the service.
2. Create jail.local from jail.conf and configure [sshd] with enabled=true, correct logpath, maxretry=3, bantime=3600, findtime=600.
3. Verify with fail2ban-client status sshd and monitor logs to confirm protection against SSH brute-force attacks.

Protecting your SSH service from brute-force attacks is essential when running a Linux server exposed to the internet. Fail2Ban is a powerful tool that monitors log files and automatically blocks suspicious IP addresses using firewall rules. Here's how to set it up to secure SSH on a typical Linux system.

Install Fail2Ban

Most modern Linux distributions include Fail2Ban in their package repositories.

  • On Debian/Ubuntu: sudo apt install fail2ban
  • On CentOS/RHEL/Rocky Linux: sudo dnf install fail2ban (or yum install fail2ban on older versions)

After installation, start and enable the service so it runs at boot:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure Fail2Ban for SSH

Fail2Ban uses configuration files located in /etc/fail2ban/. The main configuration is in jail.conf, but you should avoid editing it directly. Instead, create a local override file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the local file:

sudo nano /etc/fail2ban/jail.local

Find the [sshd] section and ensure it’s enabled:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

Explanation of key options:

  • maxretry: Number of failed attempts before banning (3 is recommended)
  • bantime: How long (in seconds) to block the IP (3600 = 1 hour)
  • findtime: Window in which retries are counted (600 = 10 minutes)
  • logpath: Path to SSH authentication logs (varies by distro; Debian/Ubuntu use /var/log/auth.log, RHEL/CentOS use /var/log/secure)

If you're on a RHEL-based system, set logpath = /var/log/secure.
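
To see how maxretry, findtime and bantime interact, here is an added example (not part of the original article and not Fail2Ban's own code) that applies a simplified version of the jail's counting rule to constructed auth.log lines. The single regex, the assumed year and the sample IP addresses are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [sshd] jail above.
MAXRETRY, FINDTIME, BANTIME = 3, 600, 3600

# One simplified pattern; Fail2Ban's real sshd filter matches many more messages.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Nov 21 01:00:00 host sshd[101]: Failed password for root from 203.0.113.5 port 4000 ssh2
Nov 21 01:00:05 host sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
Nov 21 01:06:00 host sshd[103]: Failed password for root from 203.0.113.5 port 4002 ssh2
Nov 21 01:07:00 host sshd[104]: Accepted publickey for alice from 192.0.2.10 port 4003 ssh2
Nov 21 01:09:30 host sshd[105]: Failed password for root from 203.0.113.5 port 4004 ssh2
Nov 21 01:20:00 host sshd[106]: Failed password for invalid user test from 198.51.100.7 port 4005 ssh2
Nov 21 01:40:00 host sshd[107]: Failed password for invalid user test from 198.51.100.7 port 4006 ssh2
"""

def simulate(log_text, year=2025):
    """Return [(ip, banned_at, unbanned_at)] for every ban the jail would issue."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> time the ban expires
    bans = []
    for line in log_text.splitlines():
        if not (m := FAILED.match(line)):
            continue                # not a failed-password line
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue                # already blocked at the firewall
        window = failures[ip]
        window.append(ts)
        # Drop failures older than findtime relative to this one.
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"ban {ip} at {start:%H:%M:%S}, unban at {end:%H:%M:%S}")
```

On this sample, 203.0.113.5 is banned at 01:09:30 for one hour. 198.51.100.7 also fails three times, but never within one 600-second window, so it is not banned.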

Verify and Monitor Protection

Check if the SSH jail is active:

sudo fail2ban-client status sshd

This shows how many IP addresses are currently banned.

To view recent bans or debug issues:

sudo tail -f /var/log/fail2ban.log

You can also test by intentionally failing SSH login a few times from another machine (not your only access). After three failures, the IP should be blocked.

To unban an IP manually (if needed):

sudo fail2ban-client set sshd unbanip YOUR.IP.ADDRESS.HERE

Fail2Ban works with iptables by default, but supports nftables and firewalld depending on your system. As long as the backend detects your firewall correctly, rules will be applied automatically.

Basically just install, configure the jail.local file, and let Fail2Ban run. It’s simple to set up and dramatically improves SSH security against automated attacks.
