How to Install Fail2Ban to Protect Your Linux Server? (Configuration Example)

Three-step method to install and configure Fail2Ban: first use apt to install and enable the service; then securely configure SSH protection through jail.local (enable, set maxretry=3, bantime=1h, findtime=10m, ignoreip including local IP); finally restart the test to avoid locking up due to direct changes to jail.conf or missing ignoreip.

Fail2Ban is a powerful intrusion prevention tool that monitors log files for suspicious activity and automatically blocks malicious IP addresses using firewall rules. Installing and configuring it on your Linux server is straightforward — here's how to do it with a practical, working example.

Install Fail2Ban on Debian/Ubuntu

On Debian-based systems, run:

 sudo apt update && sudo apt install fail2ban -y

That's it — the package includes default configs and starts the service automatically. You can verify it's running with:

 sudo systemctl status fail2ban

Configure Fail2Ban Safely (Don't Lock Yourself Out)

Never edit /etc/fail2ban/jail.conf directly — always use jail.local instead. Create or edit it:

 sudo nano /etc/fail2ban/jail.local

Add this minimal but effective setup for SSH protection:

 [sshd]
enabled = true
port=ssh
logpath = %(sshd_log)s
maxretry = 3
bantime=1h
findtime=10m
ignoreip = 127.0.0.1/8 ::1 YOUR_TRUSTED_IP

Replace YOUR_TRUSTED_IP with your own IP (or subnet) to avoid accidental lockout. The settings mean: ban after 3 failed attempts within 10 minutes, for 1 hour.

Enable and Test the Configuration

Restart Fail2Ban to apply changes:

 sudo systemctl restart fail2ban

Check active jails and bans:

• sudo fail2ban-client status — shows enabled jails
• sudo fail2ban-client status sshd — lists banned IPs for SSH
• sudo tail -f /var/log/fail2ban.log — watch real-time events

To test safely, try logging in with wrong credentials from another machine (not your main admin IP). After 3 failures, the IP should appear in the ban list.

Optional: Add Custom Filter for Nginx or Apache

If you run a web server, create a custom filter to block repeated 404s or login brute-forcing. For example, save this as /etc/fail2ban/filter.d/nginx-badbots.conf :

 [Definition]
failregex = ^<HOST>.*"(GET|POST).*HTTP\/[0-9] \.[0-9] " 404
ignoreregex=

Then enable it in jail.local :

 [nginx-badbots]
enabled = true
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry=5
bantime = 1d

This bans IPs hitting 5 non-existent pages in one go — useful against scanners and bots.

Basically just three steps: install, configure jail.local with safe values, then test. It's not complex — but skipping the ignoreip step or editing jail.conf directly is where most people get locked out.

The above is the detailed content of How to Install Fail2Ban to Protect Your Linux Server? (Configuration Example). For more information, please follow other related articles on the PHP Chinese website!