Master Fail2Ban: Step-by-Step Installation, Configuration, and Testing on Linux

This guide walks you through downloading, installing, configuring, and testing Fail2Ban on a Linux system, covering essential parameters, SSH jail setup, custom actions, filter editing, and command‑line utilities for managing bans and logs.

MaGe Linux Operations

Fail2Ban Installation and Configuration Guide

Download the Fail2Ban source package, extract it, and install it using Python:

# wget http://cdnetworks-kr-2.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2
# tar xvfj fail2ban-0.8.4.tar.bz2
# cd fail2ban-0.8.4
# python setup.py install

Copy the init script and enable the service:

# cd files
# cp ./redhat-initd /etc/init.d/fail2ban
# chkconfig --add fail2ban
# service fail2ban start

Note: If iptables is restarted (which flushes its rule set), Fail2Ban must be restarted as well, because the fail2ban-* chains and the rules that jump to them are only created when Fail2Ban starts.

Basic Configuration (fail2ban.conf)

The default fail2ban.conf contains only three parameters:

loglevel = 3 – default log level.
logtarget = /var/log/fail2ban.log – log file location.
socket = /tmp/fail2ban.sock – socket path.

Jail Configuration (jail.conf) – Example for SSH

In jail.conf each service is defined in a section. The [ssh-iptables] section protects SSH via iptables:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
        mail-whois[name=SSH, dest=root]
logpath = /var/log/secure
ignoreip = 127.0.0.1 172.13.14.15
bantime = 600
findtime = 600
maxretry = 3
backend = auto

Key options:

ignoreip – IPs that will never be banned.
bantime – duration of a ban (seconds).
findtime – time window (seconds) in which failures are counted.
maxretry – number of failures allowed within findtime before the IP is banned.

Starting and Testing Fail2Ban

Start the daemon:

/etc/init.d/fail2ban start

Check the status of the SSH jail:

fail2ban-client status ssh-iptables

The command prints the number of currently banned IPs, total bans, and filter statistics.

Runtime Adjustments with fail2ban-client

You can modify parameters without editing files, e.g., extend the ban time to one day (86400 seconds):

fail2ban-client set ssh-iptables bantime 86400

Reload the configuration after editing the files:

fail2ban-client reload

Customizing Actions and Filters

To change how Fail2Ban inserts iptables rules, edit the appropriate action file in action.d. For example, moving the Fail2Ban rule to the second position in the INPUT chain:

iptables -I INPUT 2 -p <protocol> --dport <port> -j fail2ban-<action>

Filters are regular‑expression files located in filter.d. The default sshd.conf contains patterns such as:

[Definition]
# <HOST> marks where the offending address appears; Fail2Ban replaces it with
# a capturing group and every failregex must contain it.
failregex = Authentication failure for .* from <HOST>
           Failed [-/\w]+ for .* from <HOST>
           ROOT LOGIN REFUSED .* FROM <HOST>
           [iI](?:llegal|nvalid) user .* from <HOST>
ignoreregex =

Modify or extend these patterns to match your SSH daemon's log format, and check them against a real log file with the fail2ban-regex utility (for example fail2ban-regex /var/log/secure filter.d/sshd.conf) before enabling the jail; it reports which lines each failregex matched and which addresses were extracted.
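The following Python script is an added example; it is not part of the original guide or of Fail2Ban's own code. It takes the four failregex lines above (with <HOST> translated into a capturing group, as Fail2Ban does internally), runs them over a constructed sample of /var/log/secure lines, and then applies the ignoreip, findtime and maxretry values of the [ssh-iptables] jail to show which address would actually be banned and why the others would not. The host pattern, the sample log lines and the use of each log line's own timestamp as the clock are simplifying assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Added example, not Fail2Ban's code: a dry run of the ssh-iptables jail.

# The failregex lines from the article's sshd.conf.
FAILREGEX = [
    r"Authentication failure for .* from <HOST>",
    r"Failed [-/\w]+ for .* from <HOST>",
    r"ROOT LOGIN REFUSED .* FROM <HOST>",
    r"[iI](?:llegal|nvalid) user .* from <HOST>",
]

# Fail2Ban replaces <HOST> with a group matching an address or hostname.
# This simplified replacement is an assumption of the example, not the
# exact expression Fail2Ban uses.
HOST_RE = r"(?P<host>[\w\-.]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Settings taken from the article's [ssh-iptables] section.
JAIL = {
    "ignoreip": {"127.0.0.1", "172.13.14.15"},
    "findtime": 600,
    "maxretry": 3,
}

# Constructed sample of /var/log/secure lines (syslog format, no year):
# 10.0.0.5 fails three times within two minutes, 10.0.0.9 fails three times
# spread over twenty minutes, and the whitelisted 172.13.14.15 fails four times.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for root from 10.0.0.5 port 5001 ssh2
Mar  1 10:00:40 host sshd[102]: Invalid user admin from 10.0.0.5
Mar  1 10:01:30 host sshd[103]: Failed password for invalid user admin from 10.0.0.5 port 5002 ssh2
Mar  1 10:02:00 host sshd[104]: Accepted publickey for deploy from 10.0.0.7 port 5003 ssh2
Mar  1 10:05:00 host sshd[105]: Failed password for root from 10.0.0.9 port 5004 ssh2
Mar  1 10:16:00 host sshd[106]: Failed password for root from 10.0.0.9 port 5005 ssh2
Mar  1 10:25:00 host sshd[107]: Failed password for root from 10.0.0.9 port 5006 ssh2
Mar  1 10:30:00 host sshd[108]: Failed password for root from 172.13.14.15 port 5007 ssh2
Mar  1 10:30:05 host sshd[109]: Failed password for root from 172.13.14.15 port 5008 ssh2
Mar  1 10:30:09 host sshd[110]: Failed password for root from 172.13.14.15 port 5009 ssh2
Mar  1 10:30:14 host sshd[111]: Invalid user test from 172.13.14.15
"""


def match_failure(line):
    """Return the host of a failed login, or None if no failregex matches.

    Like Fail2Ban, the first matching failregex wins, so a line is never
    counted twice even when several patterns would match it.
    """
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_time(line):
    """Parse the leading 'Mon dd HH:MM:SS' syslog timestamp (year is irrelevant here)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def evaluate_jail(log_text, jail):
    """Return {host: timestamp_of_ban} for hosts that reach maxretry failures
    within findtime seconds, skipping hosts listed in ignoreip.

    Simplification: the log line's timestamp is used as the clock instead of
    wall-clock time, and an already banned host is not counted again.
    """
    window = timedelta(seconds=jail["findtime"])
    failures = {}  # host -> failure times still inside the findtime window
    banned = {}
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None or host in jail["ignoreip"] or host in banned:
            continue
        now = parse_time(line)
        # Drop failures older than findtime, then record the new one.
        recent = [t for t in failures.get(host, []) if now - t <= window]
        recent.append(now)
        failures[host] = recent
        if len(recent) >= jail["maxretry"]:
            banned[host] = line[:15]
    return banned


if __name__ == "__main__":
    for host, when in evaluate_jail(SAMPLE_LOG, JAIL).items():
        print("would ban %s at %s" % (host, when))
```

Running it bans only 10.0.0.5: 10.0.0.9 never accumulates three failures inside one 600-second window, and 172.13.14.15 is ignored regardless of how often it fails. Shortening findtime or raising maxretry in JAIL and re-running shows how the two parameters trade off.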

After the configuration is active, Fail2Ban logs bans and unbans in /var/log/fail2ban.log, showing timestamps, jail names, and affected IP addresses.
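As a further added example (again not the guide's or Fail2Ban's own code), the script below reads Ban and Unban events from fail2ban.log lines and rebuilds which addresses are still banned in each jail and how often each address has been banned, which is useful when reviewing the log after the fact or deciding which repeat offenders deserve the longer bantime set earlier with fail2ban-client. It assumes the 0.8-series line format (date, time, then "fail2ban.actions: WARNING [jail] Ban <ip>"); the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not Fail2Ban's code: summarise Ban/Unban events from fail2ban.log.

# Assumed 0.8-series format of ban/unban lines:
#   2024-03-01 10:01:30,412 fail2ban.actions: WARNING [ssh-iptables] Ban 10.0.0.5
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<ip>\S+)$"
)

# Constructed sample log: one address is banned, released, then banned again;
# the INFO line is unrelated noise that the parser must skip.
SAMPLE_FAIL2BAN_LOG = """\
2024-03-01 10:01:30,412 fail2ban.actions: WARNING [ssh-iptables] Ban 10.0.0.5
2024-03-01 10:01:31,002 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2024-03-01 10:11:30,517 fail2ban.actions: WARNING [ssh-iptables] Unban 10.0.0.5
2024-03-01 10:40:02,101 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2024-03-01 10:55:10,330 fail2ban.actions: WARNING [ssh-iptables] Ban 10.0.0.5
"""


def parse_events(log_text):
    """Yield (timestamp, jail, event, ip) for each Ban/Unban line, ignoring others."""
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("jail"), m.group("event"), m.group("ip")


def active_bans(log_text):
    """Return {jail: {ip: time_of_latest_ban}} for addresses banned and not yet unbanned."""
    active = defaultdict(dict)
    for ts, jail, event, ip in parse_events(log_text):
        if event == "Ban":
            active[jail][ip] = ts
        else:
            active[jail].pop(ip, None)
    return {jail: dict(ips) for jail, ips in active.items()}


def ban_counts(log_text):
    """Return {ip: number_of_bans} across all jails."""
    counts = defaultdict(int)
    for _ts, _jail, event, ip in parse_events(log_text):
        if event == "Ban":
            counts[ip] += 1
    return dict(counts)


def repeat_offenders(log_text, threshold=2):
    """Return addresses banned at least `threshold` times, sorted by count (highest first)."""
    counts = ban_counts(log_text)
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))


if __name__ == "__main__":
    for jail, ips in active_bans(SAMPLE_FAIL2BAN_LOG).items():
        for ip, ts in sorted(ips.items()):
            print("%s: %s banned since %s" % (jail, ip, ts))
    print("repeat offenders:", repeat_offenders(SAMPLE_FAIL2BAN_LOG))
```

On the sample the script reports 203.0.113.7 and 10.0.0.5 as currently banned in ssh-iptables and lists 10.0.0.5 as a repeat offender; pointing it at the real /var/log/fail2ban.log works the same way as long as the line format matches the regular expression above.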

Tags: security, System Administration, iptables, SSH, Fail2Ban
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
