Back to Posts


Posted in Defense

Networks Engineered to Exploit.
- Windows/UNIX - Domains/Subnets - Initial/Post/Lateral - Low Cost VPN Ranges -

Fail2ban Quick Guide

Fail2ban is an excellent tool to protect your webserver from brute force attacks - and it’s a definite must if you allow password authentication through ssh. It’ll monitor various log files on your system, the use your firewall to “jail” or temporarily ban an IP.

It’s also beneficial to stop distributed brute force attacks that may bog down your lightweight VPS. Installation and configuration is fairly straight forward.

Fail2ban homepage

Installation on CentOS

root@centos:~# rpm -Uvh \
root@centos:~# yum install fail2ban


root@ubuntu:~# apt-get install fail2ban

Once installed, make a copy of the config file and edit.

root@centos:~# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
root@centos:~# nano /etc/fail2ban/jail.local

The config file is mostly self-explanatory. Make sure to go over the entire config file, but I’ll explain the important bits below.

ignoreip = #Acts as a whitelist - you may also add any trusted IPs here.
bantime = 4000 #how many seconds will the IP be banned for.
maxretry = 4 #how many tries will IP get before being banned.

Lastly, to protect against any ssh brute force attempts the [ssh] section can be edited. The default config works out of the box, but check it over, especially if your ssh log file directory is non-default.

Restart after editing the config file.

root@centos:~# service fail2ban restart

You can check the fail2ban log and your iptables for banned ip’s…

root@centos:~# sudo zgrep 'Ban:' /var/log/fail2ban.log*
root@centos:~# iptables -L INPUT -v -n

Keep in mind fail2ban temporarily bans ip’s, so you may see conflicting results when looking in the ssh log, iptables fail2ban log, etc.

Custom Cyber Ranges >>

Read Next