Brute force attacks on SSH, mail and web services are a constant threat to any internet-facing server. Fail2Ban is a lightweight daemon that mitigates them by watching service logs and temporarily banning, at the firewall, any source address that keeps failing to authenticate.
In this guide, we'll walk through the complete installation and configuration of Fail2Ban on a Linux server to protect SSH and Postfix (mail server). We'll also set up email alerts and check that bans survive a service restart.
Prerequisites
- A Linux server (Debian/Ubuntu or CentOS/RHEL)
- Root or sudo access
- SSH access to the server
- (Optional) A mail server (Postfix) if you want to monitor email service
1. Update System Packages
Before installing anything, bring the installed packages up to date:
sudo apt update && sudo apt upgrade -y # For Debian/Ubuntu
# or
sudo yum update -y # For CentOS/RHEL
2. Install Fail2Ban and Dependencies
Install Fail2Ban using your system's package manager. On CentOS/RHEL the package lives in the EPEL repository, so enable that first:
sudo apt install -y fail2ban # Debian/Ubuntu
# or
sudo yum install -y epel-release # CentOS/RHEL: Fail2Ban is packaged in EPEL
sudo yum install -y fail2ban # CentOS/RHEL
3. Create a Local Override Configuration
Fail2Ban uses jails to define which services to monitor. The defaults live in /etc/fail2ban/jail.conf, which the package manager overwrites on upgrade, so never edit that file. Settings placed in /etc/fail2ban/jail.local (or in files under /etc/fail2ban/jail.d/) override the corresponding values in jail.conf, and an override file only needs the keys you want to change. Copying the whole of jail.conf to jail.local also works, but it freezes every upstream default and makes later edits error-prone, so we write a short override instead.
Set Basic Thresholds
Set a 24-hour ban time, a 10-minute find time, and a maximum of 5 failures. A host is banned once it produces maxretry failures within findtime; bantime is how long the ban then lasts. The loopback addresses are listed in ignoreip so Fail2Ban never bans the server itself (add your own admin or VPN address here too, so a typo in your password cannot lock you out):
sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 24h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1
EOF
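To make the three thresholds concrete, here is an added example (not from this page or the Fail2Ban project) that replays the same decision rule over constructed auth.log lines: a host is banned once it has maxretry failures inside a sliding findtime window. The log lines and addresses are made up (RFC 5737 documentation ranges), the timestamp handling assumes all lines fall on one day, and would_ban is my own function name. With findtime 600 only the fast attacker is banned; with findtime 86400 the slow attacker is banned too, which is why raising findtime catches low-and-slow guessing at the cost of more false positives.

```shell
#!/bin/sh
# Offline model of Fail2Ban's findtime/maxretry rule (added example, not Fail2Ban code).

# Constructed sample of /var/log/auth.log lines (syslog format, single day,
# addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG='Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:04 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:00:13 host sshd[1204]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Mar  3 10:00:15 host sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:20 host sshd[1206]: Failed password for root from 203.0.113.7 port 51252 ssh2
Mar  3 10:02:00 host sshd[1210]: Failed password for root from 198.51.100.9 port 50001 ssh2
Mar  3 10:30:00 host sshd[1211]: Failed password for root from 198.51.100.9 port 50002 ssh2
Mar  3 10:45:00 host sshd[1212]: Failed password for root from 198.51.100.9 port 50003 ssh2
Mar  3 11:00:00 host sshd[1213]: Failed password for root from 198.51.100.9 port 50004 ssh2
Mar  3 11:20:00 host sshd[1214]: Failed password for root from 198.51.100.9 port 50005 ssh2'

# would_ban FINDTIME_SECONDS MAXRETRY
# Reads log lines on stdin and prints, in order of banning, each IP that reaches
# MAXRETRY failures within a sliding window of FINDTIME_SECONDS.
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      split($3, t, ":")
      ts = t[1] * 3600 + t[2] * 60 + t[3]     # seconds since midnight (single-day simplification)
      n = ++cnt[ip]; seen[ip, n] = ts           # remember every failure for this IP
      hits = 0
      for (j = 1; j <= n; j++) if (seen[ip, j] > ts - findtime) hits++
      if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Usage: the page's thresholds (findtime 10m = 600s, maxretry 5) ban only the fast attacker.
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 5
```

The slow attacker (198.51.100.9) makes five attempts spread over 78 minutes, so no 600-second window ever holds five failures and it is never banned; replace 600 with 86400 and it is.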
4. Configure Jails for SSH and Postfix
Now create a separate jail file under jail.d for the two services. The filter names, ports and log paths below are the Debian/Ubuntu defaults; on CentOS/RHEL the logs are /var/log/secure and /var/log/maillog, and jail.conf already resolves the right path per distribution, so you can simply omit logpath. If /var/log/auth.log does not exist at all (Debian 12 and other systems without rsyslog), sshd logs only to the journal: drop logpath and set backend = systemd instead. Postfix is given all three SMTP ports because a ban only blocks the ports listed, and password guessing against SMTP AUTH arrives on 587 and 465 as well as 25 (for SASL login failures specifically, also enable the postfix-sasl jail that ships with Fail2Ban):
sudo tee /etc/fail2ban/jail.d/custom.conf << 'EOF'
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

[postfix]
enabled = true
port = smtp,465,submission
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
EOF
Change port = 22 if your sshd listens elsewhere; the ban rules are written for the ports named here.
5. Configure Email Notifications
Fail2Ban sends mail through the program named by mta. With mta = sendmail (used below) it pipes each alert to /usr/sbin/sendmail, which Postfix provides, so that binary is what actually has to exist. mailutils is still handy for testing delivery by hand; check that its mail command is available:
which mail
# Should return: /usr/bin/mail
The action_mwl action also runs whois to include the address owner in the alert, so install the whois package or that section of the mail will be empty.
Then add your email settings to jail.local:
sudo tee -a /etc/fail2ban/jail.local << 'EOF'

[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
action = %(action_mwl)s
sender = fail2ban@yourdomain.com
destemail = admin@yourdomain.com
mta = sendmail
EOF
Replace yourdomain.com and the email addresses with your actual values. If you copied jail.conf to jail.local wholesale instead of writing an override, these keys already exist in its [DEFAULT] section: edit the values in place rather than appending, because Fail2Ban refuses a file that repeats an option within one section.
Two settings often seen in this block are deliberately left out. loglevel belongs in /etc/fail2ban/fail2ban.local, not in a jail file, and DEBUG is far too noisy for a production host. ignoreself = false disables the check that stops Fail2Ban from banning the server's own addresses; leave it at its default of true. On Debian 11+ and RHEL 8+ the kernel firewall is nftables; the iptables-* actions still work through the iptables-nft compatibility layer as long as the iptables package is installed, or you can set banaction = nftables-multiport.
6. Enable and Start Fail2Ban
Enable the service to start on boot and start it now:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban
Restart Fail2Ban to Apply All Changes
After any change to the jail files, restart the service and check the status output and /var/log/fail2ban.log for errors: a configuration mistake prevents the affected jail from starting, which silently leaves that service unprotected.
sudo systemctl restart fail2ban
7. Testing & Monitoring
Simulate a Ban
From a second machine whose address is not in ignoreip, make more than maxretry failed SSH logins within findtime. Keep an existing session open on the server first so a mistake cannot lock you out.
Check Logs
sudo tail -f /var/log/fail2ban.log
View Real-Time Jail Status
sudo fail2ban-client status sshd
The output lists the jail's total and current failures and the currently banned addresses; the test client should appear there.
Unban an IP
sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
Bans do not evaporate on restart: Fail2Ban records them in its SQLite database (dbfile in fail2ban.conf) and restores any that have not expired when the service comes back, logging them as Restore Ban. Entries older than dbpurgeage (1 day by default) are dropped from the database, so if you ever raise bantime beyond 24h, raise dbpurgeage to match or long bans will be lost on the next restart.
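To cross-check fail2ban-client status against the log, here is an added example (my own, not Fail2Ban's tooling) that reads lines in the default fail2ban.log format and reports which addresses are still banned per jail: Ban and Restore Ban lines (the latter written when bans are reloaded from the database after a restart) add an address, Unban lines release it. The sample log lines are constructed, and active_bans and ban_counts are my function names.

```shell
#!/bin/sh
# Summarise ban state from fail2ban.log lines (added example, not part of Fail2Ban).

# Constructed sample in the default fail2ban.log line format.
SAMPLE_F2B_LOG='2024-03-03 10:00:20,123 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2024-03-03 10:00:20
2024-03-03 10:00:20,456 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-03-03 10:05:02,001 fail2ban.actions        [812]: NOTICE  [postfix] Ban 198.51.100.9
2024-03-03 10:06:10,002 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.33
2024-03-03 10:20:00,003 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.33
2024-03-03 10:21:00,004 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 192.0.2.44'

# active_bans: reads fail2ban.log lines on stdin, prints "jail ip" for every address
# that was banned (or restored from the database) and not unbanned later, sorted.
active_bans() {
  awk '
    / (Restore )?Ban / || / Unban / {
      jail = $0
      sub(/^.*\[/, "", jail); sub(/\].*$/, "", jail)   # text inside the last [...] is the jail name
      ip = $NF                                         # the address is always the final field
      if ($0 ~ / Unban /) delete banned[jail, ip]
      else banned[jail, ip] = 1
    }
    END { for (k in banned) { split(k, p, SUBSEP); print p[1], p[2] } }' | LC_ALL=C sort
}

# ban_counts: number of Ban events per jail (restored bans count as bans), sorted.
ban_counts() {
  awk '
    / (Restore )?Ban / {
      jail = $0
      sub(/^.*\[/, "", jail); sub(/\].*$/, "", jail)
      n[jail]++
    }
    END { for (j in n) print j, n[j] }' | LC_ALL=C sort
}

# Usage on the constructed sample: 192.0.2.33 was released, the other three remain banned.
printf '%s\n' "$SAMPLE_F2B_LOG" | active_bans
printf '%s\n' "$SAMPLE_F2B_LOG" | ban_counts
```

On a live host, feed the real file instead: sudo cat /var/log/fail2ban.log | active_bans. Because the state is rebuilt from the log, the list includes bans that expired by bantime without an explicit Unban line only if the log was rotated mid-ban, so treat fail2ban-client status as authoritative and this as a sanity check.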
Optional: Adjust UFW if Installed
If you use ufw and previously rate-limited SSH with ufw limit, that rule overlaps with Fail2Ban's bans and makes troubleshooting confusing. Remove it and allow SSH plainly; deleting by rule specification removes both the IPv4 and IPv6 entries (sudo ufw status numbered lists them if you prefer to delete by number):
sudo ufw delete limit 22/tcp
sudo ufw allow 22/tcp
Also set banaction = ufw in jail.local so that bans are applied as ufw rules rather than as raw iptables rules inserted alongside ufw's own chains.
Summary
Here's what we've accomplished:
- Updated system packages
- Installed and configured Fail2Ban
- Created custom jails for SSH and Postfix
- Set ban time (24h), find time (10m), max retry (5)
- Configured email alerts
- Confirmed that bans persist across restarts and that activity is logged
- Tested the setup
Your server is now better protected against brute force attacks.
Next Steps
- Add additional jails (e.g., nginx-http-auth or apache-auth) if you run web servers
- Whitelist internal or VPN IPs with an ignoreip line in a [DEFAULT] section of /etc/fail2ban/jail.d/whitelist.conf
- Monitor logs regularly for suspicious activity
- Fine-tune thresholds if you experience false positives
Stay safe and secure!