Linux on Personal Blogs for Fernwehhttps://blog.codeglimpse.top/en/tags/linux/Recent content in Linux on Personal Blogs for FernwehHugo -- gohugo.ioenWed, 01 Apr 2026 15:00:00 +0800Protect Your Linux Server with Fail2banhttps://blog.codeglimpse.top/en/p/protect-your-linux-server-with-fail2ban/Wed, 01 Apr 2026 15:00:00 +0800https://blog.codeglimpse.top/en/p/protect-your-linux-server-with-fail2ban/<h2 id="what-is-fail2ban">What is Fail2ban? </h2><p>Fail2ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It works by scanning log files (e.g., <code>/var/log/auth.log</code>) and banning IP addresses that show malicious signs, such as too many password failures, seeking for exploits, etc.</p> <h2 id="installing-fail2ban">Installing Fail2ban </h2><p>Choose the installation method according to your Linux distribution.</p> <h3 id="1-using-package-manager">1. Using Package Manager </h3><h4 id="debian--ubuntu">Debian / Ubuntu </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt update </span></span><span class="line"><span class="cl">sudo apt install fail2ban </span></span></code></pre></td></tr></table> </div> </div><h4 id="centos--rhel-using-yum-or-dnf">CentOS / RHEL (Using yum or dnf) </h4><p>On CentOS/RHEL, you typically need to install the EPEL repository first:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># CentOS 7</span> </span></span><span class="line"><span class="cl">sudo yum install epel-release </span></span><span class="line"><span class="cl">sudo yum install fail2ban </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># CentOS 8 / RHEL 8 / Fedora (Using dnf)</span> </span></span><span class="line"><span class="cl">sudo dnf install epel-release </span></span><span class="line"><span class="cl">sudo dnf install fail2ban </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-from-source-targz">2. From Source (tar.gz) </h3><p>If you need a specific version or your distribution doesn&rsquo;t provide a package, you can install from source:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Download source (replace with the latest version link)</span> </span></span><span class="line"><span class="cl">wget https://github.com/fail2ban/fail2ban/archive/refs/tags/1.0.2.tar.gz </span></span><span class="line"><span class="cl">tar -xvzf 1.0.2.tar.gz </span></span><span class="line"><span class="cl"><span class="nb">cd</span> fail2ban-1.0.2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Install</span> </span></span><span class="line"><span class="cl">sudo python3 setup.py install </span></span></code></pre></td></tr></table> </div> </div><p><em>Note: Source installation typically requires manual configuration of systemd service files and log paths.</em></p> <p>After installation, it is recommended to set Fail2ban to start on boot:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl <span class="nb">enable</span> fail2ban </span></span><span class="line"><span class="cl">sudo systemctl start fail2ban </span></span></code></pre></td></tr></table> </div> </div><h2 id="configuring-fail2ban">Configuring Fail2ban </h2><p>The default configuration file for Fail2ban is <code>/etc/fail2ban/jail.conf</code>. However, it&rsquo;s not recommended to modify this file directly, as it may be overwritten during package upgrades. Instead, you should create a local configuration file, <code>/etc/fail2ban/jail.local</code>, or new <code>.conf</code> files in the <code>/etc/fail2ban/jail.d/</code> directory to override the defaults.</p> <h3 id="create-a-local-configuration-file">Create a Local Configuration File </h3><p>First, copy <code>jail.conf</code> to <code>jail.local</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local </span></span></code></pre></td></tr></table> </div> </div><p>Now you can safely edit the <code>jail.local</code> file.</p> <h3 id="configure-ssh-protection">Configure SSH Protection </h3><p>Open the <code>/etc/fail2ban/jail.local</code> file and find the <code>[sshd]</code> section. You can customize the following parameters as needed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[sshd]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">ssh</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">%(sshd_log)s</span> </span></span><span class="line"><span class="cl"><span class="na">backend</span> <span class="o">=</span> <span class="s">%(sshd_backend)s</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">5</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">10m</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">1d</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>enabled</code>: <code>true</code> enables this jail.</li> <li><code>port</code>: The port for the SSH service.</li> <li><code>logpath</code>: The path to the SSH authentication log file.</li> <li><code>maxretry</code>: The number of failures before a ban is imposed.</li> <li><code>findtime</code>: The time window during which the failures must occur.</li> <li><code>bantime</code>: The duration for which the IP address is banned. <code>1d</code> means one day.</li> </ul> <h3 id="more-practical-scenarios">More Practical Scenarios </h3><p>In addition to SSH, Fail2ban can protect many other services. Add the following to <code>jail.local</code>:</p> <h4 id="nginx-prevention-of-malicious-scans-too-many-404-errors">Nginx Prevention of Malicious Scans (Too many 404 errors) </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[nginx-404]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">http,https</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">nginx-404</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/nginx/access.log</span> </span></span><span class="line"><span class="cl"><span class="na">findtime</span> <span class="o">=</span> <span class="s">600</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">5</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">1h</span> </span></span></code></pre></td></tr></table> </div> </div><p><em>Note: This requires you to define an <code>nginx-404.conf</code> filter under <code>/etc/fail2ban/filter.d/</code>.</em></p> <h4 id="mysqlmariadb-protection">MySQL/MariaDB Protection </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[mariadb-jail]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">3306</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">mysqld-auth</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/mysql/error.log</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">3</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="common-fail2ban-management-commands">Common Fail2ban Management Commands </h2><p><code>fail2ban-client</code> is the primary tool for managing Fail2ban.</p> <h3 id="1-check-status">1. Check Status </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check overall service running status</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client ping </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check the list of enabled jails</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check detailed status of a specific jail (e.g., sshd)</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client status sshd </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-manage-banned-ips">2. Manage Banned IPs </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Manually ban an IP (in the sshd jail)</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> sshd banip 1.2.3.4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Manually unban an IP</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client <span class="nb">set</span> sshd unbanip 1.2.3.4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Unban an IP from all jails</span> </span></span><span class="line"><span class="cl">sudo fail2ban-client unban 1.2.3.4 </span></span></code></pre></td></tr></table> </div> </div><h3 id="3-reload-configuration">3. Reload Configuration </h3><p>When you modify <code>.local</code> files or filters, you can apply changes without restarting the entire service:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo fail2ban-client reload </span></span></code></pre></td></tr></table> </div> </div><h2 id="faq--tips">FAQ &amp; Tips </h2><ul> <li><strong>Whitelist</strong>: Set <code>ignoreip = 127.0.0.1/8 ::1 &lt;Your Fixed IP&gt;</code> in the <code>[DEFAULT]</code> section to prevent locking yourself out.</li> <li><strong>Persistence</strong>: By default, bans expire after a service restart. For persistence, you can configure database storage.</li> <li><strong>Email Notifications</strong>: Fail2ban supports sending email alerts to administrators when an IP is banned.</li> </ul> <h2 id="summary">Summary </h2><p>Fail2ban is a simple yet effective tool that adds a significant layer of security to your server. With proper configuration, you can greatly reduce the risk of brute-force attacks.</p>