fail2ban-setup

Configure fail2ban to automatically protect servers against brute-force attacks by banning malicious IP addresses.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "fail2ban-setup" with this command: npx skills add mikr13/secure-server-setup-skills/mikr13-secure-server-setup-skills-fail2ban-setup

Fail2ban Setup Skill

Configure fail2ban to automatically protect servers against brute-force attacks by banning malicious IP addresses.

What This Skill Does

This skill helps AI agents install and configure fail2ban on VPS servers. Even with SSH keys configured, bots will constantly hammer your server with login attempts. Fail2ban monitors log files and automatically bans IP addresses that show malicious behavior, such as too many password failures.

Key capabilities:

  • Install fail2ban package

  • Configure SSH brute-force protection

  • Set ban times and retry thresholds

  • Create custom jails for different services

  • Monitor and manage banned IPs

  • Integrate with UFW/iptables firewall

When to Use

Use this skill when you need to:

  • Protect SSH from brute-force attacks

  • Reduce server load from automated login attempts

  • Automatically block malicious IPs

  • Complement SSH hardening and firewall configuration

  • Monitor authentication logs for suspicious activity

  • Protect web applications from abuse

Critical understanding: Three failed attempts in 10 minutes = banned for an hour. This drastically reduces brute-force attack effectiveness.

Prerequisites

  • Root or sudo access to the server

  • Ubuntu, Debian, or RHEL-based Linux distribution

  • SSH access to the server

  • Firewall configured (UFW or iptables)

  • Services to protect (SSH, web server, etc.) running and logging

Fail2ban Installation

Ubuntu/Debian

sudo apt update sudo apt install fail2ban -y

CentOS/RHEL

sudo yum install epel-release -y sudo yum install fail2ban -y

Verify Installation

sudo systemctl status fail2ban

Basic Configuration

Step 1: Create Local Configuration

CRITICAL: Never edit jail.conf directly. It gets overwritten on updates!

Create a local configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the local configuration:

sudo nano /etc/fail2ban/jail.local

Step 2: Configure Global Settings

Find and update these settings in jail.local :

[DEFAULT]

Ban time in seconds (1 hour)

bantime = 3600

Find time window (10 minutes)

findtime = 600

Number of failures before ban

maxretry = 3

Destination email for notifications (optional)

destemail = admin@example.com

Sender email

sendername = Fail2Ban

Email action

action = %(action_)s

Or with email: %(action_mwl)s

Step 3: Configure SSH Protection

Find the [sshd] section and configure:

[sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 3600 findtime = 600

For custom SSH port:

[sshd] enabled = true port = 2222 filter = sshd logpath = /var/log/auth.log maxretry = 3

Step 4: Enable and Start Fail2ban

sudo systemctl enable fail2ban sudo systemctl start fail2ban

Verify it's running:

sudo systemctl status fail2ban

Advanced Configuration

Multiple Service Protection

Add jails for other services in /etc/fail2ban/jail.local :

Nginx/Apache (HTTP Auth):

[nginx-http-auth] enabled = true port = http,https filter = nginx-http-auth logpath = /var/log/nginx/error.log maxretry = 3

[apache-auth] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 3

WordPress:

[wordpress-auth] enabled = true port = http,https filter = wordpress-auth logpath = /var/log/auth.log maxretry = 3

FTP:

[proftpd] enabled = true port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 3

Custom Ban Times

Different ban times for different severity:

[sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 3600 # 1 hour findtime = 600 # 10 minutes

[sshd-aggressive] enabled = true port = ssh filter = sshd-aggressive logpath = /var/log/auth.log maxretry = 1 bantime = 86400 # 24 hours findtime = 3600 # 1 hour

Permanent Bans

For repeated offenders:

[recidive] enabled = true filter = recidive logpath = /var/log/fail2ban.log bantime = 604800 # 1 week findtime = 86400 # 1 day maxretry = 3

Whitelist IPs

Never ban trusted IPs:

[DEFAULT] ignoreip = 127.0.0.1/8 ::1 203.0.113.10 192.168.1.0/24

Email Notifications

Enable email alerts:

[DEFAULT] destemail = admin@example.com sendername = Fail2Ban mta = sendmail

Action with email

action = %(action_mwl)s

Fail2ban Management

Check Status

Overall status

sudo fail2ban-client status

Specific jail status

sudo fail2ban-client status sshd

View Banned IPs

List banned IPs for SSH

sudo fail2ban-client status sshd

List all banned IPs

sudo fail2ban-client banned

Unban IP Address

Unban specific IP from specific jail

sudo fail2ban-client set sshd unbanip 203.0.113.100

Unban from all jails

sudo fail2ban-client unban 203.0.113.100

Manually Ban IP

sudo fail2ban-client set sshd banip 203.0.113.100

Test Filter

Test if a filter matches log lines:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Monitoring and Logs

Fail2ban Logs

View fail2ban log

sudo tail -f /var/log/fail2ban.log

View recent bans

sudo grep "Ban" /var/log/fail2ban.log

View unbans

sudo grep "Unban" /var/log/fail2ban.log

Check Firewall Rules

Fail2ban adds rules to iptables/UFW:

View iptables rules

sudo iptables -L -n

View fail2ban chains

sudo iptables -L fail2ban-sshd -n

View UFW status

sudo ufw status numbered

Statistics

Count bans by jail

sudo fail2ban-client status | grep "Jail list"

Count current bans

sudo fail2ban-client status sshd | grep "Currently banned"

Total bans

sudo fail2ban-client status sshd | grep "Total banned"

Configuration Files

Main Configuration Files

/etc/fail2ban/fail2ban.conf # Main fail2ban configuration /etc/fail2ban/fail2ban.local # Local fail2ban config (create if needed) /etc/fail2ban/jail.conf # Default jail configurations (don't edit!) /etc/fail2ban/jail.local # Local jail overrides (edit this!) /etc/fail2ban/jail.d/ # Additional jail configs

Filters and Actions

/etc/fail2ban/filter.d/ # Log file filters /etc/fail2ban/action.d/ # Ban actions (iptables, ufw, etc.) /var/log/fail2ban.log # Fail2ban log file

Creating Custom Filters

Create a custom filter for your application:

  • Create filter file /etc/fail2ban/filter.d/myapp.conf :

[Definition] failregex = ^.Failed login attempt from <HOST>.$ ^.Invalid user . from <HOST>.*$ ignoreregex =

  • Create jail in /etc/fail2ban/jail.local :

[myapp] enabled = true port = 8080 filter = myapp logpath = /var/log/myapp/access.log maxretry = 5 bantime = 3600

  • Test the filter:

fail2ban-regex /var/log/myapp/access.log /etc/fail2ban/filter.d/myapp.conf

  • Reload fail2ban:

sudo systemctl reload fail2ban

Restart and Reload

Restart Service

Restart fail2ban

sudo systemctl restart fail2ban

Check status

sudo systemctl status fail2ban

Reload Configuration

Reload without restarting (keeps existing bans)

sudo fail2ban-client reload

Reload specific jail

sudo fail2ban-client reload sshd

Security Best Practices

  • Start with conservative settings - Don't ban too aggressively

  • Whitelist trusted IPs - Add your office/home IP to ignoreip

  • Monitor logs - Regularly check /var/log/fail2ban.log

  • Test filters - Use fail2ban-regex to test before deploying

  • Combine with SSH hardening - Fail2ban is not a replacement for proper SSH config

  • Set reasonable ban times - Too short is ineffective, too long may ban legitimate users

  • Enable recidive jail - Catch repeated offenders

  • Keep fail2ban updated - Update regularly for new attack patterns

Troubleshooting

Fail2ban Not Starting

Check for syntax errors

sudo fail2ban-client -t

View error logs

sudo journalctl -u fail2ban -n 50

Check configuration

sudo fail2ban-client -d

Jails Not Working

Check jail status

sudo fail2ban-client status

View jail configuration

sudo fail2ban-client get sshd maxretry sudo fail2ban-client get sshd bantime

Test filter against log

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Log File Not Found

Check log paths in jail configuration:

Ubuntu/Debian SSH logs

/var/log/auth.log

CentOS/RHEL SSH logs

/var/log/secure

Nginx logs

/var/log/nginx/error.log /var/log/nginx/access.log

Accidentally Banned

Unban your IP

sudo fail2ban-client set sshd unbanip YOUR.IP.ADDRESS

Or stop fail2ban temporarily

sudo systemctl stop fail2ban

Common Mistakes to Avoid

  • ❌ Editing jail.conf instead of creating jail.local

  • ❌ Not whitelisting your own IP address

  • ❌ Setting maxretry too low (banning legitimate users)

  • ❌ Not testing filters before deployment

  • ❌ Forgetting to restart after configuration changes

  • ❌ Using fail2ban as sole security measure (combine with other hardening!)

  • ❌ Not monitoring fail2ban logs

Additional Resources

See references/fail2ban-filters.md for common filter patterns.

See scripts/setup-fail2ban.sh for automated setup script.

Related Skills

  • ssh-hardening

  • Harden SSH before adding fail2ban

  • firewall-configuration

  • Fail2ban works with UFW/iptables

  • auto-updates

  • Keep fail2ban updated

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

ssh-hardening

No summary provided by upstream source.

Repository SourceNeeds Review
78-mikr13
General

firewall-configuration

No summary provided by upstream source.

Repository SourceNeeds Review
21-mikr13
General

auto-updates

No summary provided by upstream source.

Repository SourceNeeds Review
10-mikr13
General

Pdf To Markdown

PDF转Markdown工具。PDF文本转Markdown、表格识别转换、关键信息提取、格式美化修复、内容摘要、文档对比。PDF to Markdown converter with table recognition, info extraction, formatting, summarization, do...

Registry SourceRecently Updated
1910ckchzh