Learn how to protect your Linux server from brute force attacks using Fail2Ban. This guide covers installation and configuration steps for both Debian-derived and RHEL-derived systems.
Publish date: 11/22/2024
Brute force attacks—where attackers systematically try numerous user/password combinations to gain access—are among the most common reasons Linux servers get compromised. And it's actually rather easy to prevent.
From a fundamental level, you'll need to be able to recognize repeated failed login attempts and automatically take certain actions, such as banning the IP address. Otherwise, the attacker can just keep guessing until they get it right. And depending on how good of a password you have, this could take a very little or a very long time.
Anyway, preventing brute force attacks sounds complicated, but with open-source projects like Fail2Ban, it turns into a 15-minute or less job.
That said in this article, we'll dive into what Fail2Ban is, how it integrates with your firewall (such as nftables), and how to set it up on Debian-derived and RHEL-derived systems. We'll also explain how Fail2Ban can protect other services like Nginx, Apache, and WordPress from brute force attacks by monitoring their log files.
First things first:
Fail2Ban is an open-source intrusion prevention software that acts as a protective layer for your Linux server.
It's essentially a security framework that helps protect against automated attacks, particularly brute force attempts, by dynamically monitoring system logs and responding to suspicious activities in real time.
Fail2Ban constantly watches your server's log files, like /var/log/auth.log for SSH attempts and /var/log/apache2/access.log for web server activity. Using regular expressions (regex), it identifies patterns of suspicious behavior such as repeated failed login attempts or unusual access patterns.
When suspicious activity is detected, Fail2Ban takes action through what it calls "jails." Each protected service (like SSH or Apache) has its own jail with specific rules. When triggered, Fail2Ban can automatically create firewall rules to block the offending IP address, send email notifications, and execute other custom actions.
While Fail2Ban isn't a firewall itself, it works with your existing firewall.
Modern Linux distributions use different firewall systems, and Fail2Ban adapts to work with each:
The installation process varies slightly between Debian-derived and RHEL-derived systems.
sudo apt update
sudo apt install fail2ban
sudo dnf update
For RHEL 8 and beyond based distributions, Fail2Ban is available in the default repositories:
sudo dnf install fail2ban
For RHEL 7 and older versions, you may need to enable the EPEL repository:
sudo yum install epel-release
sudo yum install fail2ban
(Though, it may be time to consider upgrading.)
After installing Fail2Ban, you'll need to configure it to suit your server's security needs.
First, make sure you have the required logging system (which may not be included in your distribution template):
# Debian/Ubuntu systems
sudo apt install rsyslog
sudo systemctl enable rsyslog
sudo systemctl start rsyslog
# For RHEL 8/Rocky/Alma
sudo dnf install rsyslog
sudo systemctl enable rsyslog
sudo systemctl start rsyslog
Then it's best practice not to modify the default jail.conf file.
So instead, create a jail.local file:
# For Debian/Ubuntu systems
sudo nano /etc/fail2ban/jail.local
# For RHEL-derived systems
sudo vi /etc/fail2ban/jail.local
Next, we'll need to edit the configuration file using your system's default editor.
For RHEL users not familiar with vi:
i to enter insert modeESC to exit insert mode:wq and press Enter to save and quit:q! to quit without savingAdd these basic settings to your jail.local (editing accordingly):
[DEFAULT]
# IPs to never ban (add your admin IPs here)
ignoreip = 127.0.0.1/8 ::1
# Ban duration (use time units: s=seconds, m=minutes, h=hours, d=days)
bantime = 1d
# Time window for counting failures
findtime = 10m
# Failures before ban
maxretry = 5
# Logs level (can be INFO, WARN, ERROR, CRITICAL)
loglevel = INFO
# Firewall configuration
# For Debian 10+, Ubuntu 20.04+:
banaction = nftables-multiport
# For RHEL 8/9, Rocky Linux, AlmaLinux (uncomment if needed):
# banaction = firewallcmd-multiport
# Email notifications
destemail = [email protected]
sender = [email protected]
sendername = Fail2Ban
mta = sendmail
# Simple notification
action = %(action_mw)s
# Or detailed notification with whois data:
# action = %(action_mwl)s
Note: For Fail2Ban to send you notifications, you need to able to send emails, which some hosts may disable. So double-check.
Next up you'll need to configure Fail2Ban according to what services you want to protect.
Here are a few examples:
[sshd]
enabled = true
port = ssh
filter = sshd
# For Debian/Ubuntu:
logpath = /var/log/auth.log
# For RHEL/CentOS/Rocky/AlmaLinux (uncomment if needed):
# logpath = /var/log/secure
maxretry = 3
Note: When Fail2Ban is installed, it comes with some defaults in jail.conf, so you'll need to make sure there isn't already an existing configuration before adding it in jail.local, for the most part, you don't need to change much for SSH. jail.local is for additional custom configurations.
For Nginx:
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 1d
findtime = 10m
[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 2
bantime = 1d
findtime = 10m
For Apache:
[apache-auth]
enabled = true
port = http,https
# Log path varies by distribution
# For RHEL/CentOS/Rocky/Alma:
logpath = /var/log/httpd/error_log
# For Debian/Ubuntu:
# logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 1d
findtime = 10m
[apache-badbots]
enabled = true
port = http,https
# For RHEL/CentOS/Rocky/Alma:
logpath = /var/log/httpd/access_log
# For Debian/Ubuntu:
# logpath = /var/log/apache2/access.log
maxretry = 2
bantime = 1d
findtime = 10m
Create the WordPress jail configuration:
[wordpress]
enabled = true
filter = wordpress
port = http,https
# If using Nginx
logpath = /var/log/nginx/access.log
# If using Apache (RHEL)
# logpath = /var/log/httpd/access_log
# If using Apache (Debian)
# logpath = /var/log/apache2/access.log
maxretry = 3
findtime = 5m
bantime = 1d
Create the WordPress filter:
# For RHEL-based systems
sudo vi /etc/fail2ban/filter.d/wordpress.conf
# For Debian-based systems
sudo nano /etc/fail2ban/filter.d/wordpress.conf
Add these patterns to detect WordPress login failures:
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php
^<HOST> .* "POST /wordpress/wp-login.php
^<HOST> .* "POST /blog/wp-login.php
^<HOST> .* "POST .*/xmlrpc\.php
ignoreregex =
Apply your new settings by restarting the Fail2Ban service:
sudo systemctl restart fail2ban
To verify that Fail2Ban is active, check the overall status:
sudo fail2ban-client status
You can also check the status of a specific jail:
sudo fail2ban-client status sshd
This will display the number of currently banned IPs and other relevant information.
By intelligently monitoring log files and interacting with your firewall, Fail2Ban provides automated, real-time defense without significant resource consumption and practically eliminates the risk of being compromised by a brute-force attack.
If you ask us, it's certainly worth giving a shot.
For more insights on securing your Linux server, we recommend giving 7 Quick and Easy Ways to Secure SSH on a Linux Server and The 7 Best Linux Firewalls as of 2025 a read.
If you're looking to host on reliable infrastructure, xTom provides a range of solutions including dedicated servers, colocation services, and IP transit.
For affordable, flexible, and scalable virtual private servers, check out V.PS for NVMe-powered VPS hosting.