How to install and configure Fail2ban for Brute-Force protection

Fail2ban protects your Linux VPS by banning IP addresses that attempt unauthorized access. It scans your VPS log files (for example, /var/log/apache/error_log) to detect suspicious activity such as multiple failed login attempts or exploit scans.

You can also configure Fail2ban to automatically send reports to you and to the administrator of the attacking IP. It includes ready-made filters for various services such as Apache, Courier, SSH, Exim, Postfix, and others.


Installing Fail2ban

AlmaLinux / Rocky Linux / CentOS Stream

  • Step 1: Update your VPS:
    sudo dnf -y update
  • Step 2: Fail2ban is not included in the official repository but is available in EPEL (Extra Packages for Enterprise Linux). Install the EPEL repository:
    sudo dnf -y install epel-release
  • Step 3: Install Fail2ban:
    sudo dnf -y install fail2ban
    If you receive an error, run sudo dnf -y update first.
  • Step 4: Enable Fail2ban to start at boot and start the service:
    sudo systemctl enable fail2ban
    sudo systemctl start fail2ban

Ubuntu / Debian

  • Step 1: Update your VPS:
    sudo apt -y update && sudo apt -y upgrade
  • Step 2: Fail2ban is included in the default Ubuntu repositories:
    sudo apt -y install fail2ban
  • Step 3: Enable and start it:
    sudo systemctl enable fail2ban
    sudo systemctl start fail2ban

Configuring Fail2ban

By default, Fail2ban uses the file /etc/fail2ban/jail.conf. However, updates may overwrite it, so it’s best to create a /etc/fail2ban/jail.local file instead. This file is never overwritten and its settings override jail.conf.

Include only the services that are actually running on your VPS (e.g., Exim or Postfix, not both).

Step 1: Create the configuration file

sudo nano /etc/fail2ban/jail.local

Step 2: Add the following configuration

Copy and edit this example configuration to suit your setup:

[DEFAULT]
# Ban duration in seconds (604800 = 7 days)
bantime = 604800
# Time window in seconds in which maxretry failures lead to a ban (3600 = 1 hour)
findtime = 3600
sender = fail2ban@example.com
destemail = admin@example.com
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 3
ignoreip = your.ip.address

[sshd]
enabled = true
# replace ssh with your configured SSH port
port = ssh

[exim]
enabled = true
filter = exim
logpath = /var/log/exim/mainlog
# cPanel: use /var/log/exim_mainlog
# Debian: /var/log/exim4/mainlog

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath = /var/log/maillog

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/maillog

Edit sender, destemail, and ignoreip according to your needs, and enable only the services you actually use.

If you use Exim, extend the Exim filter:

sudo nano /etc/fail2ban/filter.d/exim.conf

In the [Definition] section, add the following as an additional, indented line under the existing failregex entry:

\[<HOST>\]: 535 Incorrect authentication data

Save and exit (Ctrl + X → Y → Enter).

Finally, restart Fail2ban to apply your changes:

sudo systemctl restart fail2ban

Advanced Configuration: Escalating Ban Times

To avoid permanently banning a legitimate user after a simple mistake, you can configure escalating bans: for example, one hour, then a day, then a week.

  • Create a new filter:
sudo nano /etc/fail2ban/filter.d/f2b-repeat.conf
  • Add the following:
[INCLUDES]
before = common.conf
[Definition]
failregex = (?i)\]\s+ban\s+<HOST>
ignoreregex = (?i)\[f2b-repeat.*\]\s+ban\s+<HOST>
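  • In jail.local, set [DEFAULT] as shown and insert the f2b-repeat jails between [DEFAULT] and [sshd]:
[DEFAULT]
# First ban duration in seconds (3600 = 1 hour)
bantime = 3600
# Time window in seconds in which maxretry failures lead to a ban (86400 = 1 day)
findtime = 86400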
sender = fail2ban@example.com
destemail = admin@example.com
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 3
ignoreip = your.ip.address

[f2b-repeat2]
enabled = true
filter = f2b-repeat
bantime = 86400
findtime = 604800
logpath = /var/log/fail2ban.log
maxretry = 3

[f2b-repeat3]
enabled = true
filter = f2b-repeat
bantime = 604800
findtime = 2592000
logpath = /var/log/fail2ban.log
maxretry = 3

[f2b-repeat4]
enabled = true
filter = f2b-repeat
bantime = 2592000
findtime = 15552000
logpath = /var/log/fail2ban.log
maxretry = 3
  • Create the log file:
sudo touch /var/log/fail2ban.log
  • Restart the service:
sudo systemctl restart fail2ban
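
The following is an added example, not part of the original article or of Fail2ban itself: a simplified Python model of how the f2b-repeat filter reads fail2ban.log and when the f2b-repeat2 jail (findtime 604800, maxretry 3) would fire. The log lines are constructed, the function name repeat_offenders is hypothetical, and <HOST> is replaced by an IPv4-only pattern (the real tag also matches IPv6 addresses and host names).

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for Fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The two expressions from f2b-repeat.conf with <HOST> substituted.
FAILREGEX = re.compile(r"(?i)\]\s+ban\s+<HOST>".replace("<HOST>", HOST))
IGNOREREGEX = re.compile(
    r"(?i)\[f2b-repeat.*\]\s+ban\s+<HOST>".replace("<HOST>", HOST))

# Constructed sample of /var/log/fail2ban.log (documentation addresses).
SAMPLE_LOG = """\
2024-05-01 10:00:00,101 fail2ban.actions [811]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 11:00:00,207 fail2ban.actions [811]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-02 09:30:00,412 fail2ban.actions [811]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-03 08:15:00,033 fail2ban.actions [811]: NOTICE  [exim] Ban 203.0.113.5
2024-05-03 08:15:01,900 fail2ban.actions [811]: NOTICE  [f2b-repeat2] Ban 203.0.113.5
2024-05-03 12:00:00,555 fail2ban.actions [811]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-20 12:00:00,555 fail2ban.actions [811]: NOTICE  [sshd] Ban 198.51.100.7
"""

def repeat_offenders(log_text, findtime=604800, maxretry=3):
    """Return {ip: time of the ban that reaches maxretry within findtime}."""
    hits = defaultdict(list)
    flagged = {}
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(",")
        if IGNOREREGEX.search(rest):    # bans issued by the repeat jails themselves
            continue
        match = FAILREGEX.search(rest)  # "Unban" lines do not match
        if not match:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        ip = match.group("host")
        # Keep only earlier bans that are still inside the findtime window.
        hits[ip] = [t for t in hits[ip]
                    if (when - t).total_seconds() <= findtime]
        hits[ip].append(when)
        if len(hits[ip]) >= maxretry and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: f2b-repeat2 would ban at {when}")
```

In the sample, the third ban of 203.0.113.5 within a week triggers the day-long ban, while the two bans of 198.51.100.7 are 17 days apart and stay below the threshold.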

Additional Filters and Jails

  • List all available filters:
    ls /etc/fail2ban/filter.d/
  • Edit your jail configuration:
    sudo nano /etc/fail2ban/jail.local
  • Add a new jail:
    [apache-auth]
    enabled = true
    filter = apache-auth
    logpath = /var/log/apache2/error.log

The filter value corresponds to the file name in /etc/fail2ban/filter.d/ (without .conf), and logpath specifies the log file Fail2ban will monitor.


Useful Commands

  • Check Fail2ban status:
    sudo fail2ban-client status
  • View logs:
    sudo cat /var/log/fail2ban.log
  • Verify service status:
    sudo systemctl status fail2ban
  • Restart after configuration changes:
    sudo systemctl restart fail2ban

Manually Banning or Unbanning IPs

  • Ban IP:
    sudo fail2ban-client set JAIL banip xxx.xxx.xxx.xxx
  • Unban IP:
    sudo fail2ban-client set JAIL unbanip xxx.xxx.xxx.xxx
  • List available jails:
    sudo fail2ban-client status

The installation and configuration of Fail2ban on your VPS is now complete! Your system is now protected against brute-force and unauthorized login attempts.

