Password Brute‑Force Protection with Fail2ban

If you log in to the server with a password, attackers may try to guess it automatically — this is called a brute‑force attack. The best protection is to use key‑based authentication (no password). But if for some reason you still use a password, you should add extra safeguards. One of the simplest and most effective tools for this is Fail2ban.

Fail2ban is a program that monitors logs (records of server activity). If someone attempts to log in too many times in a row and fails, Fail2ban automatically blocks their IP address for a period of time.


Installing Fail2ban

Ubuntu / Debian:

sudo apt update
sudo apt install fail2ban -y

CentOS / Rocky Linux:

sudo yum update
sudo yum install epel-release
sudo yum install fail2ban

For proper operation, a firewall must be installed. You can install, for example, iptables:

Ubuntu / Debian:

sudo apt install iptables

CentOS / Rocky Linux:

sudo yum install iptables-services

After installation, enable Fail2ban autostart:

sudo systemctl enable fail2ban

On Ubuntu, Fail2ban will immediately protect SSH: by default it blocks an IP for 10 minutes if there have been 5 failed login attempts within 10 minutes.


How to Configure Fail2ban Correctly

The main settings are stored in /etc/fail2ban/jail.conf and are divided into sections.
The [DEFAULT] section sets common rules that apply to all services by default.
Individual services (e.g., SSH, Apache web server, or FTP) have their own parameters in their own sections — such as [sshd], [apache‑auth], [vsftpd], etc.

We do not recommend changing the base settings in this file. Instead, create your own configuration file — jail.local:

sudo nano /etc/fail2ban/jail.local

You can create it empty — Fail2ban will fill in any unspecified options with the defaults.


Example Configuration for SSH Protection

Here is a simple example of a jail.local file:

[DEFAULT]
ignoreip = 123.45.67.89

[sshd]
enabled = true
maxretry = 3
findtime = 120
bantime = 43200

What this means:

  • ignoreip — your “whitelisted” IP address. Fail2ban will never block it, even if you mistype your password. Specify your IP here (if it’s static). You can add multiple addresses separated by spaces.
  • enabled = true — enable protection for SSH.
  • maxretry = 3 — maximum of 3 failed login attempts.
  • findtime = 120 — within the last 120 seconds (2 minutes).
  • bantime = 43200 — block for 12 hours (43200 seconds).

    In other words: if an IP (other than yours) fails to log in 3 times in 2 minutes, it will be blocked for 12 hours.
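To show how maxretry, findtime, bantime and ignoreip interact, here is an added Python model of fail2ban's counting rule replayed over constructed sshd failure lines. It is an illustration written for this page, not fail2ban's own code; the log layout and the addresses in it are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sshd failure lines in a simplified auth.log layout (not from the page).
SAMPLE_LOG = """\
2024-05-01T10:00:00 sshd[101]: Failed password for root from 203.0.113.5 port 50120 ssh2
2024-05-01T10:00:40 sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 50121 ssh2
2024-05-01T10:01:20 sshd[103]: Failed password for root from 203.0.113.5 port 50122 ssh2
2024-05-01T10:01:30 sshd[104]: Failed password for root from 203.0.113.5 port 50123 ssh2
2024-05-01T10:05:00 sshd[105]: Failed password for root from 198.51.100.7 port 40001 ssh2
2024-05-01T10:08:00 sshd[106]: Failed password for root from 198.51.100.7 port 40002 ssh2
2024-05-01T10:11:00 sshd[107]: Failed password for root from 198.51.100.7 port 40003 ssh2
2024-05-01T10:20:00 sshd[108]: Failed password for root from 123.45.67.89 port 30000 ssh2
2024-05-01T10:20:10 sshd[109]: Failed password for root from 123.45.67.89 port 30001 ssh2
2024-05-01T10:20:20 sshd[110]: Failed password for root from 123.45.67.89 port 30002 ssh2
"""

FAIL_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) port")

def simulate_jail(log_text, maxretry=3, findtime=120, bantime=43200, ignoreip=()):
    """Replay failures through fail2ban's counting rule; return (timestamp, ip) bans.

    A ban fires when an IP reaches `maxretry` failures inside the trailing `findtime`
    seconds and lasts `bantime` seconds. Whitelisted and already-banned IPs are skipped.
    """
    window = {}        # ip -> failure epochs still inside the findtime window
    banned_until = {}  # ip -> epoch at which the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp, ip = m.groups()
        ts = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc).timestamp()
        if ip in ignoreip or banned_until.get(ip, 0) > ts:
            continue  # ignoreip entry, or still blocked by the firewall (modelled)
        recent = [t for t in window.get(ip, []) if ts - t < findtime] + [ts]
        if len(recent) >= maxretry:
            bans.append((stamp, ip))
            banned_until[ip] = ts + bantime
            recent = []  # the failure counter is reset once the ban is issued
        window[ip] = recent
    return bans

if __name__ == "__main__":
    # The jail.local values from above, with the same whitelisted address.
    for stamp, ip in simulate_jail(SAMPLE_LOG, ignoreip=("123.45.67.89",)):
        print(f"Ban {ip} at {stamp}")
```

With the jail.local values above, only 203.0.113.5 is banned: 198.51.100.7 fails three times but spreads the attempts 3 minutes apart, so never three inside one 120‑second window, and 123.45.67.89 is whitelisted; with Ubuntu's defaults (5 attempts in 10 minutes) nothing in this sample is banned at all.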

Note

Depending on the system in use, the section might be [sshd], [ssh], or [ssh‑iptables] — confirm this in jail.conf.


Additional Settings

  • If you changed the SSH port (e.g., from 22 to 2222), add to the [sshd] section:

    port = 2222

  • If you use UFW or firewalld instead of iptables, specify:

    • For UFW: action = ufw
    • For firewalld: action = firewallcmd-ipset

But in most cases you can leave everything at the defaults — Fail2ban will choose the appropriate blocking method automatically.


Apply the Settings

After saving the file, restart Fail2ban:

sudo systemctl restart fail2ban

How to Verify Everything Works

  1. Check SSH ban status:

    sudo fail2ban-client status sshd
    
    You’ll see a list of blocked IP addresses.

  2. View Fail2ban logs:

    sudo tail /var/log/fail2ban.log
    

  3. Check iptables blocks (if used):

    sudo iptables -L
    

Tip: Don’t test the protection by deliberately entering a wrong password from your own IP — you might accidentally block yourself! It’s better to wait a bit: bots typically start attacking servers within the first hour after launch.


Note

Fail2ban is an additional safeguard, but it’s best not to use passwords for SSH at all. Set up SSH‑key login — it’s more secure and convenient. Always add your IP to ignoreip so you don’t accidentally block yourself.
