When you configure a new server Fail2ban is a must-have tool to secure your VPS.
Fail2Ban scans log files and bans IPs that show the malicious signs (e.g. too many password failures, seeking for exploits, etc..). This tool update your firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured.
Update the system, install EPEL repository and Fail2Ban:
yum update && yum install epel-release yum install fail2ban
Update the system and install Fail2Ban:
apt-get update && apt-get upgrade -y sudo apt-get install fail2ban
.confconfiguration files first, then
.local files override any settings. So the best way is edit the local configuration to override the defailt settings.
- Create a new local config file starting from the default one:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
If using CentOS change the backend option in
jail.localfrom auto to systemd. This is not necessary on Debian:
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". backend = systemd
The most important info that you can configure are inside the section
[sshd] enabled = true # "bantime" is the number of seconds that a host is banned. bantime = 3600 # ssh port port = 22 # "maxretry" is the number of failures before a host get banned. maxretry = 6
systemctl enable fail2ban systemctl start fail2ban
service fail2ban restart
To check the status of the Fail2Ban jails:
The result should be like this:
Status |- Number of jail: 1 `- Jail list: sshd
If you want to see banned IPs in sshd jail:
fail2ban-client status sshd
In order to add/remove an IP address from the banned list use the following commands replacing IPADDRESS with the IP which needs unbanning, and the name “sshd” with name of the jail (in this case the “sshd” jail that we configured above):
fail2ban-client set sshd banip IPADDRESS fail2ban-client set sshd unbanip IPADDRESS