Introduction
Fail2ban scans logs and bans IPs that repeatedly fail authentication. It is essential for any publicly accessible VPS.
1. Installation
On Ubuntu: sudo apt install fail2ban -y. On RHEL: enable EPEL first.
2. Basic Configuration
Copy /etc/fail2ban/jail.conf to jail.local. Enable the SSH jail.
3. Custom SSH Jail
Set port = 50222, maxretry = 3, bantime = 3600.
4. Protect Web Applications
Create a custom filter for WordPress login attempts using failregex.
5. Protect MySQL
Enable [mysqld-auth] jail; ensure error logging is active.
6. Protect FTP (vsftpd)
Enable [vsftpd] jail and check log path.
7. Protect Mail Servers
Jails [postfix] and [dovecot] cover SMTP and IMAP authentication.
8. Custom Jails
Create /etc/fail2ban/filter.d/myapp.conf for your own application logs.
9. Actions: Email and Webhooks
Set action = %(action_mwl)s to receive email notifications on bans.
10. Persistent Bans
Enable SQLite database with dbfile in fail2ban.conf.
11. Recidive Jail
Add [recidive] to permanently ban repeat offenders.
12. Monitoring Fail2ban
Check a jail with sudo fail2ban-client status sshd. View its banned IPs with iptables -L f2b-sshd -n.
13. Tuning for High Traffic
Increase maxretry, and switch to banaction = iptables-ipset when a jail holds many bans.
14. Whitelisting Trusted IPs
Use ignoreip = 192.168.1.0/24 to avoid banning yourself.
15. Testing with fail2ban-regex
fail2ban-regex /var/log/auth.log 'Failed password for .* from .
16. Cloudflare Integration
Use a custom action to ban via Cloudflare API (preserve real visitor IP).
17. Logwatch for Summaries
Install logwatch to receive daily reports of banned IPs.
18. Avoid False Positives
Fine‑tune findtime and maxretry for your traffic patterns.
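As an added illustration (not from this guide and not Fail2ban's own code), the following Python script models the counting rule behind findtime, maxretry and bantime from sections 3 and 18, using a stand-in failregex like the one in section 15 and the ignoreip network from section 14, run over a constructed auth.log sample; parse_failures and simulate_jail are hypothetical names.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sshd lines in auth.log syslog style (a made-up sample, not from a real host).
SAMPLE_LOG = """\
Mar  1 10:00:01 vps sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:05 vps sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  1 10:00:09 vps sshd[1003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:20 vps sshd[1004]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  1 10:20:00 vps sshd[1005]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  1 10:40:00 vps sshd[1006]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Mar  1 10:40:30 vps sshd[1007]: Accepted password for alice from 198.51.100.7 port 40004 ssh2
"""
# Stand-in for a jail's failregex, with Fail2ban's <HOST> tag expanded to an IPv4 group.
FAILREGEX = re.compile(r"Failed password for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3})")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")


def parse_failures(log_text, year=2024):
    """Return [(timestamp, host)] for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m, ts = FAILREGEX.search(line), TIMESTAMP.match(line)
        if m and ts:  # syslog lines carry no year, so one is supplied
            when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((when, m.group("host")))
    return hits


def simulate_jail(failures, maxretry=3, findtime=600, bantime=3600, ignoreip=("192.168.1.0/24",)):
    """Model Fail2ban's counting rule: a host is banned once it accumulates maxretry
    matches inside a findtime-second window. Returns {host: (ban_start, ban_end)}."""
    trusted = [ipaddress.ip_network(net) for net in ignoreip]
    recent, bans = {}, {}
    for when, host in sorted(failures):
        if host in bans or any(ipaddress.ip_address(host) in net for net in trusted):
            continue
        # Drop failures that aged out of the findtime window, then count this one.
        kept = [t for t in recent.get(host, []) if when - t <= timedelta(seconds=findtime)]
        kept.append(when)
        recent[host] = kept
        if len(kept) >= maxretry:
            bans[host] = (when, when + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("findtime=600 :", simulate_jail(fails))                  # bans only 203.0.113.5
    print("findtime=3600:", simulate_jail(fails, findtime=3600))   # also bans alice's host
```

With findtime = 600 only the burst from 203.0.113.5 is banned, while alice's three typos spread over 40 minutes are not; raising findtime to 3600 would ban her too, which is the false positive that tuning findtime and maxretry together avoids.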
19. Fail2ban and Hostxpeed DDoS
Fail2ban handles application‑layer attacks; Hostxpeed protects volumetric DDoS.
20. Regular Updates
Keep fail2ban and its filters updated via package manager.
Conclusion
Fail2ban dramatically reduces brute‑force risks. Start with SSH, then add web and mail jails.