Prerequisites
Before enabling Fail2ban, make sure you have:
- Admin access to HestiaCP
- SSH access to your VPS
What is Fail2ban?
Fail2ban scans log files for failed login attempts and temporarily bans the offending IP addresses, preventing brute-force attacks.
Method 1: Enable via HestiaCP Web Interface
Step 1: Log in to HestiaCP
https://YOUR_SERVER_IP:8083
Step 2: Navigate to SERVER Section
Click on SERVER in the top menu bar.
Step 3: Go to Firewall Tab
Click on the Firewall tab.
Step 4: Enable Fail2ban
Toggle the Fail2ban switch to ON.
Step 5: Configure Settings
Set:
- Max Retries: Number of failed attempts before an IP is banned (default: 5)
- Ban Time: How long the ban lasts, in seconds (default: 3600 = 1 hour)
- Find Time: Time window, in seconds, in which failed attempts are counted (default: 600 = 10 minutes)
Method 2: Enable via SSH
Install Fail2ban if not present:
apt install fail2ban -y
Start the service and enable it at boot:
systemctl start fail2ban
systemctl enable fail2ban
Check status:
systemctl status fail2ban
Configure Fail2ban for HestiaCP
Create local configuration:
nano /etc/fail2ban/jail.local
Add:
[hestia]
enabled = true
port = http,https,8083
filter = hestia
logpath = /var/log/hestia/nginx-error.log
maxretry = 5
bantime = 3600
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
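Before restarting, it is worth confirming that every enabled jail points at a filter and a log file that actually exist, because a jail that names a missing one can keep Fail2ban from starting. The script below is an added example, not part of HestiaCP or Fail2ban; the function name check_jails and the script name are hypothetical, and it assumes plain "key = value" lines with one logpath per jail and filters stored as NAME.conf.

```shell
#!/bin/sh
# Added example (not from HestiaCP or Fail2ban). Assumes plain "key = value"
# lines and a single logpath per jail, as in the jail.local shown above.

# check_jails JAIL_FILE FILTER_DIR
# Prints one line per problem found; returns 0 if none, 1 otherwise.
check_jails() {
    jail_file=$1
    filter_dir=$2
    problems=$(awk -F'=' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function emit() {                      # one record per enabled jail
            if (jail != "" && jail != "DEFAULT" && enabled == "true")
                print jail "|" (filter == "" ? jail : filter) "|" logpath
        }
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {               # start of a new [jail]
            emit()
            jail = trim($0); gsub(/^\[|\]$/, "", jail)
            enabled = ""; filter = ""; logpath = ""
            next
        }
        NF >= 2 {
            key = trim($1); val = trim(substr($0, index($0, "=") + 1))
            if (key == "enabled") enabled = val
            else if (key == "filter") { sub(/\[.*/, "", val); filter = val }
            else if (key == "logpath") logpath = val
        }
        END { emit() }
    ' "$jail_file" | while IFS='|' read -r jail filter logpath; do
        if [ ! -f "$filter_dir/$filter.conf" ]; then
            echo "$jail: filter $filter.conf not found in $filter_dir"
        fi
        if [ -n "$logpath" ] && [ ! -e "$logpath" ]; then
            echo "$jail: logpath $logpath does not exist"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Usage: sh check_jails.sh /etc/fail2ban/jail.local /etc/fail2ban/filter.d
if [ "$#" -eq 2 ]; then
    check_jails "$1" "$2"
fi
```

Fail2ban's own configuration test, fail2ban-client -t, can be run afterwards as a second check.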
Restart Fail2ban:
systemctl restart fail2ban
Verify Fail2ban is Running
fail2ban-client status
Check the status of a specific jail, using the jail name defined in jail.local:
fail2ban-client status ssh
✅ Fail2ban has been enabled successfully!