Fail2ban – block failed login attempts

Fail2ban is a log parsing application that monitors system logs for symptoms of an automated attack on your server. If you pay attention to application logs for these services, you will often see repeated, systematic login attempts that represent brute force attacks by users and bots alike. Use this to block failed login attempts.

Fail2ban will add a new rule to iptables, thus blocking the IP address of the attacker, either for a set amount of time or permanently. Fail2ban will also alert you through email that an attack is occurring.

fail2ban block failed login attempt

block failed login attempt

The fail2ban package is available under Debian/unstable and also as a download for other Linux systems.

Installing Fail2ban on CentOS 7

Ensure your system is up to date and install the EPEL repository:

# yum update && yum install epel-release
# yum install fail2ban

This will be installed fail2ban and will be running as a daemon. However, you might want to edit the configuration file and stop/start the daemon to get it running how you want. The configuration file can be found at /etc/fail2ban.conf.
Install Sendmail if you are looking email support to send alerts.

# yum install sendmail

Start and enable Fail2ban

# systemctl start fail2ban
# systemctl enable fail2ban

For Sendmail

# systemctl start sendmail
# systemctl enable sendmail


Installing Fail2ban on Debian / Ubuntu

Make sure all are up to date.

# apt-get update && apt-get upgrade -y
# apt-get install fail2ban

The service will automatically start.
fail2ban will monitor the auth.log file for failed access attempts. As soon as the daemon is running your ssh port (22) will be protected from brute-force attacks – preventing more than a small number of attempts at one time.

Actions taken by the daemon are logged by default in /var/log/fail2ban.log


Configure fail2ban

Most entries don’t need to be changed but there are a few that you might want to edit. The DEFAULT settings apply to all sections:


maxfailures = 3
bantime = 900
findtime = 600

Needs to be set to true if you want to receive emails.


enabled = true
to = [email protected]

If you want to monitor apache logs,


enabled = false

fail2ban will monitor the auth.log file for failed access attempts.


enabled = true
logfile = /var/log/auth.log


To customize the configuration file, check the fail2ban documentation.