
Fail2ban installation and configuration: protecting a Linux server from brute force

05.10.2033

Fail2ban is a tool that automatically detects attacking IP addresses and blocks them, temporarily or permanently, via iptables or firewalld. It runs as a background service and continuously monitors log files. If many failed login attempts or suspicious requests come from one IP, Fail2ban blocks that IP. This is a very effective protection method because it works automatically, without human intervention.

What is Fail2ban and how it works

Fail2ban is a small Python program that analyzes log files using regular expressions. For each protected service a separate filter is written that defines which log text counts as a brute force attempt. For example, in the SSH log the string "Failed password for" appears on every failed login attempt. Fail2ban counts such events per IP address and blocks the IP when the threshold is exceeded. The ban duration is configurable, from a few minutes to permanent.

Installation on Ubuntu and Debian

Fail2ban is in the standard repositories of all popular Linux distributions. On Ubuntu and Debian it installs with a single apt command. After installation the service starts automatically and SSH protection is enabled by default. On CentOS, AlmaLinux or Rocky Linux the package is installed with yum or dnf, but you may first need to add the EPEL repository. After installation, check the status via systemctl and make sure the service is running.

Jail and filter configuration

In Fail2ban each protected service is called a "jail". All settings are stored in jail.local; it is not recommended to modify the original jail.conf, because it gets overwritten during updates. Each jail specifies the log path, which filter to use, how many attempts are allowed before banning, and the ban duration. The default settings for SSH are adequate, but for services on non-standard ports the jail must be written manually.

Web server and FTP protection

For Nginx and Apache there are ready-made filters that track 404 errors, login attempts and other suspicious activity. For a WordPress site a special filter is written to block brute force against wp-login.php. For ProFTPD, vsftpd and other FTP servers there are ready-made jails that only need to be enabled. For mail servers (Postfix, Dovecot) there are also filters that protect against spam bots.

Sayt.uz practice

On Sayt.uz servers Fail2ban is installed and configured on all client servers by default. After 5 failed attempts on the SSH port the IP is blocked for 24 hours. Jails are also enabled for web and mail services. Clients can see in their client area which IPs are blocked and add a trusted IP to the whitelist if needed. According to our data, after enabling Fail2ban brute force attempts decrease by 95%.
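To make the jail parameters from the configuration section and the 5 attempts / 24 hours policy above concrete, here is an added Python sketch (not code from this article or from the Fail2ban project) that replays constructed sshd log lines through a simplified "Failed password for" filter and applies maxretry, findtime, bantime and an ignoreip whitelist. The hostnames, IP addresses and the log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format; the year is not in the line, so it is assumed).
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:04 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:09 srv sshd[1205]: Failed password for root from 203.0.113.7 port 51144 ssh2
Mar  3 10:00:15 srv sshd[1207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:00:20 srv sshd[1209]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Mar  3 10:00:22 srv sshd[1211]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar  3 10:10:00 srv sshd[1220]: Failed password for root from 192.0.2.9 port 40010 ssh2
Mar  3 10:13:00 srv sshd[1221]: Failed password for root from 192.0.2.9 port 40011 ssh2
Mar  3 10:16:00 srv sshd[1222]: Failed password for root from 192.0.2.9 port 40012 ssh2
Mar  3 10:19:00 srv sshd[1223]: Failed password for root from 192.0.2.9 port 40013 ssh2
Mar  3 10:22:00 srv sshd[1224]: Failed password for root from 192.0.2.9 port 40014 ssh2
"""

# Simplified failregex: the real fail2ban sshd filter covers many more message variants.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>[\d.]+) port \d+"
)


def find_bans(log_text, maxretry=5, findtime=600, bantime=86400, ignoreip=(), year=2024):
    """Replay log lines as a jail would; return {ip: ban_expiry}.
    maxretry failures within findtime seconds ban for bantime seconds;
    ignoreip is the whitelist. Defaults mirror the 5 attempts / 24 h above."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # not a failure line (e.g. "Accepted publickey")
        ip = m.group("host")
        if ip in ignoreip:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ip in bans and ts < bans[ip]:
            continue  # still banned; fail2ban would not see new attempts from it
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans
```

With the defaults, 203.0.113.7 is banned on its fifth failure within 21 seconds, while 192.0.2.9 spreads five failures over 12 minutes and stays below maxretry inside the 10-minute findtime window.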
