Brute force attacks on SSH, mail and web services are a constant threat to any internet-facing server. Fail2Ban is a powerful, lightweight tool that helps mitigate these attacks by automatically banning IPs that exhibit malicious behavior.
In this guide, we'll walk through the complete installation and configuration of Fail2Ban on a Linux server to secure SSH and Postfix (mail server). We'll also set up email alerts, test that bans actually happen, and see how bans survive a restart of the service.
🧰 Prerequisites
- A Linux server (Debian/Ubuntu or CentOS/RHEL)
- Root or sudo access
- SSH access to the server
- (Optional) A mail server (Postfix) if you want to monitor email service
🛠️ 1. Update System Packages
Before installing anything, make sure your package manager is up-to-date.
```bash
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
# or
sudo yum update -y                        # CentOS/RHEL
```
📦 2. Install Fail2Ban and Dependencies
Install Fail2Ban using your system's package manager. On CentOS/RHEL the package lives in the EPEL repository, so enable that first:
```bash
sudo apt install -y fail2ban       # Debian/Ubuntu
# or
sudo yum install -y epel-release   # CentOS/RHEL: Fail2Ban ships in EPEL
sudo yum install -y fail2ban
```
📁 3. Create Custom Jail Configuration
Fail2Ban uses jails to define which services to monitor. /etc/fail2ban/jail.conf holds the packaged defaults and is replaced on upgrade, so leave it alone; Fail2Ban reads /etc/fail2ban/jail.local (and then jail.d/*.conf and jail.d/*.local) on top of it, and jail.local should contain only the values you override. Keep jail.conf as the reference for every available option and its default.
Modify Basic Settings
Set a 24-hour ban time, a 10-minute find time, and a maximum of 5 retries. findtime is the window within which maxretry failures must occur to trigger a ban; bantime is how long the resulting ban lasts. Write these keys explicitly rather than patching jail.conf with sed: a substitution silently does nothing if the spacing around `=` differs from the pattern, and findtime = 10m and maxretry = 5 are already the defaults, so in practice only bantime changes here:
```bash
sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime  = 24h
findtime = 10m
maxretry = 5
EOF
```
📄 4. Configure Jails for SSH and Postfix
Now, let's create a separate jail configuration file under jail.d/ (Fail2Ban reads every *.conf and *.local file there). Values set inside a jail override the [DEFAULT] ones, so the maxretry lines below only matter if you want a jail to differ from the default:
```bash
sudo tee /etc/fail2ban/jail.d/custom.conf << 'EOF'
[sshd]
enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

[postfix]
enabled  = true
port     = 25
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5
EOF
```
Two things to check before moving on. First, port controls which ports the ban rule blocks (the iptables-multiport action only drops traffic to the listed ports), so use your real SSH port if it isn't 22, and add 465 and 587 to the postfix jail if clients authenticate on smtps/submission. Second, the log paths above are the Debian/Ubuntu ones; CentOS/RHEL use /var/log/secure and /var/log/maillog. If /var/log/auth.log does not exist at all, sshd is logging only to the systemd journal: either install rsyslog or set backend = systemd in the jail and drop the logpath line. (Debian and Ubuntu also ship /etc/fail2ban/jail.d/defaults-debian.conf, which already enables the sshd jail; enabling it again here is harmless.)
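To see what findtime and maxretry actually decide, here is an added example (mine, not part of the original post and not Fail2Ban's own code) that re-implements the counting rule in awk over a constructed auth.log excerpt: an IP is reported as banned the first time it accumulates maxretry failures inside a sliding findtime window, measured from each new failure backwards. The function and variable names (would_ban, SAMPLE_LOG) are assumptions, and the match pattern is a simplified stand-in for Fail2Ban's sshd failregex.

```bash
#!/usr/bin/env bash
# Added example: a minimal re-implementation of Fail2Ban's findtime/maxretry
# decision over a constructed auth.log excerpt. Not Fail2Ban's own logic.
# Assumption: all lines fall on one day, so HH:MM:SS is enough for the clock.

# Constructed sample log (TEST-NET addresses); not captured from a real host.
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 10:00:01 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 10:00:04 mail sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 10:00:09 mail sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar 10 10:00:15 mail sshd[1207]: Failed password for root from 203.0.113.5 port 51262 ssh2
Mar 10 10:00:22 mail sshd[1209]: Failed password for root from 203.0.113.5 port 51270 ssh2
Mar 10 10:05:00 mail sshd[1301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 10:20:00 mail sshd[1302]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 10 10:35:00 mail sshd[1303]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Mar 10 10:50:00 mail sshd[1304]: Failed password for alice from 198.51.100.7 port 40004 ssh2
Mar 10 11:05:00 mail sshd[1305]: Failed password for alice from 198.51.100.7 port 40005 ssh2
Mar 10 11:06:00 mail sshd[1306]: Accepted publickey for bob from 192.0.2.9 port 40100 ssh2
EOF
)

# would_ban FINDTIME_SECONDS MAXRETRY
# Reads sshd log lines on stdin. Prints "IP count HH:MM:SS" once per IP, at the
# first failure where that IP has >= MAXRETRY failures in the last FINDTIME
# seconds (window inclusive of its oldest edge). Successful logins are ignored.
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
      split($3, t, ":")                     # $3 is the HH:MM:SS field
      ts = t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      n[ip]++
      times[ip, n[ip]] = ts                 # keep every failure time per IP
      cnt = 0
      for (j = 1; j <= n[ip]; j++) if (times[ip, j] >= ts - findtime) cnt++
      if (cnt >= maxretry && !(ip in banned)) {
        banned[ip] = 1
        print ip, cnt, $3
      }
    }'
}

# The guide's settings: findtime = 10m (600 s), maxretry = 5.
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 5
```

With the guide's 10-minute window the fast attacker 203.0.113.5 is caught on its fifth attempt at 10:00:22, while 198.51.100.7, which spaces its attempts 15 minutes apart, never reaches five failures inside any window and is never reported. Re-running the same log with `would_ban 3600 5` catches it as well, which is the trade-off to weigh when a slow brute force shows up in your logs: a longer findtime catches patient attackers but also raises the chance of banning a legitimate user who mistypes a password a few times over an afternoon.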
📧 5. Configure Email Notifications
Ensure mailutils is installed and the mail command is available, then send yourself a test message so you know local mail delivery works before relying on it for alerts:
```bash
sudo apt install -y mailutils   # Debian/Ubuntu
which mail                      # Should return: /usr/bin/mail
```
Then add your email settings to the [DEFAULT] section of jail.local, the same section that holds bantime and friends (keep a single [DEFAULT] block in the file rather than appending a second one):
```ini
[DEFAULT]
banaction          = iptables-multiport
banaction_allports = iptables-allports
ignoreself         = true
action             = %(action_mwl)s
sender             = fail2ban@yourdomain.com
destemail          = admin@yourdomain.com
mta                = sendmail
```
Replace yourdomain.com and the email addresses with your actual values. What these settings do:
- action = %(action_mwl)s bans the address and sends a mail containing a whois lookup plus the matching log lines for every ban. It needs the whois package installed, and on a busy server it produces a lot of mail; action_mw drops the log lines and action_ sends no mail at all.
- mta = sendmail delivers through /usr/sbin/sendmail, which Postfix provides; the mail command from mailutils is only there so you can verify delivery by hand.
- ignoreself = true (the default) keeps Fail2Ban from banning the server's own addresses. Only set it to false if you have a specific reason to ban traffic from the host itself.
- loglevel is not a jail setting. If you want more verbose output while testing, set loglevel = DEBUG in /etc/fail2ban/fail2ban.local (which overrides fail2ban.conf) and switch back to INFO afterwards; putting it in jail.local has no effect.
📊 6. Enable and Start Fail2Ban
Validate the configuration first, then enable the service to start on boot and start it now:
```bash
sudo fail2ban-client -t            # parse the config without starting anything
sudo systemctl enable --now fail2ban
sudo systemctl status fail2ban
```
Restart Fail2Ban to Apply All Changes
Whenever you edit jail.local or a file in jail.d/, re-run the test and restart:
```bash
sudo fail2ban-client -t && sudo systemctl restart fail2ban
```
🧪 7. Testing & Monitoring
Simulate a Ban
From a second machine, not the workstation you administer the server from, make more than maxretry failed SSH logins, for example by repeatedly running `ssh wronguser@your-server` and entering a bad password. Using a throwaway client avoids locking yourself out for 24 hours; if it happens anyway, unban the address as shown below from a console or another IP.
Check Logs
Each failure appears as a Found line and the ban as a Ban line for the jail:
```bash
sudo tail -f /var/log/fail2ban.log
```
View Real-Time Jail Status
The first command lists the enabled jails, the second shows the failure and ban counters plus the currently banned addresses for one jail, and the third shows the iptables chain the ban rules actually live in:
```bash
sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo iptables -L f2b-sshd -n
```
Unban an IP
```bash
sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
```
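For the monitoring side, here is an added example (mine, not from the original post or from Fail2Ban) that summarizes Fail2Ban's own log: per jail, how many Ban and Unban events were logged and how many addresses are still banned, meaning banned and not yet unbanned in the excerpt. The log lines are constructed to follow the shape of the NOTICE lines that fail2ban.actions writes; the function and variable names (ban_summary, SAMPLE_F2B_LOG) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: summarize Ban/Unban activity per jail from fail2ban.log.
# Not Fail2Ban's own code. Assumes the default log line layout where the last
# three fields of a Ban/Unban line are "[jail] Ban|Unban IP".

# Constructed fail2ban.log excerpt; not captured from a real host.
SAMPLE_F2B_LOG=$(cat <<'EOF'
2024-03-10 10:00:22,410 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-10 10:12:03,118 fail2ban.actions        [812]: NOTICE  [postfix] Ban 198.51.100.7
2024-03-10 10:31:55,902 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.77
2024-03-10 10:40:00,001 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-10 10:41:10,333 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2024-03-10 10:41:10
EOF
)

# ban_summary: reads fail2ban.log lines on stdin and prints, per jail,
# "jail bans=N unbans=M active=K" sorted by jail name. Found lines and other
# log levels are ignored; only Ban/Unban events are counted.
ban_summary() {
  awk '
    $(NF - 1) == "Ban" || $(NF - 1) == "Unban" {
      jail = $(NF - 2)
      sub(/^\[/, "", jail); sub(/\]$/, "", jail)   # strip the [ ] around the jail
      ip = $NF
      if ($(NF - 1) == "Ban") { bans[jail]++; active[jail, ip] = 1 }
      else { unbans[jail]++; delete active[jail, ip] }
    }
    END {
      for (k in active) { split(k, p, SUBSEP); act[p[1]]++ }
      for (j in bans)
        printf "%s bans=%d unbans=%d active=%d\n", j, bans[j], unbans[j] + 0, act[j] + 0
    }' | sort
}

printf '%s\n' "$SAMPLE_F2B_LOG" | ban_summary
```

Run it against the real file with `sudo cat /var/log/fail2ban.log | ban_summary`; a jail whose bans count climbs while active stays low is cycling through short bans on the same attackers and is a candidate for a longer bantime, which is exactly the kind of tuning decision the thresholds above are meant to support.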
🔧 Optional: Adjust UFW if Installed
If you use ufw, its `limit` rule for SSH is ufw's own connection rate limiting, which now overlaps with what Fail2Ban does. Replace it with a plain allow (deleting the rule removes both its IPv4 and IPv6 variants; there is no separate "v6" argument):
```bash
sudo ufw delete limit 22/tcp
sudo ufw allow 22/tcp
```
Also tell Fail2Ban to ban through ufw instead of inserting its own iptables chains, so the two do not fight over rule ordering: set banaction = ufw in the [DEFAULT] section of jail.local (the action is defined in /etc/fail2ban/action.d/ufw.conf).
✅ Summary
Here’s what we’ve accomplished:
- ✅ Updated system packages
- ✅ Installed and configured Fail2Ban
- ✅ Created custom jails for SSH and Postfix
- ✅ Set ban time (24h), find time (10m), max retry (5)
- ✅ Configured email alerts
- ✅ Confirmed bans persist: Fail2Ban records every ban in its SQLite database (dbfile in fail2ban.conf) and re-applies the unexpired ones when it starts, so a restart does not release attackers. The database is pruned after dbpurgeage (1 day by default), so if you ever raise bantime above 1d, raise dbpurgeage in fail2ban.local to match.
- ✅ Tested the setup
Your server is now better protected against brute force attacks. 🎉
📌 Next Steps
- Add additional jails if you run web servers; jail.conf already defines nginx-http-auth and apache-auth, so enabling them is one `enabled = true` line each
- Whitelist internal or VPN IPs with ignoreip in [DEFAULT] (for example a /etc/fail2ban/jail.d/whitelist.conf containing `ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8`), and do it before testing so you cannot ban your own admin address
- Monitor logs regularly for suspicious activity
- Fine-tune thresholds if you experience false positives
Stay safe and secure! 🔐