# Fail2ban — Block Brute-Force Attacks Automatically

> Practical guide to Fail2ban — monitor log files, ban IPs via the firewall and stop brute-force attacks on SSH and more with fail2ban-client.

Source: https://www.jpkc.com/db/en/cheatsheets/security/fail2ban/

Fail2ban is your automatic bouncer against brute-force attacks: the tool continuously scans log files – such as SSH authentication logs – for failed login attempts. When a single IP racks up too many hits within a time window, Fail2ban bans it automatically through the firewall (iptables or nftables). Its configuration is organised into jails – one rule set per service (for example `sshd`), each combining a filter, an action and thresholds. Everything is driven through `fail2ban-client`. This guide walks you through the commands you reach for daily – from status checks through manual bans to testing your own filter regexes.

## Service Management

`fail2ban-client status` — Show overall status and list of active jails.

```bash
sudo fail2ban-client status
```

`fail2ban-client status <jail>` — Show status of a specific jail (banned IPs, failures).

```bash
sudo fail2ban-client status sshd
```

`fail2ban-client start` — Start the fail2ban server.

```bash
sudo fail2ban-client start
```

`fail2ban-client stop` — Stop the fail2ban server.

```bash
sudo fail2ban-client stop
```

`fail2ban-client reload` — Reload configuration without restarting.

```bash
sudo fail2ban-client reload
```

`fail2ban-client reload <jail>` — Reload a specific jail configuration.

```bash
sudo fail2ban-client reload sshd
```

## Ban & Unban

`fail2ban-client set <jail> banip <ip>` — Manually ban an IP in a jail.

```bash
sudo fail2ban-client set sshd banip 192.168.1.100
```

`fail2ban-client set <jail> unbanip <ip>` — Unban an IP from a jail.

```bash
sudo fail2ban-client set sshd unbanip 192.168.1.100
```

`fail2ban-client unban <ip>` — Unban an IP from all jails.

```bash
sudo fail2ban-client unban 192.168.1.100
```

`fail2ban-client unban --all` — Unban all IPs from all jails.

```bash
sudo fail2ban-client unban --all
```

`fail2ban-client banned` — Show all currently banned IPs across all jails.

```bash
sudo fail2ban-client banned
```

## Jail Configuration

`fail2ban-client get <jail> maxretry` — Show the max retry count for a jail.

```bash
sudo fail2ban-client get sshd maxretry
```

`fail2ban-client set <jail> maxretry <n>` — Set max retries before ban (runtime).

```bash
sudo fail2ban-client set sshd maxretry 3
```

`fail2ban-client get <jail> bantime` — Show the ban duration for a jail.

```bash
sudo fail2ban-client get sshd bantime
```

`fail2ban-client set <jail> bantime <seconds>` — Set ban duration (runtime).

```bash
sudo fail2ban-client set sshd bantime 3600
```

`fail2ban-client get <jail> findtime` — Show the time window for counting failures.

```bash
sudo fail2ban-client get sshd findtime
```

`fail2ban-client set <jail> addignoreip <ip>` — Whitelist an IP (never ban) – ideal for your own IP so you do not lock yourself out.

```bash
sudo fail2ban-client set sshd addignoreip 10.0.0.1
```
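The `get`/`set` calls above change a jail at runtime only; the persistent place for the same settings is `jail.local`, where a jail section overrides `[DEFAULT]`. The following script is an added example (not from the original cheatsheet): it writes a constructed `jail.local` to a temporary directory and resolves options the way Fail2ban does, jail section first, then `[DEFAULT]`. The addresses and values are assumptions.

```bash
#!/bin/sh
# Added example: a minimal jail.local plus a helper that shows which value a
# jail ends up with (jail section beats [DEFAULT]). Paths/IPs are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/fail2ban-example.$$"
mkdir -p "$WORK"

# Constructed jail.local (on a real host this lives at /etc/fail2ban/jail.local).
cat > "$WORK/jail.local" <<'EOF'
[DEFAULT]
# never ban loopback or the admin workstation (assumed address)
ignoreip = 127.0.0.1/8 ::1 10.0.0.1
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled  = true
maxretry = 3
bantime  = 24h

[nginx-http-auth]
enabled  = true
EOF

# get_jail_option FILE JAIL KEY
# Prints KEY from [JAIL]; falls back to [DEFAULT]; prints nothing if unset in both.
get_jail_option() {
    awk -v jail="$2" -v key="$3" '
        /^\[/         { sec = substr($0, 2, length($0) - 2); next }  # section header
        /^[ \t]*[#;]/ { next }                                       # comment line
        $1 == key && $2 == "=" {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)   # keep everything after "="
            if (sec == jail) jval = val
            else if (sec == "DEFAULT") dval = val
        }
        END { print (jval != "" ? jval : dval) }
    ' "$1"
}

# Example calls when run directly:
get_jail_option "$WORK/jail.local" sshd maxretry             # 3  (jail override)
get_jail_option "$WORK/jail.local" nginx-http-auth maxretry  # 5  (inherited from DEFAULT)
get_jail_option "$WORK/jail.local" sshd ignoreip             # the DEFAULT whitelist
```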

## Filter Testing

`fail2ban-regex <logfile> <filter>` — Test a filter regex against a log file.

```bash
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
```

`fail2ban-regex '<log-line>' '<regex>'` — Test a regex against a single log line.

```bash
fail2ban-regex 'Failed password for root from 1.2.3.4' 'Failed .* from <HOST>'
```

`fail2ban-regex --print-all-matched <logfile> <filter>` — Show all matching lines from a log file.

```bash
sudo fail2ban-regex --print-all-matched /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf
```

## Logs & Debugging

`fail2ban-client get loglevel` — Show the current log level.

```bash
sudo fail2ban-client get loglevel
```

`fail2ban-client set loglevel <level>` — Set log level (CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG).

```bash
sudo fail2ban-client set loglevel DEBUG
```

`tail -f /var/log/fail2ban.log` — Watch fail2ban log in real-time.

```bash
tail -f /var/log/fail2ban.log
```

`fail2ban-client get <jail> logpath` — Show which log file a jail monitors.

```bash
sudo fail2ban-client get sshd logpath
```

## Common Patterns

`fail2ban-client status sshd | grep 'Banned IP'` — Quick check for banned SSH IPs.

```bash
sudo fail2ban-client status sshd | grep 'Banned IP'
```

`fail2ban-client set <jail> bantime 86400` — Set ban time to 24 hours.

```bash
sudo fail2ban-client set sshd bantime 86400
```

`fail2ban-client set <jail> bantime -1` — Set permanent ban (never auto-unban).

```bash
sudo fail2ban-client set sshd bantime -1
```

`zgrep 'Ban' /var/log/fail2ban.log*` — Search for all bans in current and rotated logs.

```bash
zgrep 'Ban' /var/log/fail2ban.log*
```
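Going one step past `zgrep 'Ban'`, the functions below (an added example, not part of the original cheatsheet) count `Ban` events per jail and IP in current and rotated `fail2ban.log*` files and list IPs that keep coming back, the candidates for a longer `bantime`. The log lines are constructed in the script so it runs offline; the addresses are documentation ranges, not real indicators.

```bash
#!/bin/sh
# Added example: summarise Fail2ban's own log. Sample lines are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/fail2ban-log-example.$$"
mkdir -p "$WORK"
LOG="$WORK/fail2ban.log"

# Constructed excerpt in fail2ban.log format (actions log Ban/Unban, filter logs Found).
cat > "$LOG" <<'EOF'
2024-05-01 08:15:02,345 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 09:15:03,001 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 09:40:11,512 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:02:44,770 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 10:41:09,003 fail2ban.actions        [1234]: NOTICE  [nginx-http-auth] Ban 203.0.113.5
2024-05-01 10:41:10,110 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.9 - 2024-05-01 10:41:09
EOF

# ban_counts FILE...  -> "COUNT JAIL IP", most-banned first. Rotated *.gz files are
# decompressed on the fly, like zgrep does. Unban and Found lines are ignored.
ban_counts() {
    for f in "$@"; do
        case "$f" in *.gz) zcat "$f" ;; *) cat "$f" ;; esac
    done | awk '
        $3 == "fail2ban.actions" && $7 == "Ban" {
            jail = substr($6, 2, length($6) - 2)   # strip the [ ] around the jail name
            n[jail " " $8]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3
}

# repeat_offenders MIN FILE...  -> IPs banned at least MIN times across all jails
repeat_offenders() {
    min="$1"; shift
    ban_counts "$@" | awk -v min="$min" '
        { total[$3] += $1 }
        END { for (ip in total) if (total[ip] >= min) print ip }
    ' | sort
}

# Example calls when run directly:
ban_counts "$LOG"            # 2 sshd 203.0.113.5 / 1 nginx-http-auth 203.0.113.5 / 1 sshd 198.51.100.7
repeat_offenders 2 "$LOG"    # 203.0.113.5
```

On a real host, run `ban_counts /var/log/fail2ban.log*` (as root) and compare against `fail2ban-client banned` for the live view, since the log shows history, not the current ban set.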

## Conclusion

Fail2ban belongs on every server that is reachable from the internet: even the bundled `sshd` jail drastically cuts down the noise from brute-force attempts. Two things are worth remembering: put your own changes in `jail.local`, not `jail.conf` – the latter is overwritten on updates. And add your own IP address to the `ignoreip` whitelist so you never lock yourself out by accident.

## Further Reading

- [Fail2ban – official wiki](https://github.com/fail2ban/fail2ban/wiki) – documentation and configuration examples
- [fail2ban-client(1) – manual page](https://manpages.ubuntu.com/manpages/noble/en/man1/fail2ban-client.1.html) – every option at a glance
- [Fail2ban – Wikipedia](https://en.wikipedia.org/wiki/Fail2ban) – background and how it works

