Fail2ban — Block Brute-Force Attacks Automatically
Practical guide to Fail2ban — monitor log files, ban IPs via the firewall and stop brute-force attacks on SSH and more with fail2ban-client.
Fail2ban is your automatic bouncer against brute-force attacks: the tool continuously scans log files – such as SSH authentication logs – for failed login attempts. When a single IP racks up too many hits within a time window, Fail2ban bans it automatically through the firewall (iptables or nftables). Its configuration is organised into jails – one rule set per service (for example sshd), each combining a filter, an action and thresholds. Everything is driven through fail2ban-client. This guide walks you through the commands you reach for daily – from status checks through manual bans to testing your own filter regexes.
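To make the findtime/maxretry mechanism concrete, here is an added illustration (not Fail2ban's own code) that applies a fail2ban-style failregex with the `<HOST>` placeholder to a few constructed sshd log lines and reports which hosts would be banned under a given window; the log lines, the simplified IPv4-only `<HOST>` expansion and the same-day timestamp parsing are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed auth.log-style sample (documentation IP ranges, not real events).
SAMPLE_AUTH_LOG = """\
Mar  4 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  4 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  4 10:00:09 host sshd[1003]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  4 10:00:12 host sshd[1004]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  4 10:20:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  4 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""

# Fail2ban-style failregex; <HOST> is expanded to a named group (IPv4 only here).
FAILREGEX = r"Failed password for .* from <HOST>"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) ")

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def parse_ts(line):
    """Seconds since midnight; the sample assumes all lines share one day."""
    h, m, s = (int(x) for x in TS_RE.match(line).groups())
    return h * 3600 + m * 60 + s

def scan(log_text, failregex=FAILREGEX, maxretry=3, findtime=600, ignoreip=frozenset()):
    """Return [(host, ban_timestamp)] in the order bans would fire."""
    regex = compile_failregex(failregex)
    hits = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    bans, banned = [], set()
    for line in log_text.splitlines():
        m = regex.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(line)
        if host in ignoreip or host in banned:
            continue            # whitelisted, or already banned in this run
        q = hits[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()         # failures older than findtime no longer count
        if len(q) >= maxretry:
            bans.append((host, ts))
            banned.add(host)
            q.clear()
    return bans

if __name__ == "__main__":
    print(scan(SAMPLE_AUTH_LOG))   # 203.0.113.7 is banned; 198.51.100.9 stays under the window
```

With the default 10-minute findtime, 198.51.100.9 never accumulates three failures inside one window, which is exactly why tuning findtime and maxretry together matters.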
Service Management
fail2ban-client status — Show overall status and list of active jails.
sudo fail2ban-client status
fail2ban-client status <jail> — Show status of a specific jail (banned IPs, failures).
sudo fail2ban-client status sshd
fail2ban-client start — Start the fail2ban server.
sudo fail2ban-client start
fail2ban-client stop — Stop the fail2ban server.
sudo fail2ban-client stop
fail2ban-client reload — Reload configuration without restarting.
sudo fail2ban-client reload
fail2ban-client reload <jail> — Reload a specific jail configuration.
sudo fail2ban-client reload sshd
Ban & Unban
fail2ban-client set <jail> banip <ip> — Manually ban an IP in a jail.
sudo fail2ban-client set sshd banip 192.168.1.100
fail2ban-client set <jail> unbanip <ip> — Unban an IP from a jail.
sudo fail2ban-client set sshd unbanip 192.168.1.100
fail2ban-client unban <ip> — Unban an IP from all jails.
sudo fail2ban-client unban 192.168.1.100
fail2ban-client unban --all — Unban all IPs from all jails.
sudo fail2ban-client unban --all
fail2ban-client banned — Show all currently banned IPs across all jails.
sudo fail2ban-client banned
Jail Configuration
fail2ban-client get <jail> maxretry — Show the max retry count for a jail.
sudo fail2ban-client get sshd maxretry
fail2ban-client set <jail> maxretry <n> — Set max retries before ban (runtime).
sudo fail2ban-client set sshd maxretry 3
fail2ban-client get <jail> bantime — Show the ban duration for a jail.
sudo fail2ban-client get sshd bantime
fail2ban-client set <jail> bantime <seconds> — Set ban duration (runtime).
sudo fail2ban-client set sshd bantime 3600
fail2ban-client get <jail> findtime — Show the time window for counting failures.
sudo fail2ban-client get sshd findtime
fail2ban-client set <jail> addignoreip <ip> — Whitelist an IP (never ban) – ideal for your own IP so you do not lock yourself out.
sudo fail2ban-client set sshd addignoreip 10.0.0.1
Filter Testing
fail2ban-regex <logfile> <filter> — Test a filter regex against a log file.
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
fail2ban-regex '<log-line>' '<regex>' — Test a regex against a single log line.
fail2ban-regex 'Failed password for root from 1.2.3.4' 'Failed .* from <HOST>'
fail2ban-regex --print-all-matched <logfile> <filter> — Show all matching lines from a log file.
sudo fail2ban-regex --print-all-matched /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf
Logs & Debugging
fail2ban-client get loglevel — Show the current log level.
sudo fail2ban-client get loglevel
fail2ban-client set loglevel <level> — Set log level (CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG).
sudo fail2ban-client set loglevel DEBUG
tail -f /var/log/fail2ban.log — Watch the fail2ban log in real time.
tail -f /var/log/fail2ban.log
fail2ban-client get <jail> logpath — Show which log file a jail monitors.
sudo fail2ban-client get sshd logpath
Common Patterns
fail2ban-client status sshd | grep 'Banned IP' — Quick check for banned SSH IPs.
sudo fail2ban-client status sshd | grep 'Banned IP'
fail2ban-client set <jail> bantime 86400 — Set ban time to 24 hours.
sudo fail2ban-client set sshd bantime 86400
fail2ban-client set <jail> bantime -1 — Set a permanent ban (never auto-unban).
sudo fail2ban-client set sshd bantime -1
zgrep 'Ban' /var/log/fail2ban.log* — Search for all bans in current and rotated logs.
zgrep 'Ban' /var/log/fail2ban.log*
Conclusion
Fail2ban belongs on every server that is reachable from the internet: even the bundled sshd jail drastically cuts down the noise from brute-force attempts. Two things are worth remembering: put your own changes in jail.local, not jail.conf – the latter is overwritten on updates. And add your own IP address to the ignoreip whitelist so you never lock yourself out by accident.
Further Reading
- Fail2ban – official wiki – documentation and configuration examples
- fail2ban-client(1) – manual page – every option at a glance
- Fail2ban – Wikipedia – background and how it works