Credit: Thinkstock The fail2ban tool in Linux monitors system logs for signs of attacks, putting offending systems into what is called “jail”, and modifying firewall settings. It shows what systems are in jail at any given time, and requires root access to configure and view findings. It’s generally used on Linux servers. fail2ban primarily focuses on SSH attacks, but can be configured to look for other kinds of attacks as well. How to install fail2ban on Fedora 34 To prepare for installing fail2ban, it’s a good idea to update the system first: $ sudo dnf update && sudo dnf upgrade -y Then install fail2ban and verify its presence on your system with commands like these: $ sudo dnf install fail2ban $ find /var -name fail2ban /var/lib/fail2ban To start the service, run these commands: $ sudo systemctl start fail2ban $ sudo systemctl enable fail2ban Next, you need to set up a jail.local file in /etc/fail2ban. Adding content like this will allow it to watch for failed SSH connections, which could indicate someone trying to login by guessing passwords. $ cat /etc/fail2ban/jail.local [sshd] enabled = true port = 22 filter = sshd logpath = /var/log/fail2ban.log maxretry = 3 Note that the above will get fail2ban to block ssh connections after three failed login attempts (see the maxretry setting). You can change these settings if you want, but allowing three chances is fairly common. Even legitimate users mistype passwords from time to time. fail2ban will automatically add rules to your firewall to protect your server. A command like this will display the effect in the firewall rules: $ sudo iptables -n -L --line-numbers | grep unreachable 2 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Testing fail2ban actions If you try to log into an account from a different system using SSH, but mistype the password three times in a row, the account should be blocked. You can then view the jailed systems with a command like this: $ sudo fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 3 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 192.168.0.17 Since this was intended as just a test to see how the tool works, you likely want to re-enable the system to connect to the server. You can get a system immediately out of jail with a command like this: $ sudo fail2ban-client set sshd unbanip 192.168.0.17 Read "unbanip" as "un-ban IP". If you add a bantime setting to your jail.local file, you can limit how long the lockout will last. The value must be specified in seconds: $ cat jail.local [sshd] enabled = true port = 22 filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 120 In the above example, we've only locked users out for two minutes (120 seconds). This allows us to wait a bit and then check to ensure that we can log in again. The timeout defaults to 10 minutes (600 seconds). After you fail to log in from the other system, you will see something like this when you check fail2ban: $ sudo fail2ban-client status sshd [sudo] password for shs: Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 3 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 When trying to connect from the blocked system, you will see "Connection refused" messages. After two minutes, you can try logging in again. On the server, you will also see the change reflected in the status output: $ sudo fail2ban-client status sshd [sudo] password for shs: Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 3 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 0 Viewing fail2ban's log data You can find evidence of fail2ban's activities in its log file. Notice that the first ban lasted 10 minutes (the default) and the second two only two (after changing settings for the test). $ sudo egrep "Ban|Unban" /var/log/fail2ban.log 2022-03-10 15:20:50,913 fail2ban.actions [3870239]: NOTICE [sshd] Ban 192.168.0.17 2022-03-10 15:30:50,012 fail2ban.actions [3870239]: NOTICE [sshd] Unban 192.168.0.17 2022-03-11 11:34:09,024 fail2ban.actions [4055193]: NOTICE [sshd] Ban 192.168.0.17 2022-03-11 11:36:09,011 fail2ban.actions [4055193]: NOTICE [sshd] Unban 192.168.0.17 2022-03-11 12:18:23,825 fail2ban.actions [4057814]: NOTICE [sshd] Ban 192.168.0.17 2022-03-11 12:20:23,778 fail2ban.actions [4057814]: NOTICE [sshd] Unban 192.168.0.17 Wrap-Up The fail2ban tool can also work with other connections besides SSH and can even be configured to send alerts in addition to jailing and un-jailing connections based on your selected settings. Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to The logic of && and || on Linux These AND and OR equivalents can be used in scripts to determine next actions. By Sandra Henry-Stocker May 02, 2024 4 mins Linux how-to Using the apropos command on Linux By Sandra Henry-Stocker Apr 24, 2024 3 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe