Admin: New server guide

2026-04-14T20:00:30Z

New server guide

New page

Did you know that brute-force attacks are a common threat to server security? These attacks involve an attacker repeatedly trying different usernames and passwords to gain unauthorized access. Installing and configuring **Fail2Ban** is a proactive step to protect your server from such threats. Fail2Ban scans log files and temporarily or permanently bans IP addresses that show malicious signs, such as too many password failures.

== Prerequisites ==

Before you begin, ensure you have the following:

* A Linux server (this guide assumes a Debian/Ubuntu-based system).
* Root or sudo privileges on your server.
* SSH access to your server.
* Basic familiarity with the Linux command line.

== What is Fail2Ban? ==

Fail2Ban is an intrusion prevention software framework. It protects computer servers from brute-force attacks. It works by monitoring log files (like `/var/log/auth.log` for SSH login attempts) for suspicious activity. When it detects too many failed attempts from a single IP address, it automatically updates firewall rules to block that IP. Think of it like a digital bouncer at a club, who checks IDs and kicks out patrons causing trouble.

== Installation ==

Installing Fail2Ban is straightforward using your distribution's package manager.

1. Update your package list:
<pre>sudo apt update</pre>
2. Install Fail2Ban:
<pre>sudo apt install fail2ban</pre>

Fail2Ban will typically start automatically after installation.

== Configuration ==

Fail2Ban's configuration files are located in `/etc/fail2ban/`. The main configuration file is `jail.conf`. However, it's best practice to create a local configuration file, `jail.local`, to override default settings. This prevents your custom configurations from being overwritten during package updates.

1. Copy the default configuration file to a local file:
<pre>sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</pre>
2. Edit the `jail.local` file using your preferred text editor (e.g., nano):
<pre>sudo nano /etc/fail2ban/jail.local</pre>

Inside `jail.local`, you'll find several sections. The `[DEFAULT]` section contains global settings that apply to all jails unless overridden.

=== Key Configuration Options ===

* `bantime`: The duration for which an IP address is banned. For example, `bantime = 1h` bans an IP for one hour.
* `findtime`: The time window during which failed attempts are counted. For example, `findtime = 10m` means attempts within a 10-minute window.
* `maxretry`: The number of failed attempts allowed within `findtime` before an IP is banned. For example, `maxretry = 5` means 5 failed attempts trigger a ban.
* `ignoreip`: A list of IP addresses that should never be banned. Add your own IP address here to avoid locking yourself out. For example, `ignoreip = 127.0.0.1/8 your_home_ip`.

=== Enabling Jails ===

Jails are specific rules for different services. By default, many jails are disabled. To enable a jail, find its section in `jail.local` and set `enabled = true`.

For SSH protection, the `[sshd]` jail is crucial. Ensure it's enabled:

```ini
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1d
```

In this example, the SSH jail is enabled, the `maxretry` is set to 3 failed attempts, and the `bantime` is set to 1 day. This is a more aggressive setting than the default, but effective.

=== Protecting Web Applications ===

Fail2Ban can also protect web applications by monitoring their logs. For example, to protect Apache web server logs:

```ini
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 6
```

This jail would monitor Apache's error log for authentication failures.

=== Protecting Mail Servers ===

If you run a mail server, Fail2Ban can help protect it from abuse. A common jail for Postfix is `[postfix]`:

```ini
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
```

== Restarting Fail2Ban ==

After making changes to `jail.local`, you must restart the Fail2Ban service for the changes to take effect.

1. Restart the service:
<pre>sudo systemctl restart fail2ban</pre>
2. Check the status to ensure it's running without errors:
<pre>sudo systemctl status fail2ban</pre>

== Monitoring Fail2Ban ==

You can monitor Fail2Ban's activity and check which IPs are banned using the `fail2ban-client` command.

* Check the status of all jails:
<pre>sudo fail2ban-client status</pre>
* Check the status of a specific jail (e.g., `sshd`):
<pre>sudo fail2ban-client status sshd</pre>
* Unban an IP address:
<pre>sudo fail2ban-client set sshd unbanip 192.168.1.100</pre>

== Troubleshooting ==

* **IPs not getting banned:**
* Verify that the `logpath` in your `jail.local` file correctly points to the service's log file.
* Ensure the `filter` name matches the corresponding filter file in `/etc/fail2ban/filter.d/`.
* Check that the jail is enabled (`enabled = true`).
* Confirm that the IP address you are testing from is not listed in `ignoreip`.
* **Fail2Ban service not starting:**
* Check the Fail2Ban logs for error messages: `sudo journalctl -u fail2ban` or check `/var/log/fail2ban.log`.
* Ensure there are no syntax errors in your `jail.local` file.
* **Accidentally banned yourself:**
* If you've locked yourself out, you can unban your IP address from the command line using `sudo fail2ban-client set <jail_name> unbanip <your_ip_address>`.

== Advanced Usage and Considerations ==

* **Custom Filters:** You can create your own filters for applications not covered by default. These are placed in `/etc/fail2ban/filter.d/`.
* **Action Scripts:** Fail2Ban uses action scripts to perform banning. These can be customized in `/etc/fail2ban/action.d/`.
* **GPU Servers:** For demanding workloads, consider using dedicated GPU servers. Providers like [Immers Cloud](https://en.immers.cloud/signup/r/20241007-8310688-334/) offer GPU instances starting from $0.23/hr for inference to $4.74/hr for H200, which can be beneficial for AI/ML tasks that might indirectly benefit from robust server security.
* **Log Rotation:** Ensure your log rotation policies are set up correctly so that logs don't grow too large and that Fail2Ban can still access recent entries.

[[Category:Security]]
[[Category:Server Administration]]
[[Category:Linux]]

Installing and Configuring Fail2Ban - Revision history

Admin: New server guide