Fail2Ban & Server Security Guide
This guide covers installation, configuration, and protection for SSH, web apps, MySQL, FTP, Samba, and custom systems.
Install Fail2Ban
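# Refresh the package lists, install Fail2Ban, then start it now and at every boot.
sudo apt update
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban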
Check Service Status
sudo systemctl status fail2ban
sudo fail2ban-client status
Basic Configuration
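# jail.local overrides jail.conf and is the place for local changes; a jail.local that holds only the settings you change works as well.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
# The settings below go in the [DEFAULT] section.
# YOUR_IP is a placeholder. Addresses listed in ignoreip are never banned, so list only fixed addresses you control.
ignoreip = 127.0.0.1/8 YOUR_IP
# bantime and findtime are in seconds: a 1-hour ban after 3 failures within 10 minutes.
bantime = 3600
findtime = 600
maxretry = 3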
Restart Fail2Ban
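# Test the configuration first and restart only if it parses: with a broken
# config the service fails to start and no jail is active.
sudo fail2ban-client -t && sudo systemctl restart fail2ban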
SSH Protection
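[sshd]
enabled = true
# "ssh" resolves to port 22. If sshd listens on another port (this guide later suggests Port 2222), set that port here, otherwise the ban does not cover it.
port = ssh
maxretry = 3
bantime = 3600
# On systems where sshd logs only to the systemd journal (no /var/log/auth.log), this jail also needs: backend = systemd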
Apache Authentication Protection
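# This jail covers authentication failures that Apache itself writes to its error log (HTTP basic/digest auth).
# Login forms handled by a web application need their own filter; see Custom Login Protection.
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log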
Custom Login Protection
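# Example log
LOGIN FAILED ip=192.168.1.10 user=admin
# Filter
sudo nano /etc/fail2ban/filter.d/myapp.conf
[Definition]
# Caution: the pattern below is unanchored, and ".*" is greedy. If a user-controlled field (such as user=) contains text that looks like "ip=...", that text can be taken as the offending host and the wrong address gets banned.
# For the log format shown above, an anchored pattern is safer (adjust it to any prefix your application writes):
#   failregex = ^LOGIN FAILED ip=<HOST> user=
# Test any pattern against the real log with fail2ban-regex before enabling the jail.
failregex = LOGIN FAILED.*ip=<HOST>
# Jail (add to /etc/fail2ban/jail.local)
[myapp]
enabled = true
filter = myapp
logpath = /var/log/myapp.log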
MySQL Protection
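# Enable logs
# The server must be configured to record failed logins in this file; depending on the server and version this is controlled by log_error_verbosity or log_warnings.
/var/log/mysql/error.log
# Filter
# Save this under a [Definition] header as /etc/fail2ban/filter.d/mysql.conf: a jail with no "filter =" line uses the filter named after the jail.
# Fail2Ban also ships a ready-made mysqld-auth filter that can be used instead.
failregex = Access denied for user '.*'@'<HOST>'
# Jail
[mysql]
enabled = true
port = 3306
logpath = /var/log/mysql/error.log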
FTP Protection (vsftpd)
# Log
/var/log/vsftpd.log
# Filter
# Fail2Ban already ships filter.d/vsftpd.conf, which the [vsftpd] jail uses by default; a custom pattern like the one below is only needed if your log format differs.
failregex = FAIL LOGIN: Client "<HOST>"
# Jail
[vsftpd]
enabled = true
port = ftp,ftp-data
logpath = /var/log/vsftpd.log
Samba Protection
# Log
/var/log/samba/log.smbd
# Filter
# Save this under a [Definition] header as /etc/fail2ban/filter.d/samba.conf so the [samba] jail can find it.
# Check it against your own log.smbd with fail2ban-regex, since the wording of Samba's failure messages depends on version and log level.
failregex = authentication.*FAILED.*from <HOST>
# Jail
[samba]
enabled = true
port = 445,139
logpath = /var/log/samba/log.smbd
Firewall Setup (UFW)
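# Add the allow rules BEFORE enabling the firewall, so that turning it on
# does not cut off remote SSH access.
# If sshd is moved off port 22 (the hardening section below uses 2222),
# allow that port here instead of 22.
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
sudo ufw reload
# Confirm that the active rule set is what you expect.
sudo ufw status verbose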
Security Hardening
# Disable root SSH (in /etc/ssh/sshd_config; first confirm that a non-root account with sudo rights can log in)
PermitRootLogin no
# Change SSH port (before restarting sshd, allow the new port in UFW and set it in the [sshd] jail, or you can lock yourself out; this cuts log noise but does not replace strong authentication)
Port 2222
# MySQL local only (in the MySQL server configuration, [mysqld] section)
bind-address = 127.0.0.1
# Disable anonymous FTP (in vsftpd.conf)
anonymous_enable=NO
# Samba local network only
(block ports 445,139 from internet)
Check Logs
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/fail2ban.log
Common Problems & Fixes
# Fail2Ban not banning (list the active jails; add a jail name, e.g. "status sshd", to see its failure and ban counts)
sudo fail2ban-client status
# Wrong log path
check actual log file location
# Regex not matching (run the filter against the real log, e.g. fail2ban-regex /var/log/myapp.log /etc/fail2ban/filter.d/myapp.conf)
fail2ban-regex /log/file /filter.conf
# Locked yourself out (run this from the server console or from an address that is not banned)
sudo fail2ban-client set sshd unbanip YOUR_IP