Fail2ban Installation and Configuration Guide for VPS

A comprehensive guide to securing your VPS with fail2ban, intrusion prevention software that watches service logs and bans the source addresses of brute-force attacks.

Prerequisites

  • Ubuntu/Debian-based VPS with root or sudo access
  • SSH access to your server
  • A firewall (iptables or ufw) installed

Installation

sudo apt update
sudo apt install fail2ban -y

Enable fail2ban to start on boot:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configuration

Fail2ban uses a hierarchy of configuration files. Never modify jail.conf directly, because it is overwritten by package updates. Instead, create a jail.local file for your customizations; settings in jail.local override the same keys in jail.conf.

Basic Configuration

Create your local configuration file:

sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Ban duration (1 hour)
bantime = 1h

# Time window for counting failures
findtime = 10m

# Number of failures before ban
maxretry = 3

# Progressive ban times for repeat offenders
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 1w

# Ignore localhost
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF

Restart fail2ban to apply changes:

sudo systemctl restart fail2ban

Configuration Options Explained

| Option   | Description                                              | Recommended Value          |
|----------|----------------------------------------------------------|----------------------------|
| bantime  | Duration of the ban                                      | 1h to 24h                  |
| findtime | Time window for counting failures                        | 10m                        |
| maxretry | Failures allowed before ban                              | 3-5                        |
| ignoreip | IPs that should never be banned                          | Your static IP, localhost  |
| mode     | Filter aggressiveness (normal, ddos, extra, aggressive)  | aggressive for SSH         |

Progressive Ban Configuration

For repeat offenders, enable progressive banning:

[DEFAULT]
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 1w

This configuration doubles the ban time for each subsequent offense, up to a maximum of one week.
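To make the interplay of findtime, maxretry, ignoreip and the progressive bantime concrete, here is an added Python example (not fail2ban's own code) that replays constructed auth.log lines through a simplified sshd failregex and the counting rules described above. The regex, the sample log lines and the doubling model are assumptions of this example; fail2ban's real sshd filter matches many more patterns.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical simplified failregex modelled on the sshd "Failed password" line;
# this is NOT fail2ban's filter.d/sshd.conf, only enough of it for the demo.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample auth.log lines (syslog timestamps, no year, as in the real file).
AUTH_LOG = """\
Mar  1 10:00:01 vps sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:05 vps sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  1 10:00:09 vps sshd[1236]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:12 vps sshd[1237]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:30:00 vps sshd[1300]: Failed password for root from 198.51.100.9 port 50000 ssh2
Mar  1 10:45:00 vps sshd[1301]: Failed password for root from 198.51.100.9 port 50001 ssh2
Mar  1 11:00:00 vps sshd[1302]: Failed password for root from 198.51.100.9 port 50002 ssh2
Mar  1 11:01:00 vps sshd[1303]: Failed password for root from 127.0.0.1 port 50003 ssh2
Mar  1 11:01:01 vps sshd[1304]: Failed password for root from 127.0.0.1 port 50004 ssh2
Mar  1 11:01:02 vps sshd[1305]: Failed password for root from 127.0.0.1 port 50005 ssh2
"""

def evaluate(log, findtime, maxretry, ignoreip=("127.0.0.1/8", "::1")):
    """Return {ip: timestamp of ban} for each IP reaching maxretry matching
    failures inside a sliding findtime window; ignoreip networks are exempt."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue             # not a failure: fail2ban-regex would list it as missed
        ip = m.group("ip")
        if ip in banned or any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts      # maxretry failures within findtime -> ban
    return banned

def next_bantime(base, prior_bans, factor=2, maxtime=timedelta(weeks=1)):
    """Simplified model of bantime.increment as this guide describes it: every
    repeat offence multiplies the previous ban by factor, capped at maxtime."""
    return min(base * factor ** prior_bans, maxtime)
```

With findtime=10m only 203.0.113.5 is banned; widening findtime to 1h also catches the slow attempts from 198.51.100.9, which is the trade-off the table above describes.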

Protecting Additional Services

Traefik (Reverse Proxy)

[traefik-auth]
enabled = true
port = http,https
logpath = /var/log/traefik/access.log
maxretry = 5

Nginx

[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s

Apache

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

Postfix (Mail Server)

[postfix]
enabled = true
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s

Recidive (Ban Repeat Offenders Across All Jails)

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 5

Management Commands

Check Status

# Overall fail2ban status
sudo fail2ban-client status

# Status of a specific jail
sudo fail2ban-client status sshd

View Banned IPs

sudo fail2ban-client status sshd | grep "Banned IP"

Manually Ban/Unban an IP

# Ban an IP
sudo fail2ban-client set sshd banip 192.168.1.100

# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100

View Logs

# Real-time monitoring
sudo tail -f /var/log/fail2ban.log

# View recent bans
sudo grep "Ban" /var/log/fail2ban.log | tail -20

Test Configuration

# Check for syntax errors
sudo fail2ban-client -t

# Reload configuration
sudo systemctl reload fail2ban

Troubleshooting

Verify Jail is Active

sudo fail2ban-client status

Check Filter Regex

Test whether the filter's failregex matches the format of your log lines (the summary reports how many lines matched and how many were missed):

sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

View iptables Rules Created by Fail2ban

sudo iptables -L -n | grep -A 10 f2b

Common Issues

Fail2ban not banning IPs:
  • Verify the log path is correct
  • Check that the filter regex matches your log format
  • Ensure the jail is enabled

IPs getting banned too quickly:
  • Increase the maxretry value
  • Add your IP to ignoreip

Fail2ban not starting:
  • Check for syntax errors: sudo fail2ban-client -t
  • Review logs: sudo journalctl -u fail2ban

Security Best Practices

  1. Whitelist your IP: Add your static IP to ignoreip to avoid locking yourself out
  2. Use aggressive mode for SSH: The aggressive mode catches more attack patterns
  3. Enable the recidive jail: Ban repeat offenders across all jails for an extended period (one week in the configuration above)
  4. Monitor logs regularly: Set up log rotation and monitoring
  5. Combine with other security measures: Use fail2ban alongside SSH key authentication, firewall rules, and regular updates

Complete Example Configuration

Here's a production-ready jail.local for a typical VPS:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 1w
ignoreip = 127.0.0.1/8 ::1

# Email notifications (optional)
# destemail = admin@example.com
# sender = fail2ban@example.com
# action = %(action_mwl)s

[sshd]
enabled = true
mode = aggressive
port = ssh
maxretry = 3

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 3
