If you run a Linux server with SSH open to the internet, you will see a steady stream of failed logins in your log files within hours of bringing it online. Automated scanners try common usernames and thousands of passwords as fast as the server will answer; this is a brute-force attack. Every attempt costs a little CPU and bandwidth, fills your logs with noise, and if one guess lands the attacker has a shell on your machine. Fail2ban watches the authentication log for exactly this pattern: when one IP address fails too many times in a short window, Fail2ban asks the firewall to drop that address for a configurable period, so the guessing stops.
I will show you how to install Fail2ban and configure it for SSH, step by step, with nothing that needs expert knowledge. Think of it as a security guard for your SSH port that never sleeps: it watches who is knocking and locks out anyone who keeps trying the wrong key. It is a rate limiter, not a replacement for SSH keys and disabled password authentication, but it takes most of the brute-force load off a server in a few minutes of work.
Step 1: Install Fail2ban on your server
First, open a terminal and connect to your server over SSH. The Fail2ban package is usually not preinstalled on a fresh server, so install it from your distribution's repositories.
On Ubuntu or Debian, run:
sudo apt update
sudo apt install fail2ban -y
On CentOS Stream, Rocky Linux or AlmaLinux, the package comes from the EPEL repository, so enable EPEL first (on Fedora, skip the epel-release line; Fail2ban is in the main repositories there):
sudo dnf install epel-release -y
sudo dnf install fail2ban -y
Your package manager downloads Fail2ban and its dependencies; the install takes a minute or two. On Debian and Ubuntu the package also ships /etc/fail2ban/jail.d/defaults-debian.conf, which already enables the sshd jail with the stock settings, and starts the service right away. The file we create in the next step adds our own settings on top of that.
Step 2: Create the SSH jail config file
Now we tell Fail2ban what to do for SSH. In Fail2ban, the configuration for one service is called a jail. Do not edit the shipped jail.conf: the package manager overwrites it on upgrade and your changes would be lost. Fail2ban reads jail.conf first, then jail.d/*.conf, then jail.local, then jail.d/*.local, and later files override earlier ones, so we put our settings in a new file of our own, /etc/fail2ban/jail.d/sshd.local.
Run this command to create the file and write the configuration into it in one go:
sudo tee /etc/fail2ban/jail.d/sshd.local > /dev/null <<'EOF'
[sshd]
enabled = true
backend = systemd
maxretry = 3
findtime = 10m
bantime = 1h
bantime.increment = true
bantime.factor = 4
EOF
The heredoc writes the whole file at once, so there is nothing to edit by hand. Here is what each line means:
- [sshd] opens the section for the jail named sshd. The jail uses the sshd filter that ships with Fail2ban, which knows what OpenSSH's failed-login messages look like.
- enabled = true switches the jail on. Jails defined in jail.conf are off by default; with false this one would be defined but do nothing.
- backend = systemd tells Fail2ban to read sshd's messages from the systemd journal instead of a log file. On recent Debian and Ubuntu releases no syslog daemon is installed by default, so /var/log/auth.log may not exist at all; pointing the jail at the journal avoids a jail that refuses to start because its log file is missing. The systemd backend needs the Python systemd bindings (python3-systemd on Debian and Ubuntu), which the package normally pulls in; if the jail complains about the backend at startup, install that package.
- maxretry = 3 bans an address after three failures. Three leaves room for a typo in your own password, while an automated guesser blows through the limit in seconds. Note that one SSH connection can carry several password attempts (OpenSSH's MaxAuthTries defaults to 6) and each failed attempt is logged separately, so a single bot connection can hit the limit on its own.
- findtime = 10m is the window in which the failures must occur. Three failures within ten minutes trigger a ban; one failure today and another tomorrow do not add up, because the first has already fallen out of the window.
- bantime = 1h is how long a banned address stays blocked. It is the starting value; the next two options make it grow for repeat offenders.
- bantime.increment = true makes Fail2ban remember earlier bans of the same address in its SQLite database (/var/lib/fail2ban/fail2ban.sqlite3 by default) and hand out a longer ban each time the address comes back. Because the history lives in the database, it survives a restart of the service. If you have disabled the database (dbfile = None), increments cannot work and Fail2ban logs a warning.
- bantime.factor = 4 is a multiplier applied on top of Fail2ban's default growth formula, not the base of the growth. The default formula is bantime * 2^n * factor, where n is the number of earlier bans, and it is only evaluated from the second ban on; the first ban always uses bantime as-is.
So with bantime = 1h and bantime.factor = 4 the sequence is: first ban 1 hour, second ban 1h * 2 * 4 = 8 hours, third 1h * 4 * 4 = 16 hours, fourth 32 hours, fifth 64 hours, doubling from there (the exponent is capped at 20). If you want the ban to quadruple instead (1h, 4h, 16h, 64h, 256h), leave the factor at its default and set bantime.multipliers = 1 4 16 64 256; that option replaces the formula with an explicit list indexed by the ban count, and the last entry is reused once the list runs out. Either way, a bot that keeps coming back is locked out for days after a handful of bans. Two caveats: bantime.maxtime (unset by default) caps the growth if you set it, and the ban history is purged after dbpurgeage from fail2ban.conf (default 1d), so raise dbpurgeage in a fail2ban.local if you want repeat offenders remembered across days.
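To make the counting and the ban-time growth concrete, here is an added shell example; it is mine, not part of this guide or of Fail2ban, and it models Fail2ban's behaviour in simplified form rather than calling it. It replays constructed sshd journal lines (made up for the example, in journalctl -o short-unix layout with epoch seconds first) through a sliding findtime window, reports which source addresses would reach maxretry, and computes ban lengths for a given number of earlier bans with Fail2ban's default increment formula. The matcher only counts Failed password lines, whereas the real sshd filter also counts messages such as Invalid user; the factor is integer-only because POSIX shell arithmetic is; and the function names banned_ips, next_ban_time and ban_schedule are my own.

```shell
#!/bin/sh
# Added example: a simplified model of the sshd jail's failure counting and
# of bantime.increment. Not Fail2ban's code.

# Constructed journal lines in `journalctl -o short-unix` layout (not real traffic):
# <epoch.usec> <host> sshd[<pid>]: <message>
SAMPLE_LOG='1709460001.000000 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
1709460010.000000 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
1709460020.000000 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51250 ssh2
1709460030.000000 srv sshd[1204]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
1709460040.000000 srv sshd[1205]: Failed password for deploy from 198.51.100.7 port 40002 ssh2
1709461000.000000 srv sshd[1206]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
1709462000.000000 srv sshd[1207]: Failed password for deploy from 198.51.100.7 port 40020 ssh2'

# banned_ips MAXRETRY FINDTIME_SECONDS
# Reads log lines on stdin and prints "ip epoch" for each address whose
# failures reach MAXRETRY inside a sliding FINDTIME window. This is what
# findtime means: old failures drop out of the window instead of piling up.
# Simplification: only "Failed password ... from <ip>" lines count here; the
# real sshd filter also matches "Invalid user", "Connection closed by
# authenticating user" and a few more.
banned_ips() {
  sort -n | awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for .* from / {
      t = $1 + 0
      tsec = $1; sub(/\.[0-9]*$/, "", tsec)     # integer seconds for printing
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || (ip in banned)) next       # already banned: stop counting
      n[ip]++
      seen[ip, n[ip]] = t
      c = 0
      for (j = 1; j <= n[ip]; j++) if (seen[ip, j] > t - findtime) c++
      if (c >= maxretry) { banned[ip] = 1; print ip, tsec }
    }'
}

# next_ban_time BANTIME_SECONDS PREVIOUS_BANS FACTOR
# Fail2ban's default bantime.formula is
#   ban.Time * (1 << (ban.Count if ban.Count < 20 else 20)) * banFactor
# and it is only evaluated for an address that has been banned before, so the
# first ban is always plain bantime. FACTOR must be an integer in this model.
next_ban_time() {
  bantime=$1; prev=$2; factor=$3
  if [ "$prev" -le 0 ]; then
    echo "$bantime"
    return
  fi
  [ "$prev" -gt 20 ] && prev=20
  echo $(( bantime * (1 << prev) * factor ))
}

# ban_schedule BANTIME_SECONDS FACTOR COUNT
# Prints the length of the first COUNT bans in whole hours.
ban_schedule() {
  i=0
  while [ "$i" -lt "$3" ]; do
    secs=$(next_ban_time "$1" "$i" "$2")
    echo "ban $((i + 1)): $((secs / 3600))h"
    i=$((i + 1))
  done
}

# Demo: maxretry=3, findtime=10m -> only 203.0.113.5 is banned. 198.51.100.7
# also fails three times, but spread over about 33 minutes, so no ten-minute
# window ever holds three of its failures.
printf '%s\n' "$SAMPLE_LOG" | banned_ips 3 600
# Demo: bantime=1h, bantime.factor=4 -> 1h, 8h, 16h, 32h, 64h
ban_schedule 3600 4 5
```

On a live server you can feed real data through the same function with sudo journalctl -o short-unix _COMM=sshd | banned_ips 3 600 and compare the result with fail2ban-client status sshd; the counts will differ a little because the real filter matches more message types than this model does.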
Step 3: Start Fail2ban service
After creating the config file, the Fail2ban service has to read it before anything happens.
Run this command to start Fail2ban now and at every boot:
sudo systemctl enable --now fail2ban
The --now flag starts the unit immediately as well as enabling it, so you do not need a separate start command. One catch: on Debian and Ubuntu the package starts Fail2ban right after installation, and enable --now does nothing to a service that is already running, so it would keep the old configuration. In that case restart it (sudo systemctl restart fail2ban) or reload it (sudo fail2ban-client reload) so the new jail settings are picked up.
Step 4: Check if Fail2ban is working
Next, make sure Fail2ban is running and actually watching SSH. The fail2ban-client tool talks to the running server and reports the status of each jail.
Run this in your terminal:
sudo fail2ban-client status sshd
The output has two parts. The Filter section shows how many log lines currently count as failures and how many have matched in total, plus the journal match the jail is reading. The Actions section shows how many IPs are banned right now, how many have been banned in total, and the list of banned addresses. On a fresh server the numbers may all be zero; a server that has been reachable for a few days will usually show banned addresses already, because scanners sweep the whole internet looking for SSH ports. If the command instead reports that the sshd jail does not exist, the jail failed to start: look at sudo journalctl -u fail2ban or /var/log/fail2ban.log for the reason (a missing log file is the usual one), and use sudo fail2ban-client -t to test the configuration before the next restart.
Step 5: How to unban your own IP address
Sometimes you will mistype your own password three times and Fail2ban will ban you as well. You cannot reconnect from that address until the ban expires, and with bantime.increment each repeat lockout lasts longer. You can recover if you have another address to connect from (a phone hotspot or a VPN, for example) or if your cloud provider offers a console on its website. Better still, prevent it: add your own address to ignoreip in the jail file and Fail2ban will never ban it in the first place.
Once you are back in, unban your address with:
sudo fail2ban-client set sshd unbanip YOUR_IP_ADDRESS
Replace YOUR_IP_ADDRESS with the public address you connect from. Rather than searching the web for "what is my IP", look at what the server itself sees: while you are logged in over SSH, the SSH_CONNECTION environment variable holds the client address as its first field, which is the address Fail2ban has in its logs even when you sit behind a VPN or carrier NAT. The command removes your IP from Fail2ban's ban list and from the firewall rule it manages, and you can connect again right away. Newer versions also accept sudo fail2ban-client unban YOUR_IP_ADDRESS, which removes the address from every jail at once. Then type your password carefully.
That is all it takes to make your server noticeably safer. Fail2ban is simple to set up and very effective against password guessing, and every server administrator should run it. Keep in mind that it limits how fast anyone can guess; disabling password authentication in favour of keys and keeping root login off are what make sure there is nothing to guess.
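The following added shell example (mine, not from this guide or from the Fail2ban project) puts the lockout prevention into practice: it reads your client address from SSH_CONNECTION, checks that it is a well-formed IPv4 address so nothing odd ends up in the config, and writes a jail file that carries the settings from Step 2 plus an ignoreip line. The target directory is a parameter so you can try it in a scratch directory first; with no directory argument it writes to /etc/fail2ban, which needs root. IPv6 clients are left out for brevity (ignoreip accepts IPv6 addresses and CIDR ranges too), and the helper names my_ssh_client_ip, is_ipv4, render_sshd_jail and write_sshd_jail are my own.

```shell
#!/bin/sh
# Added example: keep your own address out of the sshd jail with ignoreip.
# Not part of Fail2ban; helper names are my own.

# my_ssh_client_ip
# sshd sets SSH_CONNECTION="<client ip> <client port> <server ip> <server port>"
# in the session environment, so the first field is the address Fail2ban sees
# in its logs. Prints it, or fails when not run inside an SSH session.
my_ssh_client_ip() {
  [ -n "${SSH_CONNECTION:-}" ] || { echo "not inside an SSH session" >&2; return 1; }
  printf '%s\n' "${SSH_CONNECTION%% *}"
}

# is_ipv4 ADDR
# Accepts only a dotted quad with each octet 0-255; anything else (IPv6, a
# hostname, trailing garbage) is rejected so it never reaches the jail file.
is_ipv4() {
  echo "$1" | awk -F. 'NF == 4 {
      for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
      exit 0
    }
    { exit 1 }'
}

# render_sshd_jail ADDR
# Prints the jail from Step 2 with an ignoreip line added. Loopback stays in
# the list so local tooling can never be banned either.
render_sshd_jail() {
  cat <<EOF
[sshd]
enabled = true
backend = systemd
ignoreip = 127.0.0.1/8 ::1 $1
maxretry = 3
findtime = 10m
bantime = 1h
bantime.increment = true
bantime.factor = 4
EOF
}

# write_sshd_jail ADDR [CONFDIR]
# Writes CONFDIR/jail.d/sshd.local (CONFDIR defaults to /etc/fail2ban) and
# prints the path. Refuses addresses that are not valid IPv4. After writing
# for real, restart the service so the jail picks up the new file.
write_sshd_jail() {
  addr=$1
  confdir=${2:-/etc/fail2ban}
  is_ipv4 "$addr" || { echo "refusing to write invalid address: $addr" >&2; return 1; }
  mkdir -p "$confdir/jail.d"
  render_sshd_jail "$addr" > "$confdir/jail.d/sshd.local"
  printf '%s\n' "$confdir/jail.d/sshd.local"
}

# Demo: on a real server run `sudo sh -c '. ./this.sh; write_sshd_jail "$(my_ssh_client_ip)"'`.
# Here a documentation address stands in when there is no SSH session, and a
# scratch directory stands in for /etc/fail2ban.
demo_addr=$(my_ssh_client_ip 2>/dev/null || echo 203.0.113.10)
demo_dir=$(mktemp -d)
write_sshd_jail "$demo_addr" "$demo_dir" && cat "$demo_dir/jail.d/sshd.local"
rm -rf "$demo_dir"
```

If your home address changes from time to time, ignoreip will go stale; in that case list your ISP's range or, better, connect through a VPN or bastion with a fixed address and ignore that instead. After editing the real file, confirm the setting took effect with sudo fail2ban-client get sshd ignoreip.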
Conclusion
We have seen how to protect an SSH server from password guessing with Fail2ban: install the package, enable the sshd jail with a short findtime and a low maxretry, start (or restart) the service, check the jail status, and unban yourself if you trip it. With bantime.increment, repeat offenders are locked out for progressively longer, which saves CPU, bandwidth and log noise.
