Note: Fail2Ban can reduce the rate of incorrect authentications attempts but cannot eliminate the risk weak authentication presents.


Installing fail2ban package in Debian:

# apt-get install fail2ban

Check it was properly installed:

# fail2ban-client -h


To configure fail2ban, make a local copy of the jail.conf file in /etc/fail2ban:

# cd /etc/fail2ban
# cp jail.conf jail.local

Edit the file:

# vi jail.local

Set the IPs you want fail2ban to ignore (the list of clients that are not subject to the fail2ban policies), the ban time (in seconds) and maximum number of user attempts:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 3600
maxretry = 3

Jails are the rules which fail2ban apply to a given application/log.

To enable log monitoring for Nginx login attempts, enable the nginx-http-auth jail:


enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
maxretry = 6

For apache:


enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

To tweak or add log filters, see the files in /etc/fail2ban/filter.d.

Restart fail2ban.


To test fail2ban, look at the iptable rules before and after attempting to log in to a service that fail2ban is monitoring from another machine and look at the iptable rules to see if that IP source gets added:

# iptables -L 


To check if an IP is banned (in Nginx):

$ sudo fail2ban-client status nginx-naxsi

To unban an IP address:

$ sudo fail2ban-client set nginx-naxsi unbanip

To see all jails:

$ sudo fail2ban-client status
[sudo] password for nina: 
|- Number of jail:	25
`- Jail list: http-get-dos, nginx-noscript, proftpd, WP-Login-POST, nginx-login, spam-log, wppingback, postfix-sasl, nginx-conn-limit, nginx-proxy, nginx-auth, block-scanners, nginx-naxsi, nginx-badbots, BASH, sshd, pam-generic, named-refused-udp, postfix, WP-Login, ssh-ddos, wordpress, webmin-auth, dovecot, ssh

Note for Apache

Fail2ban scans log files like /var/log/apache/error_log, /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).