Back to tools

Configuration parameters

  • enabled: Enable or disable the jail
  • port: Ports to protect (comma separated)
  • protocol: Protocol (tcp, udp, any)
  • filter: Fail2Ban filter to use
  • logpath: Path to the log file to monitor
  • maxretry: Number of failed attempts before banning
  • findtime: Time window to count attempts (seconds)
  • bantime: Initial ban time (seconds)
  • bantime.increment: Progressively increase ban time
  • ignoreip: IPs that will never be banned

Example jail.local

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
              

Frequently Asked Questions

How to install and configure Fail2Ban to protect SSH on Linux?

Install Fail2Ban with `apt install fail2ban` (Debian/Ubuntu) or `yum install fail2ban` (CentOS/RHEL). The main configuration file is `/etc/fail2ban/jail.conf` but should not be edited directly. Create `/etc/fail2ban/jail.local` with `[sshd] enabled = true port = ssh logpath = %(sshd_log)s maxretry = 5 bantime = 3600 findtime = 600`. Restart with `systemctl restart fail2ban` and verify with `fail2ban-client status sshd`.

What are the recommended bantime, maxretry and findtime values for Fail2Ban?

Recommended Fail2Ban values depend on the service and exposure. For SSH: `maxretry = 5` (failed attempts before banning), `findtime = 600` (time window in seconds, 10 minutes), `bantime = 3600` (ban duration, 1 hour). For Internet-facing services use stricter values: `maxretry = 3`, `bantime = 86400` (24h). Fail2Ban supports `bantime.increment = true` which doubles ban time on each repeat offense.

How to configure Fail2Ban to protect Nginx against brute force attacks?

Fail2Ban includes predefined jails for Nginx. Enable them in `jail.local`: `[nginx-http-auth] enabled = true port = http,https filter = nginx-http-auth logpath = /var/log/nginx/error.log maxretry = 5 bantime = 3600`. To protect against malicious bots add `[nginx-badbots] enabled = true`. For rate limiting: `[nginx-limit-req] enabled = true`. Each jail uses specific filters in `/etc/fail2ban/filter.d/`.

How to configure Fail2Ban to protect Postfix and Dovecot on mail servers?

In `/etc/fail2ban/jail.local` add: `[postfix] enabled = true port = smtp,submission logpath = /var/log/mail.log maxretry = 3 bantime = 86400` and `[dovecot] enabled = true port = imap,imaps,pop3,pop3s logpath = /var/log/mail.log maxretry = 3 bantime = 86400`. The filters detect failed SMTP (AUTH LOGIN/PLAIN) and IMAP/POP3 authentication attempts. Monitor with `fail2ban-client status postfix` and `fail2ban-client status dovecot`.