Unix - Fail2ban and Brute-Force Protection in UNIX/Linux

1. What Is a Brute-Force Attack?

A brute-force attack is a security attack in which an attacker repeatedly tries different usernames and passwords to gain unauthorized access to a system.

Common targets in UNIX/Linux:

  • SSH (port 22)

  • FTP

  • Web login pages

  • Mail servers

Example:

An attacker tries thousands of passwords on SSH until one works.


2. What Is Fail2ban?

Fail2ban is a log-based intrusion prevention tool for UNIX/Linux systems.

It:

  • Monitors system and application log files

  • Detects repeated failed login attempts

  • Automatically blocks the attacker’s IP address using firewall rules

➡️ Fail2ban prevents brute-force attacks by banning malicious IPs.


3. How Fail2ban Works (Step-by-Step)

  1. A user tries to log in (e.g., SSH)

  2. The login fails multiple times

  3. Fail2ban reads log files (like /var/log/auth.log)

  4. If failures exceed a limit:

    • The IP is banned

    • Firewall rule is added (iptables / nftables / firewalld)

  5. After a time period, the IP may be unbanned automatically


4. Fail2ban Architecture

Main Components:

Component    Description
Filters      Define what a failed attempt looks like (regex over log lines)
Jails        Combine filters + actions for one service
Actions      What to do when an attack is detected
Log files    Source of failed login data

5. Important Fail2ban Terms

1️⃣ Filter

  • A regex pattern to detect failed login attempts in logs

  • Located in:

    /etc/fail2ban/filter.d/

Example:

Failed password for

2️⃣ Jail

  • A rule set that tells Fail2ban:

    • Which service to protect

    • How many failures allowed

    • Ban duration

Defined in:

/etc/fail2ban/jail.local

3️⃣ Action

  • What happens when an IP is banned

  • Usually firewall blocking

Example actions:

  • iptables

  • nftables

  • firewalld


6. Key Fail2ban Configuration File

jail.local (Important)

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600

Meaning:

  • maxretry = 5 → 5 failed attempts allowed

  • findtime = 600 → within 10 minutes

  • bantime = 3600 → banned for 1 hour
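The jail logic above (filter regex, maxretry within findtime, automatic unban after bantime) in a small Python model, added here as an illustration and not Fail2ban's own code. The regex is a simplified form of the sshd "Failed password for" pattern, the log lines are constructed samples, and the time offsets are assumed to be seconds since the start of the log.

```python
import re
from collections import defaultdict, deque

# Filter: simplified "Failed password for" pattern as seen in auth.log
# (the real filter.d/sshd.conf regex covers more message variants).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

class Jail:
    """Jail semantics: maxretry failures within findtime seconds => ban for bantime seconds."""
    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        until = self.banned.get(ip)
        if until is None:
            return False
        if now >= until:                    # bantime elapsed: automatic unban
            del self.banned[ip]
            return False
        return True

    def process(self, ts, line):
        """Feed one log line seen at time ts; return the IP if this line triggers a ban."""
        m = FAILED_RE.search(line)
        if not m:
            return None                     # filter does not match: not a failed attempt
        ip = m.group("ip")
        if self.is_banned(ip, ts):
            return None                     # already banned; firewall is dropping this client
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:
            window.popleft()                # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return ip
        return None

def fail_line(pid, user, ip):
    return f"Jan 10 12:00:00 host sshd[{pid}]: Failed password for {user} from {ip} port 51234 ssh2"

# Constructed sample log: (seconds since start, auth.log-style line). 203.0.113.5 fails fast,
# 198.51.100.7 fails slowly (one attempt every ~700 s), then 203.0.113.5 returns after its ban.
SAMPLE_LOG = [(t, fail_line(2000 + t, "root", "203.0.113.5")) for t in (0, 10, 20, 30, 40, 50)]
SAMPLE_LOG.append((25, "Jan 10 12:00:25 host sshd[2100]: Accepted password for alice from 192.0.2.9 port 40000 ssh2"))
SAMPLE_LOG += [(t, fail_line(3000 + t, "admin", "198.51.100.7")) for t in (100, 800, 1500, 2200, 2900)]
SAMPLE_LOG.append((3700, fail_line(4000, "root", "203.0.113.5")))
SAMPLE_LOG.sort()

def run_jail(entries, **settings):
    """Replay log entries through a jail; return the list of (time, ip) bans issued."""
    jail, bans = Jail(**settings), []
    for ts, line in entries:
        ip = jail.process(ts, line)
        if ip:
            bans.append((ts, ip))
    return bans
```

With the defaults from jail.local the fast attacker is banned on its fifth failure while the slow attacker never accumulates five failures inside one findtime window, which is the "does not stop distributed or slow attacks completely" limitation in practice.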


7. Installing Fail2ban (UNIX/Linux)

On Debian/Ubuntu:

sudo apt install fail2ban

On RHEL/CentOS:

sudo yum install fail2ban

Start service:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

8. Checking Fail2ban Status

Overall status:

sudo fail2ban-client status

SSH jail status:

sudo fail2ban-client status sshd

Output includes:

  • Currently banned IPs

  • Total failures

  • Jail status


9. Manual Ban and Unban

Ban IP manually:

sudo fail2ban-client set sshd banip 192.168.1.10

Unban IP:

sudo fail2ban-client set sshd unbanip 192.168.1.10

10. How Fail2ban Blocks IPs

Fail2ban integrates with:

  • iptables

  • nftables

  • firewalld

Example (iptables rule):

iptables -A INPUT -s <IP> -j DROP

11. Advantages of Fail2ban

  • Automatic brute-force protection

  • Low system overhead

  • Works with many services (SSH, FTP, Apache, Nginx)

  • Highly configurable

  • Open-source


12. Limitations of Fail2ban

  • Only blocks after failed attempts

  • Does not stop distributed attacks completely

  • Needs correct log configuration

  • Depends on log accuracy


13. Other Brute-Force Protection Methods in UNIX