How to Configure Fail2Ban Jails for SSH, Nginx and Apache
In this tutorial, you'll learn how to configure Fail2Ban jails for SSH, Nginx and Apache. We cover key concepts, practical examples, and best practices.
The Problem
Your server is under brute-force attack on SSH, Nginx, or Apache, and you need Fail2Ban to automatically block repeated failed login attempts and malicious requests.
Quick Fix
Enable the SSH Jail
# Creates jail.local (tee without -a replaces any existing file)
sudo tee /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
EOF
sudo systemctl restart fail2ban
# (no output)
The SSH jail monitors /var/log/auth.log for failed authentication attempts. After 5 failed attempts (maxretry), the source IP is banned for 1 hour (bantime = 3600 seconds).
Enable the Nginx Jail
sudo tee -a /etc/fail2ban/jail.local << 'EOF'
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600
findtime = 600
EOF
sudo systemctl restart fail2ban
# (no output)
The nginx-http-auth filter detects HTTP 401 errors caused by failed basic authentication. Use nginx-botsearch to block scanners hitting non-existent URLs.
Enable the Apache Jail
sudo tee -a /etc/fail2ban/jail.local << 'EOF'
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 7200
findtime = 600
EOF
sudo systemctl restart fail2ban
The apache-auth jail blocks IPs after 3 failed authentication attempts within 10 minutes (findtime). Apache's error log path may differ on RHEL-based systems (/var/log/httpd/).
Check Jail Status and Unban IPs
sudo fail2ban-client status sshd
# Status for the jail: sshd
# |- Filter
# | |- Currently failed: 0
# | |- Total failed: 23
# | `- File list: /var/log/auth.log
# `- Actions
# |- Currently banned: 1
# |- Total banned: 12
# `- Banned IP list: 192.168.1.100
sudo fail2ban-client set sshd unbanip 192.168.1.100
# 1
Use fail2ban-client status <jail> to see banned IPs. Use unbanip to manually unblock a legitimate IP that was banned.
Test Jail Filters with fail2ban-regex
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# Running tests
# ===== Results =====
# Failregex: 15 total
# Ignoreregex: 0 total
# Date template hits: 15
Before enabling a new jail, test its filter regex against your log files with fail2ban-regex. This ensures the filter matches the actual log format on your system, avoiding false negatives or positives.
Additional Troubleshooting
# Check the error message and stack trace for more context
echo "Review the full error output to identify the root cause"
If the above steps do not resolve the issue, examine the complete error message and stack trace. Often the key detail is in the middle of the traceback rather than the final line. Search for the error message in the project documentation or issue tracker for additional solutions.
Prevention
- Always configure a jail.local file; never edit jail.conf directly (it gets overwritten on upgrades)
- Set bantime to a reasonable value (1 hour for most cases, permanent for aggressive scanners)
- Add your own IP to ignoreip in jail.local to avoid locking yourself out
- Test with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf before enabling a jail
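A pre-restart check for the jail.local built in this tutorial, added here as an example (it is not part of Fail2Ban or of the original tutorial). It flags sections appended twice by repeated tee -a runs, enabled jails with no ignoreip, and literal logpath values that cannot be read, such as the Debian Apache path on a RHEL-based system. The function name audit_jails and the demo file are assumptions made for illustration; only the one file is read, so values inherited from jail.conf are not seen.

```sh
# audit_jails FILE: added example, not part of Fail2Ban. Prints one finding
# per line and returns 1 if any. Reads only FILE; jail.conf is not merged.
audit_jails() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # A jail falls back to [DEFAULT] for any key it does not set itself.
    function get(jail, key) {
      if ((jail, key) in conf) return conf[jail, key]
      return (("DEFAULT", key) in conf) ? conf["DEFAULT", key] : ""
    }
    function finding(msg) { print msg; bad = 1 }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                      # [section] header
      sec = trim($0); sec = substr(sec, 2, length(sec) - 2)
      if (++count[sec] == 1) order[++n] = sec
      next
    }
    sec != "" && (i = index($0, "=")) {           # key = value
      conf[sec, trim(substr($0, 1, i - 1))] = trim(substr($0, i + 1))
    }
    END {
      for (j = 1; j <= n; j++) {
        jail = order[j]
        if (count[jail] > 1)
          finding(jail ": section appears " count[jail] " times (tee -a run twice?)")
        # Only "enabled = true", the spelling used in this tutorial, is checked.
        if (jail == "DEFAULT" || get(jail, "enabled") != "true") continue
        if (get(jail, "ignoreip") == "")
          finding(jail ": no ignoreip here or in [DEFAULT]")
        path = get(jail, "logpath")
        if (path == "" || path ~ /%\(/) continue  # inherited or interpolated
        if ((getline first < path) < 0)
          finding(jail ": logpath " path " is not readable")
        close(path)
      }
      exit bad + 0
    }
  ' "$1"
}
# Demo on a constructed jail.local when no path is given.
if [ "$#" -eq 0 ]; then
  demo=$(mktemp "${TMPDIR:-/tmp}/jail.XXXXXX")
  printf '%s\n' '[sshd]' 'enabled = true' 'logpath = /nonexistent/auth.log' \
    '[sshd]' 'maxretry = 5' > "$demo"
  audit_jails "$demo" || true
  rm -f "$demo"
else
  audit_jails "$1"
fi
```

Run it as audit_jails /etc/fail2ban/jail.local before sudo systemctl restart fail2ban; an empty result with exit status 0 means none of the three checks fired.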