How to Configure Fail2Ban Jails for SSH, Nginx and Apache

DodaTech 2 min read

This tutorial shows how to configure Fail2Ban jails for SSH, Nginx and Apache. It covers key concepts, practical examples, and best practices.

The Problem

Your server is under brute-force attack on SSH, Nginx, or Apache, and you need Fail2Ban to automatically block repeated failed login attempts and malicious requests.

Quick Fix

Enable the SSH Jail

# tee without -a replaces any existing jail.local; the later sections append with tee -a
sudo tee /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
EOF
sudo systemctl restart fail2ban
# (no output)

The SSH jail monitors /var/log/auth.log for failed authentication attempts. After 5 retries (maxretry), the IP is banned for 1 hour (bantime).

Enable the Nginx Jail

sudo tee -a /etc/fail2ban/jail.local << 'EOF'
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600
findtime = 600
EOF
sudo systemctl restart fail2ban
# (no output)

The nginx-http-auth filter detects HTTP 401 errors caused by failed basic authentication. Use nginx-botsearch to block scanners hitting non-existent URLs.

Enable the Apache Jail

sudo tee -a /etc/fail2ban/jail.local << 'EOF'
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 7200
findtime = 600
EOF
sudo systemctl restart fail2ban

The apache-auth jail blocks IPs after 3 failed authentication attempts within 10 minutes (findtime). Apache's error log path may differ on RHEL-based systems (/var/log/httpd/).
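To see how maxretry and findtime interact, the following added example (not Fail2Ban's own code, and not part of the original tutorial) replays constructed Apache error-log lines through a simplified sliding-window model using the apache-auth values above, with an ignoreip exemption. The regex, the helper names and the sample lines are assumptions made for illustration; the shipped filter in filter.d/apache-auth.conf is more thorough.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Simplified stand-in for a failregex; not the pattern shipped in apache-auth.conf.
FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
                     r"\[client (?P<ip>[0-9A-Fa-f.:]+):\d+\] AH01617: ")

def _line(hms, ip):
    """Build one constructed Apache 2.4 error-log line for the sample."""
    return (f"[Sun Mar 10 {hms}.000000 2024] [auth_basic:error] [pid 900] "
            f'[client {ip}:50000] AH01617: user admin: authentication failure '
            f'for "/admin": Password Mismatch')

# Constructed sample (documentation-range addresses), in log order.
SAMPLE_LOG = "\n".join(_line(t, ip) for t, ip in [
    ("10:00:00", "203.0.113.7"), ("10:00:00", "198.51.100.9"),
    ("10:00:05", "192.0.2.10"), ("10:00:06", "192.0.2.10"),
    ("10:00:07", "192.0.2.10"), ("10:02:00", "203.0.113.7"),
    ("10:05:00", "203.0.113.7"),   # 3rd failure inside 600 s
    ("10:06:00", "198.51.100.9"),
    ("10:12:00", "198.51.100.9"),  # 3rd failure, but 720 s after the 1st
])

def find_bans(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Return [(ip, ban_time)] for IPs reaching maxretry within findtime seconds."""
    ignored = [ip_network(n) for n in ignoreip]
    windows, banned, bans = defaultdict(deque), set(), []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # line is not an auth failure
        ip = ip_address(m["ip"])
        if ip in banned or any(ip in net for net in ignored):
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        win = windows[ip]
        win.append(ts)
        while (ts - win[0]).total_seconds() > findtime:
            win.popleft()  # drop failures older than findtime
        if len(win) >= maxretry:
            banned.add(ip)
            bans.append((str(ip), ts.strftime("%H:%M:%S")))
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))                              # no ignoreip
    print(find_bans(SAMPLE_LOG, ignoreip=["192.0.2.0/24"]))   # admin range exempt
```

The client at 198.51.100.9 fails three times but is never banned, because its failures are spread over 720 seconds; a slow attacker that stays under maxretry per findtime window is not caught by these settings.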

Check Jail Status and Unban IPs

sudo fail2ban-client status sshd
# Status for the jail: sshd
# |- Filter
# |  |- Currently failed: 0
# |  |- Total failed:     23
# |  `- File list:        /var/log/auth.log
# `- Actions
#    |- Currently banned: 1
#    |- Total banned:     12
#    `- Banned IP list:   192.168.1.100
sudo fail2ban-client set sshd unbanip 192.168.1.100
# 1

Use fail2ban-client status <jail> to see banned IPs. Use unbanip to manually unblock a legitimate IP that was banned.

Test Jail Filters with fail2ban-regex

sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# Running tests
# ===== Results =====
# Failregex: 15 total
# Ignoreregex: 0 total
# Date template hits: 15

Before enabling a new jail, test its filter regex against your log files with fail2ban-regex. This ensures the filter matches the actual log format on your system, avoiding false negatives or positives.

Additional Troubleshooting

# Check the error message and stack trace for more context
echo "Review the full error output to identify the root cause"

If the above steps do not resolve the issue, examine the complete error message and stack trace. Often the key detail is in the middle of the traceback rather than the final line. Search for the error message in the project documentation or issue tracker for additional solutions.

Prevention

  • Always configure a jail.local file — never edit jail.conf directly (it gets overwritten on upgrades)
  • Set bantime to a reasonable value (1 hour for most cases, permanent for aggressive scanners)
  • Add your own IP to ignoreip in jail.local to avoid locking yourself out
  • Test with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf before enabling a jail
