{"id":9239,"date":"2024-03-07T02:47:46","date_gmt":"2024-03-06T23:47:46","guid":{"rendered":"https:\/\/sunucun.com.tr\/bilgi\/?post_type=dt_articles&#038;p=9239"},"modified":"2026-06-05T15:25:57","modified_gmt":"2026-06-05T12:25:57","slug":"how-to-use-fail2ban-for-ssh","status":"publish","type":"post","link":"https:\/\/sunucun.com.tr\/blog\/how-to-use-fail2ban-for-ssh\/","title":{"rendered":"How to Use Fail2Ban for SSH"},"content":{"rendered":"\r\n<p class=\"wp-block-paragraph\">Fail2Ban is an intrusion prevention framework written in Python that protects Linux systems and servers from brute-force attacks. You can set up Fail2Ban to provide brute-force protection for SSH on your server. This ensures that your server is secure from brute-force attacks. It also allows you to monitor the strength of the attacks with regard to the number of authentication attempts that are being made.<\/p>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">Brute-force attacks can be extremely powerful and may result in thousands of failed authentication attempts per day. It is therefore vital to understand how to protect your server from these attacks and how to block IP addresses. Fail2Ban allows you to automate the process of blocking brute-force attacks by limiting the number of failed authentication attempts a user can make before being blocked. 
This is extremely useful for servers that have user accounts that utilize passwords for remote authentication as opposed to SSH key-pair authentication.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Before_You_Begin\"><\/span>Before You Begin<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-style-plain has-text-color has-background has-link-color wp-elements-c1436efb60d425079f47735974e9d29d is-layout-flow wp-block-quote-is-layout-flow\" style=\"color: #000000; background-color: #ffffff;\">\r\n<p class=\"wp-block-paragraph\">Note<\/p>\r\n<cite>This guide uses Ubuntu, but the commands are similar for other systems.<\/cite><\/blockquote>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>Complete the\u00a0Getting Started\u00a0guide.<\/li>\r\n\r\n\r\n\r\n<li>Follow the\u00a0Setting Up and Securing a Compute Instance\u00a0guide to create a standard user account, and harden SSH access, but do not create a basic firewall.<\/li>\r\n\r\n\r\n\r\n<li>Log into your Linode via SSH and update and upgrade.<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo apt update &amp;&amp; sudo apt upgrade\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-style-plain has-text-color has-background has-link-color wp-elements-366724debdb514f5cb03396986802117 is-layout-flow wp-block-quote-is-layout-flow\" style=\"color: #000000; background-color: #ffffff;\">\r\n<p class=\"wp-block-paragraph\">Note<\/p>\r\n<cite>This guide is written for a non-root user. Commands that require elevated privileges are prefixed with\u00a0<code>sudo<\/code>. 
If you\u2019re not familiar with the\u00a0<code>sudo<\/code>\u00a0command, see our\u00a0Users and Groups\u00a0guide.<\/cite><\/blockquote>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Installing_And_Configuring_Fail2Ban\"><\/span>Installing And Configuring Fail2Ban<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">Fail2Ban is free to use and can be installed through most of the popular package managers.<\/p>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>Install Fail2Ban by running the following command:<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo apt-get install fail2ban<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">2. To ensure that Fail2ban runs on system startup, use the following command:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo systemctl enable fail2ban.service<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">After the installation is complete, you can begin configuring Fail2Ban to set up a jail for your SSH server. 
The Fail2Ban configuration files are located in the\u00a0<code>\/etc\/fail2ban<\/code>\u00a0directory, as shown in the output below.<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>\/etc\/fail2ban$ ls -alps\r\ntotal 68\r\n 4 drwxr-xr-x  6 root root  4096 Oct 12 18:21 .\/\r\n 4 drwxr-xr-x 94 root root  4096 Oct 12 18:21 ..\/\r\n 4 drwxr-xr-x  2 root root  4096 Oct 12 18:21 action.d\/\r\n 4 -rw-r--r--  1 root root  2334 Jan 18  2018 fail2ban.conf\r\n 4 drwxr-xr-x  2 root root  4096 Apr  4  2018 fail2ban.d\/\r\n 4 drwxr-xr-x  3 root root  4096 Oct 12 18:21 filter.d\/\r\n24 -rw-r--r--  1 root root 22897 Jan 18  2018 jail.conf\r\n 4 drwxr-xr-x  2 root root  4096 Oct 12 18:21 jail.d\/\r\n 4 -rw-r--r--  1 root root   645 Jan 18  2018 paths-arch.conf\r\n 4 -rw-r--r--  1 root root  2827 Jan 18  2018 paths-common.conf\r\n 4 -rw-r--r--  1 root root   573 Jan 18  2018 paths-debian.conf\r\n 4 -rw-r--r--  1 root root   738 Jan 18  2018 paths-opensuse.conf<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">Fail2Ban uses the default configuration in the\u00a0<code>jail.conf<\/code>\u00a0file. However, it is not recommended to use the default configuration files as they can be overwritten by newer updates to the Fail2Ban package. 
The preferred approach to creating configurations for a particular service is by creating a new configuration file in the\u00a0<code>\/etc\/fail2ban<\/code>\u00a0directory with the\u00a0<code>.local<\/code>\u00a0extension.<\/p>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-style-plain has-text-color has-background has-link-color wp-elements-cc988697e3fe1e45adad4d3d3a50cb22 is-layout-flow wp-block-quote-is-layout-flow\" style=\"color: #000000; background-color: #ffffff;\">\r\n<p class=\"wp-block-paragraph\">Note<\/p>\r\n<cite>A Fail2ban jail is a configuration file that contains filters or arguments that protect your system or a particular service.<\/cite><\/blockquote>\r\n\r\n\r\n\r\n<h2 id=\"creating-ssh-jails-with-fail2ban\" class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Creating_SSH_Jails_With_Fail2Ban\"><\/span>Creating SSH Jails With Fail2Ban<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>Begin by creating a new file within the same directory called\u00a0<code>jail.local<\/code>. You can then add the necessary security configurations for the sshd jail.<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo nano \/etc\/fail2ban\/jail.local\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">2. 
You can explore the options that Fail2Ban provides to customize the security and blocking of the SSH service.<\/p>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">Fail2Ban Configuration Options:<\/p>\r\n\r\n\r\n\r\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\r\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis: 100%;\">\r\n<figure class=\"wp-block-table\">\r\n<table>\r\n<tbody>\r\n<tr>\r\n<td><strong>Configuration<\/strong><\/td>\r\n<td><strong>Function<\/strong><\/td>\r\n<\/tr>\r\n<tr>\r\n<td>enabled<\/td>\r\n<td>Jail status (true\/false) &#8211; This enables or disables the jail<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>port<\/td>\r\n<td>Port specification<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>filter<\/td>\r\n<td>Service-specific filter (log filter)<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>logpath<\/td>\r\n<td>Which log file to monitor<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>maxretry<\/td>\r\n<td>Number of failed attempts allowed before a ban<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>findtime<\/td>\r\n<td>Time window in which failed login attempts are counted<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>bantime<\/td>\r\n<td>Number of seconds an IP is banned for<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>ignoreip<\/td>\r\n<td>IP address to be allowed (never banned)<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">3. With the information in the table above, you can create the\u00a0<code>jail.local<\/code>\u00a0configuration for the OpenSSH server (sshd). 
The values used in this guide are listed in the sample file below.<\/p>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-style-plain has-text-color has-background has-link-color wp-elements-955bc0b7d01e05557f777227904bdf4c is-layout-flow wp-block-quote-is-layout-flow\" style=\"color: #000000; background-color: #ffffff;\">\r\n<p class=\"wp-block-paragraph\">Note<\/p>\r\n<cite>You can customize the Fail2Ban configuration options and values as per your security requirements.<\/cite><\/blockquote>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code># File: \/etc\/fail2ban\/jail.local\r\n# Ban an IP for 3600 seconds after 3 failed attempts within 300 seconds\r\n\r\n[sshd]\r\nenabled = true\r\nport = ssh\r\nfilter = sshd\r\nlogpath = \/var\/log\/auth.log\r\nmaxretry = 3\r\nfindtime = 300\r\nbantime = 3600\r\nignoreip = 127.0.0.1<\/code><\/pre>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-style-plain has-text-color has-background has-link-color wp-elements-22095e27e51e0ea7a63ba80c99456830 is-layout-flow wp-block-quote-is-layout-flow\" style=\"color: #000000; background-color: #ffffff;\">\r\n<p class=\"wp-block-paragraph\">Note<\/p>\r\n<cite>You can disable a Fail2Ban jail by setting the <code>enabled<\/code> option to <code>false<\/code>.<\/cite><\/blockquote>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">4. After you have specified the configuration options and their respective values, save the file and restart the Fail2Ban service with the following command:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo systemctl restart fail2ban.service<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">5. 
After restarting the OpenSSH server service, Fail2Ban uses this new configuration and the jail for the sshd service is active.<\/p>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">6. You can now test this functionality by re-enabling\u00a0<code>PasswordAuthentication<\/code>\u00a0in the OpenSSH configuration file found in\u00a0<code>\/etc\/ssh\/sshd_config<\/code>. Do this by changing the value from\u00a0<code>no<\/code>\u00a0to\u00a0<code>yes<\/code>\u00a0using the text editor of your choice. Make sure these lines are uncommented.<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code># File: \/etc\/ssh\/sshd_config\r\n\r\n# To disable tunneled clear text passwords, change to no here!\r\nPasswordAuthentication yes\r\nPermitEmptyPasswords no<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">This allows users to use passwords for authentication in addition to SSH key-pairs. Fail2Ban automatically detects brute-force attempts on SSH and blocks the users. This greatly improves the security of both password-based authentication and the server, and is useful for user accounts that do not have administrator privileges.<\/p>\r\n\r\n\r\n\r\n<h2 id=\"testing-fail2ban\" class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Testing_Fail2Ban\"><\/span>Testing Fail2Ban<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>To test this, create a new user account, let\u2019s call it\u00a0<code>dev<\/code>.<\/li>\r\n\r\n\r\n\r\n<li>Attempt to log into the\u00a0<code>dev<\/code>\u00a0account with an incorrect password three times.<\/li>\r\n\r\n\r\n\r\n<li>After three failed attempts you are blocked from authentication for an hour.<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>ssh dev@192.168.1.107\r\ndev@192.168.1.107's password:\r\nPermission denied, please try again.\r\ndev@192.168.1.107's password:\r\nPermission denied, please try again.\r\ndev@192.168.1.107's 
password:\r\ndev@192.168.1.107: Permission denied (publickey,password).\r\nssh dev@192.168.1.107\r\ndev@192.168.1.107's password:\r\nPermission denied, please try again.\r\ndev@192.168.1.107's password:\r\nConnection closed by 192.168.1.107 port 22\r\nssh dev@192.168.1.107\r\nssh: connect to host 192.168.1.107 port 22: Connection refused<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">As you can see in the output above, after three consecutive failed attempts Fail2Ban actively blocks the SSH connection: the connection times out and the user is blocked for the specified time. If you try connecting again within the blocked period, you get a \u201cConnection refused\u201d error and are not able to establish an SSH connection to the server.<\/p>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">This demonstrates the power and robust nature of Fail2Ban and how it can be used to create elegant and effective firewalls for services like SSH. You can customize your service jails to meet your security requirements and easily implement new configuration options.<\/p>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">After implementing and testing Fail2Ban, you can now take a look at how to monitor and analyze the various failed authentication attempts and blocked IPs with the Fail2Ban-client.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Monitoring_With_Fail2Ban-Client\"><\/span>Monitoring With Fail2Ban-Client<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">One of Fail2Ban\u2019s greatest advantages is that it allows you to actively monitor all the failed authentication attempts and the various IP addresses that have been blocked. 
This information helps you understand the scale of attacks you are facing and the geolocation of the attacks by analyzing the origins of the IP addresses.<\/p>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>You can use the Fail2Ban-client tool to check the status of Fail2Ban and the active jails. This can be done by running the following command:<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client status<\/code><\/pre>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>Status\r\n|- Number of jail:\t1\r\n`- Jail list:\tsshd<\/code><\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">As shown in the output above, the active jail list is displayed with the names of the respective jails. In the case above you can see that the sshd jail is active.<\/p>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">2. To view the status and information regarding a particular jail like sshd, you can use the following command:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client status sshd<\/code><\/pre>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>Status for the jail: sshd\r\n|- Filter\r\n|  |- Currently failed:\t1\r\n|  |- Total failed:\t4\r\n|  `- File list:\t\/var\/log\/auth.log\r\n`- Actions\r\n   |- Currently banned:\t1\r\n   |- Total banned:\t1\r\n   `- Banned IP list:\t192.168.1.101<\/code><\/pre>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>The output above shows you the status and information regarding the sshd jail. You can see that you have four total failed authentication attempts and one banned IP address. This is helpful as it can alert you to potential targeted attacks.<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\">You have successfully been able to set up, implement, test, and analyze Fail2Ban for brute-force protection. 
You have completed setting up your remote authentication security.<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>Fail2Ban is an intrusion prevention framework written in Python that protects Linux systems and servers from brute-force attacks. You can set up Fail2Ban to provide brute-force protection for SSH on your server. This ensures that your server is secure from brute-force attacks. It also allows you to monitor the strength of the attacks with regard to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":9248,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1519],"tags":[],"class_list":["post-9239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sanal-sunucu"],"_links":{"self":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts\/9239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=9239"}],"version-history":[{"count":1,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts\/9239\/revisions"}],"predecessor-version":[{"id":21301,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts\/9239\/revisions\/21301"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/media\/9248"}],"wp:attachment":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=9239"}],"wp:term":[{"taxonomy":"categ
ory","embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=9239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=9239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}