Thursday, 9 July 2026

What is fail2ban tool in linux ?

Fail2ban is a highly popular, open-source security tool in Linux that works hand-in-hand with your firewall (like UFW) and your SSH daemon (sshd) to protect your server from brute-force attacks. 

If your server has an open SSH port, automated bots across the internet will constantly attempt to guess your passwords. Fail2ban stops them automatically. 

How Fail2ban Works

  1. Log Monitoring: It constantly scans system log files (like /var/log/auth.log for SSH logins) looking for suspicious activity. 
  2. Detection: It counts automated patterns, such as multiple failed login attempts from the exact same IP address within a short time frame.
  3. Action (The "Ban"): Once an IP address hits a specified threshold (e.g., 5 failed attempts), Fail2ban automatically updates your firewall (UFW/iptables) rules to completely block that IP address for a set period of time. 

Essential Fail2ban Commands

For example, if you are working with Ubuntu, here are the most critical commands to install, manage, and monitor Fail2ban.

1. Installation & Service Management

Fail2ban does not come pre-installed on Ubuntu by default. You can install it using: 
sudo apt update
sudo apt install fail2ban -y
Once installed, manage its background service just like sshd: 
sudo systemctl status fail2ban    # Check if it's running
sudo systemctl restart fail2ban   # Restart after changing settings

2. Checking the Status (The Control Center)

Fail2ban organizes its protection rules into profiles called "Jails" (e.g., an sshd jail, an apache jail, etc.). You interact with them using the fail2ban-client command. 
  • See active protection modules (jails):
    sudo fail2ban-client status
    
  • See stats for a specific jail (e.g., SSH):
    This command shows you exactly how many times bots have tried to attack you, and lists the IP addresses currently locked out.
    sudo fail2ban-client status sshd
    

3. Banning and Unbanning IPs Manually

Sometimes you might accidentally lock yourself out of your own server by typing your password wrong too many times, or you might want to manually ban a malicious IP address. How to unban an IP address (Rescue yourself):
  • sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
    
  • How to manually ban an IP address:
    sudo fail2ban-client set sshd banip <IP_ADDRESS>
    


How to Configure Fail2ban Securely

Never edit the default configuration file directly (/etc/fail2ban/jail.conf), because system updates will overwrite your changes. Instead, create a local copy: 
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open that new file using a text editor like nano: 
sudo nano /etc/fail2ban/jail.local
Look for the [DEFAULT] section to adjust your core thresholds:
  • ignoreip: Add your home or office IP address here (separated by spaces) so Fail2ban never accidentally bans you.
  • bantime: How long an IP stays blocked (e.g., 10m for 10 minutes, or 1d for a whole day).
  • findtime: The time window for mistakes (e.g., if a user fails maxretry times within 10m, ban them).
  • maxretry: The number of failed attempts allowed before the ban triggers (usually set between 3 and 5).

What is sshd in linux/unix environment ?

In Linux & Networking: Secure Shell Daemon

In computer networks and Linux/Unix systems, sshd is a crucial background software program:
  • What it does: The letters stand for Secure Shell daemon (in Linux, a "daemon" is simply a background process).
  • How it works: It runs continuously on a server, listening for incoming network connections via the Secure Shell (SSH) Protocol.
  • Purpose: When you want to securely log into your server or transfer files from a remote location, sshd is the program that catches your request, handles user authentication, and encrypts the entire communication tunnel.

Managing the sshd Service

On modern Linux distributions (such as Ubuntu, Debian, CentOS, RHEL, and Fedora), you manage the background process using systemctl. You will need root or sudo privileges to run these.
  • Check the service status: See if the daemon is currently running, stopped, or experiencing errors.
  • sudo systemctl status sshd
  • Start the service: Turn the SSH server on
    • sudo systemctl start sshd
  • Stop the service: Turn the SSH server off (Warning: This will disconnect active remote sessions once they close and prevent new ones).

    • sudo systemctl stop sshd


  • Reload the service: Applies configuration changes without dropping active user connections (safer than a full restart).

    • sudo systemctl reload sshd

  • Enable on boot: Ensure that sshd automatically starts up whenever the server reboots.

    • sudo systemctl enable sshd

  • Disable on boot: Prevents the SSH server from launching automatically when the system starts.
                sudo systemctl disable sshd

Testing Configuration Files


Before you restart your SSH server after making changes, you should always test your configuration file for syntax errors. If there is a typo, the server won't start, and you could get locked out.

Test syntax: Run the daemon in test mode. If it returns no output, your configuration is valid.

                    sudo sshd -t

Extended test mode: Checks the validity of the configuration file, prints the effective configuration options, and then exits.

                    sudo sshd -T

Locating Important Files


While these aren't execution commands, these file paths are critical when working with sshd:
  • Main Configuration File: /etc/ssh/sshd_config (Where you change ports, disable root logins, or configure key authentication).
  • System Logs: /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (RHEL/CentOS). You can view unauthorized access attempts here using:
               sudo tail -f /var/log/auth.log

Checking Active Connections


  •     If you want to see who is currently connected to your server via sshd, you can use network monitoring tools:
                ps aux | grep sshd
  • See active network connections on the SSH port (usually 22):
                sudo ss -tulpn | grep sshd