Fail2ban SSH Protection on RHEL9: Installation and Configuration Guide
Fail2ban is an essential security tool that helps protect your Linux server from brute force attacks and automated bot spam targeting SSH and other services. By monitoring log files and automatically banning IP addresses that show signs of malicious activity, fail2ban acts as an intrusion prevention system that significantly enhances your server’s security posture.
Installation
# Install fail2ban and firewalld integration
dnf install fail2ban fail2ban-firewalld
# Enable and start the service
systemctl enable fail2ban --now
Basic Configuration
1. Create Local Configuration Files
Never edit the default configuration files directly. Instead, create local copies that won’t be overwritten during updates:
# Create local jail configuration
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# On firewalld systems, rename the packaged firewalld drop-in so package updates do not overwrite it
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
2. Configure Global Settings
Edit the main configuration file:
vim /etc/fail2ban/jail.local
Key settings to modify in the [DEFAULT] section:
# Ban duration
bantime = 6h
# Time window to count failures
findtime = 1h
# Number of failures before ban
maxretry = 5
# Ignore local/trusted IPs (add your management IPs here; 192.168.1.0/24 is an example range)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
# Backend for log monitoring
backend = auto
3. Configure Firewalld Integration
If using firewalld (default on RHEL-based systems), ensure the firewalld action is set in /etc/fail2ban/jail.d/00-firewalld.local:
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
4. Configure SSH-Specific Settings
Create a dedicated SSH jail configuration:
vim /etc/fail2ban/jail.d/sshd.local
Add the following configuration:
[sshd]
enabled = true
# Override the [DEFAULT] values for the sshd jail only
bantime = 1d
maxretry = 5
Starting and Testing Fail2ban
1. Restart the Service
systemctl restart fail2ban
2. Verify Configuration
Check that fail2ban is running and the SSH jail is active:
# Check service status
systemctl status fail2ban
# List active jails
fail2ban-client status
# Check SSH jail specifically
fail2ban-client status sshd
# Verify SSH jail settings
fail2ban-client get sshd maxretry
fail2ban-client get sshd bantime
fail2ban-client get sshd findtime
3. Check Firewall Rules
Verify that fail2ban is creating firewall rules to block banned IPs:
# List all firewalld rich rules created by fail2ban
firewall-cmd --list-rich-rules
When fail2ban has banned IPs, you’ll see rich rules like this:
[user@test ~]$ firewall-cmd --list-rich-rules
rule family="ipv4" source address="103.23.199.119" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="78.159.98.70" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="213.55.85.202" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="193.24.211.3" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="178.185.136.57" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="45.159.113.249" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="103.114.246.37" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
...
Each rule represents a banned IP address that fail2ban has automatically blocked from accessing SSH. The reject type="icmp-port-unreachable" response helps mask your server’s presence from attackers.
Conclusion
Fail2ban is an essential component of a comprehensive server security strategy. By automatically blocking IP addresses that exhibit suspicious behavior, it significantly reduces the risk of successful brute force attacks against your SSH service.