
How To Install Fail2Ban on Rocky Linux 10


In this tutorial, we will show you how to install Fail2Ban on Rocky Linux 10. Server security remains a critical concern for system administrators managing Linux infrastructure. Brute force attacks targeting SSH services pose significant threats to server integrity, making intrusion prevention systems essential components of any robust security strategy. Fail2Ban emerges as one of the most effective solutions for protecting Rocky Linux 10 servers against malicious login attempts and unauthorized access.

This comprehensive guide walks you through the complete installation and configuration process of Fail2Ban on Rocky Linux 10. Whether you’re securing a production server or hardening a development environment, implementing Fail2Ban provides an additional layer of protection that automatically blocks suspicious IP addresses based on predefined criteria.

By following this tutorial, you’ll establish a powerful defense mechanism that monitors log files, detects failed authentication attempts, and automatically implements firewall rules to ban offending IP addresses. The integration with Rocky Linux 10’s native firewalld service ensures seamless operation while maintaining system performance and reliability.


Understanding Fail2Ban

Fail2Ban operates as a sophisticated intrusion prevention framework designed specifically for Linux systems. The software continuously monitors system logs, particularly authentication logs, searching for patterns that indicate malicious activity or brute force attacks.

The architecture consists of several key components working in harmony. The main daemon service runs continuously in the background, analyzing log entries through configurable filters that define what constitutes suspicious behavior. When predetermined thresholds are exceeded, Fail2Ban triggers actions that typically involve blocking the offending IP address through firewall manipulation.

Core Components Explained:

  • Jails: Configuration containers that define protection rules for specific services
  • Filters: Pattern matching rules that identify suspicious log entries
  • Actions: Response mechanisms executed when violations occur
  • Backends: Log monitoring methods used to track file changes

On Rocky Linux 10 the packet-filter ruleset belongs to firewalld (with its nftables backend), so Fail2Ban's firewallcmd actions apply bans as firewalld rich rules through firewall-cmd instead of calling iptables directly. That keeps bans visible with the same tooling as the rest of the policy and avoids two programs fighting over one ruleset, which is what happens when iptables rules are inserted behind firewalld's back.

Prerequisites and System Requirements

Before beginning the Fail2Ban installation process, ensure your Rocky Linux 10 system meets the necessary requirements and has essential services properly configured.

Essential System Requirements:

  • Rocky Linux 10 server with administrative access
  • Active internet connection for package downloads
  • Firewalld service installed and operational
  • Basic command-line interface familiarity
  • SSH service running (for testing purposes)

Recommended Setup:

Access to a secondary system proves invaluable for testing ban functionality without accidentally locking yourself out of the primary server. This testing environment allows safe verification of Fail2Ban operations and configuration adjustments.

Understanding fundamental Linux service management concepts enhances your ability to troubleshoot potential issues and optimize configurations according to specific security requirements.

Step 1: Preparing the System Environment

System preparation involves ensuring firewalld operates correctly and all packages remain current. Rocky Linux 10 typically includes firewalld by default, but verification prevents configuration conflicts later in the process.

Starting and Enabling Firewalld:

sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo systemctl status firewalld

The status command output should display “active (running)” indicating proper service operation. If firewalld appears inactive, the start command activates it immediately while the enable command ensures automatic startup during system boot.

Verifying Current Firewall Configuration:

sudo firewall-cmd --list-all
sudo firewall-cmd --get-active-zones

These commands display current firewall rules and active zones, providing baseline information for later comparison after Fail2Ban installation. Understanding existing configurations helps identify potential conflicts and ensures proper integration.

Updating System Packages:

sudo dnf update -y
sudo dnf clean all

Maintaining current package versions ensures compatibility and incorporates latest security patches. The clean command removes cached package data, freeing disk space and preventing potential repository conflicts.

Step 2: Installing EPEL Repository

The Extra Packages for Enterprise Linux (EPEL) repository contains Fail2Ban packages not included in Rocky Linux 10’s default repositories. Installing EPEL expands available software options while maintaining compatibility with the base system.

Installing EPEL Repository:

sudo dnf install epel-release -y
sudo dnf repolist

The repolist command confirms successful EPEL installation by displaying all configured repositories. Look for entries containing “epel” to verify proper configuration.

Verifying EPEL Configuration:

sudo dnf search fail2ban

This search returns the Fail2Ban packages if EPEL was added successfully. EPEL splits the software into several packages, among them fail2ban (a metapackage), fail2ban-server and fail2ban-firewalld, so expect more than one hit.

EPEL's policy is to never replace or conflict with packages from the base repositories, so no priority plugin is needed for it to coexist with Rocky Linux 10's own repositories; if the same package ever shows up in both, a third-party repository rather than EPEL is the likely cause.

Step 3: Installing Fail2Ban Package

With EPEL configured, proceed with installing Fail2Ban and its firewalld integration components. The installation process includes multiple packages ensuring complete functionality.

Installing Core Packages:

sudo dnf install fail2ban fail2ban-firewalld -y

The fail2ban-firewalld package installs /etc/fail2ban/jail.d/00-firewalld.conf, which sets banaction = firewallcmd-rich-rules (and banaction_allports) in the [DEFAULT] section. With that in place every ban is a firewalld rich rule added through firewall-cmd, so no manual firewall configuration is needed and nothing touches iptables chains, which firewalld on Rocky Linux 10 does not use.

Starting and Enabling Services:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban

Service status verification ensures proper installation and identifies potential startup issues. The output should indicate “active (running)” status with recent log entries showing successful initialization.

Verifying Installation:

fail2ban-client --version
fail2ban-client ping

Version information confirms successful installation while the ping command tests basic daemon communication. Both commands should return appropriate responses without error messages.

The installation process creates essential directories and configuration files in /etc/fail2ban/. Understanding this structure facilitates future customization and troubleshooting efforts.

Step 4: Basic Fail2Ban Configuration

Proper configuration represents the most critical aspect of Fail2Ban implementation. The default configuration files require customization to match specific security requirements and system characteristics.

Creating Local Configuration Files:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

Fail2Ban reads jail.conf first and then jail.local, so values in the .local file win and survive package updates, which only ever replace the .conf files. Copying the whole of jail.conf works, but the Fail2Ban maintainers recommend a jail.local that holds only the settings you change: a full copy silently pins every default, including ones a later version fixes. The copy of fail2ban.conf is only needed if you change daemon settings such as loglevel or logtarget.

Configuring Basic Parameters:

sudo nano /etc/fail2ban/jail.local

Locate the [DEFAULT] section and configure essential parameters:

[DEFAULT]
bantime = 1h
findtime = 1h
maxretry = 5
backend = systemd

Parameter Explanations:

  • bantime: Duration IP addresses remain blocked (1 hour = 3600 seconds)
  • findtime: Time window for counting failed attempts
  • maxretry: Maximum failed attempts before triggering a ban
  • backend: how log entries are obtained; systemd reads the journal directly through the filter's journalmatch, so a jail using it ignores logpath (Rocky Linux 10 logs sshd to the journal; /var/log/secure only exists when rsyslog is installed and running)

Configuring Firewalld Integration:

sudo cat /etc/fail2ban/jail.d/00-firewalld.conf

The fail2ban-firewalld package already installs this file, and it sets banaction = firewallcmd-rich-rules under [DEFAULT], so firewalld integration is active as soon as the package is installed; Fail2Ban reads both .conf and .local files in jail.d. Renaming the file to 00-firewalld.local, as some guides suggest, only keeps a package update from rewriting it, and because the update then reinstalls the missing .conf you end up with two copies of the same setting. Leave the file alone unless you need a different banaction, in which case override it in jail.local.

Whitelisting Trusted IP Addresses:

Add trusted IP addresses to prevent accidental blocking:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

Replace the example network ranges with your actual trusted networks, including management workstations and monitoring systems.

Step 5: Creating SSH Protection Jail

SSH represents the most common attack vector for Linux servers, making dedicated protection essential. Creating a specific SSH jail provides targeted security with customizable parameters.

Creating SSH Jail Configuration:

sudo nano /etc/fail2ban/jail.d/sshd.local

SSH Jail Configuration:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 1d
findtime = 1h
backend = systemd

Optional Additions:

The same jail can also send an e-mail for every ban. Append these lines to the [sshd] section (destemail, sender and mta are taken from the [DEFAULT] section, see Email Notification Configuration below; a working mail transfer agent is required):

# Ban, then mail a report with whois data and the matching log lines
action = %(action_mwl)s
# User-Agent string presented by HTTP-based actions, not a ban message;
# this is already the default and can be omitted
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

The configuration creates a dedicated jail monitoring SSH login attempts. Three failed authentication attempts from one address within an hour trigger a 24-hour ban of that address on the SSH port. If sshd listens on a non-standard port, set port = to that number: port = ssh resolves to 22 through /etc/services, and a rich rule rejecting port 22 does nothing against an attacker hitting the real port.

Restarting Services:

sudo systemctl restart fail2ban
sudo systemctl status fail2ban

Service restart applies new configurations while status verification ensures proper operation. Error messages during restart indicate configuration problems requiring investigation.

Step 6: Testing and Verification

Thorough testing validates Fail2Ban functionality and ensures proper integration with system components. Testing procedures help identify configuration issues before deploying to production environments.

Monitoring Service Status:

sudo fail2ban-client status
sudo fail2ban-client status sshd

These commands display active jails and their current statistics. The output includes information about banned IP addresses, failed attempts, and filter status.

Testing SSH Protection:

From a secondary system whose address is not listed in ignoreip (never from the workstation you administer the server with), attempt SSH logins with a wrong password:

ssh wronguser@your-server-ip

After three failed password attempts the connecting address is banned. The attempts do not need separate connections: sshd allows several password tries per session, so a single ssh invocation is usually enough. Watch the decision as it happens:

sudo tail -f /var/log/fail2ban.log

Verifying Firewall Rules:

sudo firewall-cmd --list-rich-rules
sudo firewall-cmd --list-all

A banned address appears as a rich rule that rejects the source address on the protected port, confirming that the firewallcmd-rich-rules action is talking to firewalld. These are runtime rules, not permanent ones, which is intended: they expire with the ban. Do not look for them with iptables -L; firewalld on Rocky Linux 10 uses the nftables backend, and iptables is not even installed by default.

Manual IP Management:

sudo fail2ban-client unban 192.168.1.100
sudo fail2ban-client set sshd banip 192.168.1.200

Manual unbanning proves useful for testing purposes or correcting accidental blocks. The banip command allows manual IP address blocking without waiting for automated triggers.

Advanced Configuration Options

Extended configuration options provide enhanced security coverage and customization capabilities for complex environments. Advanced setups often include multiple service protections and custom filtering rules.

Web Server Protection:

sudo nano /etc/fail2ban/jail.d/apache.local

Apache/Nginx Jail Configuration (enable only the jail for the web server actually installed; a jail whose logpath does not exist fails to start and Fail2Ban logs an error for it):

[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/error_log
maxretry = 3
bantime = 1d

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 1d

Custom Filter Creation:

Create custom filters for application-specific threats:

sudo nano /etc/fail2ban/filter.d/custom-app.conf

Custom Filter Example:

[Definition]
# Combined-format access log: the request field reads "POST /login HTTP/1.1",
# so the method and path must be followed by [^"]* before the closing quote
failregex = ^<HOST> -.*"POST /login[^"]*" 401\b
ignoreregex =

A jail in jail.d that uses this filter needs filter = custom-app and a logpath pointing at the access log, not the error log. Before enabling it, run the fail2ban-regex tool against a real log file with the filter: it prints how many lines matched, and a regex that matches nothing is the most common reason a custom jail never bans anyone.
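To make the parameters from Basic Fail2Ban Configuration (findtime, maxretry, ignoreip) and the custom filter above concrete, here is an added example written for this page, not code from the Fail2Ban project: a miniature jail in Python (the language Fail2Ban itself is written in) that expands <HOST> the way Fail2Ban does, runs a failregex over constructed combined-format access log lines, and applies the sliding findtime window, maxretry and the ignoreip list from this tutorial. It also shows that the page's original failregex, written for a request field without the HTTP version, matches nothing on such a log. The log lines and the addresses in them are constructed for the demo.

```python
"""Added example, not fail2ban's own code: a miniature jail that shows how
failregex, findtime, maxretry and ignoreip interact. Log lines are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# fail2ban's <HOST> placeholder: an IPv4/IPv6 address or hostname, optionally
# prefixed by the IPv4-mapped IPv6 marker (::ffff:); the group is named "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The custom filter as the page first wrote it, and the corrected version. In a
# combined-format access log the request field is "POST /login HTTP/1.1", so a
# literal "POST /login" followed directly by a quote can never match.
PAGE_FAILREGEX = r'^<HOST> .* "POST /login" 401'
FIXED_FAILREGEX = r'^<HOST> -.*"POST /login[^"]*" 401\b'

# Constructed combined-format access log (assumed sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jun/2025:12:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
192.168.1.50 - - [10/Jun/2025:12:00:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:12:00:10 +0000] "GET /login HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jun/2025:12:00:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
198.51.100.9 - - [10/Jun/2025:12:00:20 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32"
192.168.1.50 - - [10/Jun/2025:12:00:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jun/2025:12:00:31 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:12:11:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32"
198.51.100.9 - - [10/Jun/2025:12:11:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32"
"""


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def log_timestamp(line):
    """Parse the [dd/Mon/yyyy:HH:MM:SS zone] field of a combined-format line."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


class MiniJail:
    """Count failregex hits per host inside a sliding findtime window and ban
    the host once maxretry hits fall inside that window."""

    def __init__(self, failregex, findtime, maxretry, ignoreip=()):
        self.failregex = compile_failregex(failregex)
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = {}  # host -> timestamps of failures still inside findtime
        self.banned = []    # hosts banned, in ban order

    def is_ignored(self, host):
        """True if host lies inside any ignoreip network (hostnames never do)."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the host if this line triggered a ban."""
        match = self.failregex.search(line)
        if match is None:
            return None
        host = match.group("host")
        if self.is_ignored(host) or host in self.banned:
            return None
        now = log_timestamp(line)
        # Forget failures older than findtime, then record this one.
        recent = [t for t in self.failures.get(host, []) if now - t <= self.findtime]
        recent.append(now)
        self.failures[host] = recent
        if len(recent) >= self.maxretry:
            self.banned.append(host)
            return host
        return None


def count_matches(failregex):
    """How many sample lines the failregex matches (what fail2ban-regex reports)."""
    pattern = compile_failregex(failregex)
    return sum(1 for line in SAMPLE_LOG.splitlines() if pattern.search(line))


def run_demo(failregex, findtime=600, maxretry=3):
    """Run the sample log through a jail using this tutorial's ignoreip list."""
    jail = MiniJail(failregex, findtime, maxretry,
                    ignoreip=["127.0.0.1/8", "::1", "192.168.1.0/24"])
    for line in SAMPLE_LOG.splitlines():
        banned = jail.feed(line)
        if banned:
            print(f"ban {banned}: {maxretry} failures within {findtime}s")
    return jail.banned


if __name__ == "__main__":
    print("page regex matches:", count_matches(PAGE_FAILREGEX))    # 0
    print("fixed regex matches:", count_matches(FIXED_FAILREGEX))  # 9
    print("banned:", run_demo(FIXED_FAILREGEX))                    # ['203.0.113.7']
```

Three things are visible in the run: the original regex matches none of the lines, so a jail built on it would never ban anyone; 192.168.1.50 fails three times but is inside ignoreip and is never counted; and 198.51.100.9 fails three times in total but its first failure falls outside the 600-second findtime window when the third arrives, so it is not banned either. Only 203.0.113.7, with three matches inside the window, is banned (the GET with status 200 in between is not a match and does not count).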

Email Notification Configuration:

[DEFAULT]
destemail = admin@yourdomain.com
sendername = Fail2Ban-Server
mta = sendmail
action = %(action_mwl)s

Email notifications give a per-ban alert and let you react to persistent sources. action_mwl mails a report with whois output and the matching log lines, which needs the whois package and a working sendmail binary (on Rocky Linux 10 provided by postfix); without a mail transfer agent the mail step fails while the ban itself still applies. Setting action in [DEFAULT] changes it for every jail, so a noisy service produces one message per ban.

Monitoring and Management

Effective Fail2Ban management requires ongoing monitoring and maintenance procedures. Regular monitoring identifies trends and potential security issues requiring attention.

Log Analysis Commands:

sudo tail -f /var/log/fail2ban.log
sudo journalctl -u fail2ban -f
sudo fail2ban-client status --all

Daily Monitoring Scripts:

Create automated monitoring scripts for regular status checks:

#!/bin/bash
# Daily Fail2Ban status report. Run as root: fail2ban-client talks to the
# server over a root-owned socket and fails otherwise.
set -euo pipefail
echo "Fail2Ban Status Report - $(date)"
fail2ban-client status
echo "Currently Banned IPs:"
fail2ban-client banned

Performance Monitoring:

sudo fail2ban-client get sshd actions
sudo fail2ban-client get sshd failregex

These commands show the actions configured for a jail and the failregex list its filter compiled, with <HOST> already expanded. The compiled regex is what to compare against a log line you expected to be matched but was not; fail2ban-regex can then test that line against the filter directly.

Configuration Backup:

sudo tar -czf fail2ban-backup-$(date +%Y%m%d).tar.gz /etc/fail2ban/

Regular configuration backups enable quick recovery from configuration errors or system failures.

Troubleshooting Common Issues

Common Fail2Ban issues typically involve configuration errors, log file permissions, or service integration problems. Understanding troubleshooting procedures reduces downtime and improves system reliability.

Service Startup Failures:

sudo systemctl restart fail2ban
sudo journalctl -u fail2ban --no-pager -l

Service logs provide detailed error information for diagnosing startup failures. Common issues include configuration syntax errors and missing dependencies.

Configuration Validation:

sudo fail2ban-client -t

The test parameter validates configuration files without starting services. This command identifies syntax errors and missing components before applying changes.

Log File Permission Issues:

sudo chown root:root /var/log/secure
sudo chmod 600 /var/log/secure

/var/log/secure is owned by root with mode 0600 by default, and that is enough: the Fail2Ban server runs as root. Do not relax the mode to 644, as older guides suggest; that exposes usernames and source addresses from authentication logs to every local account. If the file is missing entirely, rsyslog is not installed or running; with backend = systemd the sshd jail reads the journal instead and does not need the file at all.

Firewall Integration Problems:

sudo systemctl status firewalld
sudo fail2ban-client reload

Firewall service problems affect Fail2Ban’s ability to block IP addresses. Ensuring firewalld operates correctly resolves most integration issues.

Security Best Practices and Optimization

Implementing Fail2Ban effectively requires following established security practices and optimizing configurations for specific environments. Best practices enhance security while maintaining system usability.

Recommended Configuration Values:

  • Production servers: bantime = 1d, maxretry = 3
  • Development environments: bantime = 1h, maxretry = 5
  • High-security environments: bantime = 7d, maxretry = 1 (a single mistyped password locks the source out for a week, so pair this with a complete ignoreip list and out-of-band console access)

Complementary Security Measures:

  • SSH key-based authentication, with PasswordAuthentication no so that a guessed password cannot succeed at all
  • Non-standard SSH ports (update port = in the sshd jail to match, or bans block the wrong port)
  • Regular security updates
  • Intrusion detection systems
  • Network segmentation

Performance Optimization:

[DEFAULT]
backend = systemd
usedns = no
logencoding = auto

backend = systemd reads the journal instead of polling log files. usedns = no tells Fail2Ban not to resolve hostnames that appear in the <HOST> position; modern OpenSSH logs the client IP address, so nothing is lost and no DNS lookup is made per failure (the default, warn, resolves the name and logs a warning each time). logencoding = auto decodes log files using the system locale.

Regular Maintenance Tasks:

  • Weekly log rotation and cleanup
  • Monthly configuration reviews
  • Quarterly security assessments
  • Annual policy updates

Congratulations! You have successfully installed Fail2Ban. Thanks for using this tutorial for installing Fail2Ban on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Fail2Ban website.


r00t
