Back to Blog

Fail2ban: Protect Your Homelab from Brute Force Attacks

Secure your exposed services with Fail2ban. Learn to block brute force attacks, configure jails, and monitor intrusion attempts.

Posted by

Security protection concept

The Constant Attack

The moment you expose any service to the internet, the attacks begin. Bots constantly scan for SSH, attempt password guessing, and probe for vulnerabilities. Fail2ban is your automated defender.

How Fail2ban Works

  • Monitors log files for suspicious patterns
  • Counts failed authentication attempts
  • Bans IP addresses that exceed thresholds
  • Automatically unbans after configured time

Installation

# Ubuntu/Debian
sudo apt update
sudo apt install fail2ban

# Start and enable
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Basic Configuration

Create a local configuration file (never edit the default):

# /etc/fail2ban/jail.local

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = iptables-multiport

# Enable email notifications (optional)
destemail = [email protected]
sender = [email protected]
action = %(action_mwl)s

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 3

Protecting Docker Services

For Docker containers, you need to use iptables with the DOCKER-USER chain:

# /etc/fail2ban/action.d/docker-action.conf

[Definition]
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I DOCKER-USER -j f2b-<name>

actionstop = iptables -D DOCKER-USER -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>

actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP

actionunban = iptables -D f2b-<name> -s <ip> -j DROP

Common Jails

# Vaultwarden
[vaultwarden]
enabled = true
port = http,https
filter = vaultwarden
logpath = /path/to/vaultwarden/vaultwarden.log
maxretry = 3
bantime = 24h

# Nextcloud
[nextcloud]
enabled = true
port = http,https
filter = nextcloud
logpath = /path/to/nextcloud/data/nextcloud.log
maxretry = 3

# Traefik (optional)
[traefik-auth]
enabled = true
port = http,https
filter = traefik-auth
logpath = /path/to/traefik/access.log
maxretry = 5

Useful Commands

# Check status of all jails
sudo fail2ban-client status

# Check specific jail
sudo fail2ban-client status sshd

# Manually ban an IP
sudo fail2ban-client set sshd banip 1.2.3.4

# Manually unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4

# View banned IPs
sudo fail2ban-client get sshd banned

# Test a filter against a log
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Monitoring Attacks

Check your logs to see what Fail2ban is catching:

# View fail2ban log
sudo tail -f /var/log/fail2ban.log

# Count bans by jail
grep "Ban" /var/log/fail2ban.log | awk '{print $6}' | sort | uniq -c

Best Practices

  • Whitelist your IP: Add your home IP to ignoreip to prevent lockouts
  • Start conservative: Short ban times initially, increase as needed
  • Monitor logs: Check regularly for attack patterns
  • Combine with other security: Fail2ban is one layer, not the only layer
  • Use strong passwords: Fail2ban slows attacks, doesn't prevent them

Your Automated Guard

Fail2ban works quietly in the background, banning attackers before they can guess your passwords. It's a must-have for any homelab exposed to the internet.

Continue Reading