Fail2ban: Protect Your Homelab from Brute Force Attacks
Secure your exposed services with Fail2ban. Learn to block brute force attacks, configure jails, and monitor intrusion attempts.
Posted by
Related reading
Homelab Documentation: Wiki.js vs BookStack for Self-Hosted Wikis
Document your homelab setup with self-hosted wikis. Compare Wiki.js and BookStack for creating searchable documentation of your infrastructure and procedures.
Docker Security Scanning: Trivy and Dockle for Safe Containers
Scan your Docker images for vulnerabilities before deploying. Learn to use Trivy and Dockle to secure your self-hosted homelab container infrastructure.
Docker Compose Reverse Proxy: Traefik vs Nginx Proxy Manager
Set up a reverse proxy for your homelab. Compare Traefik and Nginx Proxy Manager for automatic SSL, domain routing, and secure access to self-hosted services.

The Constant Attack
The moment you expose any service to the internet, the attacks begin. Bots constantly scan for SSH, attempt password guessing, and probe for vulnerabilities. Fail2ban is your automated defender.
How Fail2ban Works
- Monitors log files for suspicious patterns
- Counts failed authentication attempts
- Bans IP addresses that exceed thresholds
- Automatically unbans after configured time
Installation
# Ubuntu/Debian sudo apt update sudo apt install fail2ban # Start and enable sudo systemctl start fail2ban sudo systemctl enable fail2ban
Basic Configuration
Create a local configuration file (never edit the default):
# /etc/fail2ban/jail.local [DEFAULT] bantime = 1h findtime = 10m maxretry = 5 banaction = iptables-multiport # Enable email notifications (optional) destemail = [email protected] sender = [email protected] action = %(action_mwl)s [sshd] enabled = true port = ssh logpath = %(sshd_log)s maxretry = 3
Protecting Docker Services
For Docker containers, you need to use iptables with the DOCKER-USER chain:
# /etc/fail2ban/action.d/docker-action.conf
[Definition]
actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN
iptables -I DOCKER-USER -j f2b-<name>
actionstop = iptables -D DOCKER-USER -j f2b-<name>
iptables -F f2b-<name>
iptables -X f2b-<name>
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
actionunban = iptables -D f2b-<name> -s <ip> -j DROPCommon Jails
# Vaultwarden [vaultwarden] enabled = true port = http,https filter = vaultwarden logpath = /path/to/vaultwarden/vaultwarden.log maxretry = 3 bantime = 24h # Nextcloud [nextcloud] enabled = true port = http,https filter = nextcloud logpath = /path/to/nextcloud/data/nextcloud.log maxretry = 3 # Traefik (optional) [traefik-auth] enabled = true port = http,https filter = traefik-auth logpath = /path/to/traefik/access.log maxretry = 5
Useful Commands
# Check status of all jails sudo fail2ban-client status # Check specific jail sudo fail2ban-client status sshd # Manually ban an IP sudo fail2ban-client set sshd banip 1.2.3.4 # Manually unban an IP sudo fail2ban-client set sshd unbanip 1.2.3.4 # View banned IPs sudo fail2ban-client get sshd banned # Test a filter against a log fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Monitoring Attacks
Check your logs to see what Fail2ban is catching:
# View fail2ban log
sudo tail -f /var/log/fail2ban.log
# Count bans by jail
grep "Ban" /var/log/fail2ban.log | awk '{print $6}' | sort | uniq -cBest Practices
- Whitelist your IP: Add your home IP to ignoreip to prevent lockouts
- Start conservative: Short ban times initially, increase as needed
- Monitor logs: Check regularly for attack patterns
- Combine with other security: Fail2ban is one layer, not the only layer
- Use strong passwords: Fail2ban slows attacks, doesn't prevent them
Your Automated Guard
Fail2ban works quietly in the background, banning attackers before they can guess your passwords. It's a must-have for any homelab exposed to the internet.
