How to Install Fail2Ban on CentOS Stream 10: Step-by-Step Guide

Installing Fail2Ban on CentOS Stream 10 is a simple yet powerful step to enhance your server security.

Securing a Linux server is a critical responsibility for system administrators and IT operations engineers. One of the most common threats to public-facing servers is brute-force attacks, especially against services like SSH. This is where Fail2Ban becomes an essential security tool.

Fail2Ban is an open-source intrusion prevention framework that monitors log files and automatically bans IP addresses showing malicious behavior. In this guide, you will learn how to install and configure Fail2Ban on CentOS Stream 10, including basic tuning and best practices for production environments.

What Is Fail2Ban and Why You Need It

Fail2Ban works by:

  • Monitoring system and service logs
  • Detecting repeated failed login attempts
  • Automatically banning offending IP addresses using firewall rules

Key Benefits of Fail2Ban

  • Protects SSH, FTP, web servers, and more
  • Reduces brute-force attack risks
  • Lightweight and easy to configure
  • Highly customizable via filters and jails

For CentOS Stream 10 servers exposed to the internet, Fail2Ban is highly recommended as a first line of defense.

Prerequisites

Before installing Fail2Ban, make sure:

  • You are running CentOS Stream 10
  • You have root or sudo privileges
  • Your system packages are up to date
  • SSH service is enabled and running

Update your system:

sudo dnf update -y

Step 1: Enable Required Repositories

Fail2Ban is not always included in the default CentOS repositories. You need to enable EPEL (Extra Packages for Enterprise Linux).

Install EPEL repository:

sudo dnf install epel-release -y

Verify repository is enabled:

dnf repolist

Step 2: Install Fail2Ban on CentOS Stream 10

Once EPEL is enabled, install Fail2Ban using DNF:

sudo dnf install fail2ban -y

Check the installed version:

fail2ban-client --version

Step 3: Start and Enable Fail2Ban Service

Start the Fail2Ban service:

sudo systemctl start fail2ban

Enable Fail2Ban to start at boot:

sudo systemctl enable fail2ban

Verify service status:

sudo systemctl status fail2ban

You should see the service running without errors.

Step 4: Configure Fail2Ban Properly (Best Practice)

⚠️ Important:
Never modify jail.conf directly. Always use jail.local for custom configurations.

Create a local configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file:

sudo nano /etc/fail2ban/jail.local

Step 5: Configure SSH Protection

Find the [sshd] section and modify it as follows:

[sshd]
enabled = true
port = ssh
# With backend = systemd, Fail2Ban reads the journal and logpath is not used
logpath = %(sshd_log)s
backend = systemd
maxretry = 5
bantime = 3600
findtime = 600

Explanation:

  • maxretry: Number of failed attempts before ban
  • findtime: Time window to count failures (in seconds)
  • bantime: Duration of ban (in seconds)

Save and exit the editor.
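
How maxretry, findtime and bantime interact, shown as an added example that is not part of the original guide and not Fail2Ban's own code: a simplified sliding-window model run over constructed log lines. The regular expression, the ISO timestamp format, the host name and the documentation-range IP addresses are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for this example only; Fail2Ban's shipped sshd filter is broader.
FAILED = re.compile(
    r"^(\S+) \S+ sshd(?:-session)?\[\d+\]: Failed password for .* from (\S+) port \d+")

def simulate(lines, maxretry=5, findtime=600, bantime=3600):
    """Return [(ip, ban_start, ban_end)]; defaults are the jail values from Step 5."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned: the firewall would be dropping this host
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.append((ip, ts, end))
            window.clear()
    return bans

def sample_log():
    """Constructed sample lines (ISO timestamps, documentation IP ranges)."""
    t0 = datetime(2025, 1, 10, 10, 0, 0)
    fail = "{} srv sshd[4242]: Failed password for invalid user admin from {} port 50000 ssh2"
    lines = []
    for i in range(5):
        # 30 s apart: all five failures fall inside one 600 s window
        lines.append(fail.format((t0 + timedelta(seconds=30 * i)).isoformat(), "203.0.113.5"))
        # 200 s apart: never five failures within any 600 s window
        lines.append(fail.format((t0 + timedelta(seconds=200 * i)).isoformat(), "198.51.100.7"))
    lines.append(t0.isoformat() + " srv sshd[4243]: Accepted publickey for ops from 192.0.2.10 port 50001 ssh2")
    return sorted(lines)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    for ip, start, end in simulate(sample_log()):
        print(f"{ip} banned {start.isoformat()} -> {end.isoformat()}")
```

With the Step 5 values only the fast source is banned; the slow source stays under the threshold because its failures are spread over more than findtime, which is the trade-off to weigh when tuning these three settings.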

Step 6: Restart Fail2Ban to Apply Changes

sudo systemctl restart fail2ban

Verify SSH jail status:

sudo fail2ban-client status sshd

Step 7: Check Banned IP Addresses

To list all active jails:

sudo fail2ban-client status

To view banned IPs for SSH:

sudo fail2ban-client status sshd

Step 8: Manually Unban an IP Address (Optional)

If a legitimate IP gets blocked, you can unban it manually:

sudo fail2ban-client set sshd unbanip 192.168.1.100

Step 9: Firewall Integration (firewalld)

CentOS Stream 10 uses firewalld by default. Fail2Ban integrates automatically, but you can verify:

sudo firewall-cmd --list-all

Fail2Ban dynamically creates rules under f2b-* zones.

Step 10: Enable Email Notifications (Optional)

To receive alerts when an IP is banned, edit jail.local:

destemail = admin@example.com
sender = fail2ban@yourdomain.com
mta = sendmail
action = %(action_mwl)s

Make sure a mail service (Postfix or Sendmail) is installed and configured.

Common Fail2Ban Commands Cheat Sheet

fail2ban-client status
fail2ban-client status sshd
systemctl restart fail2ban
journalctl -u fail2ban

Security Best Practices with Fail2Ban

  • Change SSH default port
  • Disable root login via SSH
  • Use SSH key-based authentication
  • Combine Fail2Ban with firewall rules
  • Monitor logs regularly

Fail2Ban works best as part of a layered security approach, not as a single solution.

Troubleshooting Tips

Fail2Ban not banning IPs?

  • Check log path configuration
  • Verify backend is set to systemd
  • Inspect logs: sudo journalctl -u fail2ban -xe

SSH jail not active?

  • Confirm SSH service name
  • Check /var/log/secure or systemd journal
  • Restart Fail2Ban after changes

Conclusion

Installing Fail2Ban on CentOS Stream 10 is a simple yet powerful step to enhance your server security. With proper configuration, Fail2Ban can automatically block malicious IP addresses and significantly reduce the risk of brute-force attacks.

For IT Operations and production environments, Fail2Ban is a must-have security layer that complements firewalls and secure SSH configurations.
