How to Install Fail2Ban on CentOS Stream 10 (2026 Guide)

Securing a Linux server is a critical responsibility for every system administrator and DevOps engineer. Among the most persistent threats targeting public-facing servers are brute-force attacks: automated bots that repeatedly attempt to guess passwords on exposed services like SSH, FTP, and web applications. Left unchecked, these attacks can lead to unauthorized access, data breaches, and compromised infrastructure.

Fail2Ban is a lightweight, open-source intrusion prevention framework designed to address exactly this threat. It monitors log files in real time, detects patterns of failed authentication attempts, and automatically blocks offending IP addresses using your system's firewall rules, with no manual intervention required.

In this guide, you will learn how to install and configure Fail2Ban on CentOS Stream 10, step by step. We cover everything from enabling the EPEL repository and installing the package, to tuning SSH jail settings, verifying banned IPs, and integrating with firewalld. Whether you are setting up a fresh server or hardening an existing production environment, this guide gives you a working Fail2Ban setup in under 15 minutes.

What Is Fail2Ban and Why You Need It

Fail2Ban is an intrusion prevention system (IPS) written in Python. It works by:

  1. Monitoring system and application log files (e.g., /var/log/secure, systemd journal)
  2. Detecting repeated failed login attempts that match configurable patterns (called filters)
  3. Blocking the offending IP address automatically via firewall rules (iptables, nftables, or firewalld)
  4. Unbanning the IP automatically after a configurable timeout period

Key Benefits of Using Fail2Ban

| Key Benefit | Description |
|---|---|
| SSH Protection | Automatically detects and blocks IP addresses that repeatedly fail SSH authentication attempts, reducing the risk of brute-force attacks. |
| Multi-Service Support | Protects a wide range of services, including SSH, FTP, Apache, Nginx, Postfix, Dovecot, and other network-facing applications. |
| Firewall Integration | Works seamlessly with firewalld, iptables, nftables, and other firewall technologies to enforce temporary or permanent bans. |
| Low Resource Usage | Runs efficiently with a very small CPU and memory footprint, making it suitable for servers of all sizes. |
| Flexible Configuration | Provides extensive customization options, including login retry thresholds, ban duration, whitelist settings, email alerts, and automated actions. |

For CentOS Stream 10 servers exposed to the internet, Fail2Ban is strongly recommended as a first line of defense against automated brute-force attempts.

Prerequisites

Before you begin, make sure the following conditions are met:

  • You are running CentOS Stream 10 (verify with cat /etc/os-release)
  • You have root or sudo access
  • SSH is active and running (systemctl status sshd)
  • Your system packages are up to date

Update your system before starting:

sudo dnf update -y

Step 1: Enable the EPEL Repository

Fail2Ban is not included in CentOS Stream 10's default repositories. You need to enable EPEL (Extra Packages for Enterprise Linux) first.

sudo dnf install epel-release -y

Verify the repository is active:

dnf repolist

You should see epel listed in the output. If it does not appear, run sudo dnf repolist all | grep epel to troubleshoot.

Step 2: Install Fail2Ban on CentOS Stream 10

With EPEL enabled, install Fail2Ban using the DNF package manager:

sudo dnf install fail2ban -y

After installation, confirm the version:

fail2ban-client --version

Expected output (version may vary):

Fail2Ban v1.1.x

Step 3: Start and Enable the Fail2Ban Service

Start the service immediately:

sudo systemctl start fail2ban

Enable it to start automatically on every boot:

sudo systemctl enable fail2ban

Verify the service is running:

sudo systemctl status fail2ban

Look for Active: active (running) in the output. If the service fails to start, check logs with sudo journalctl -u fail2ban -xe.

Step 4: Create a Local Configuration File (Best Practice)

⚠️ Important: Never edit /etc/fail2ban/jail.conf directly. This file is overwritten during package updates. Always use jail.local for custom configurations.

Create your local override file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file for editing:

sudo nano /etc/fail2ban/jail.local

The jail.local file takes precedence over jail.conf for any settings you define there.

Step 5: Configure SSH Protection (jail.local)

Locate the [sshd] section in jail.local and configure it as follows:

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = systemd
maxretry = 5
bantime  = 3600
findtime = 600

Parameter Reference Table

| Parameter | Value | Meaning |
|---|---|---|
| enabled | true | Activates this jail |
| port | ssh | Monitors the default SSH port (22) |
| logpath | %(sshd_log)s | Uses the system SSH log path |
| backend | systemd | Reads logs from systemd journal |
| maxretry | 5 | Ban after 5 failed attempts |
| findtime | 600 | Count failures within a 10-minute window |
| bantime | 3600 | Ban duration: 1 hour (3600 seconds) |

Tuning tips:

  • For stricter security, reduce maxretry to 3 and increase bantime to 86400 (24 hours)
  • If you are using a non-standard SSH port, replace ssh with the actual port number (e.g., port = 2222)
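
How the three thresholds interact, as an added example rather than code from this guide or from the Fail2Ban project: a simplified Python model of the maxretry/findtime/bantime logic run over constructed sshd log lines. The `simulate` function, its regex and the sample log are assumptions made for illustration; Fail2Ban's own filters and ban handling are more involved.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines (documentation-range IPs, not from a real host).
# 203.0.113.45 fails 5 times in 2 minutes; 198.51.100.7 fails once every 4 minutes.
SAMPLE_LOG = """\
2026-01-10T09:00:00 sshd[811]: Failed password for root from 203.0.113.45 port 40022 ssh2
2026-01-10T09:00:05 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 51514 ssh2
2026-01-10T09:00:30 sshd[811]: Failed password for root from 203.0.113.45 port 40024 ssh2
2026-01-10T09:01:00 sshd[811]: Failed password for root from 203.0.113.45 port 40026 ssh2
2026-01-10T09:01:30 sshd[811]: Failed password for root from 203.0.113.45 port 40028 ssh2
2026-01-10T09:02:00 sshd[811]: Failed password for root from 203.0.113.45 port 40030 ssh2
2026-01-10T09:02:10 sshd[811]: Failed password for root from 203.0.113.45 port 40032 ssh2
2026-01-10T09:04:05 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 51516 ssh2
2026-01-10T09:08:05 sshd[812]: Failed password for invalid user test from 198.51.100.7 port 51518 ssh2
2026-01-10T09:12:05 sshd[812]: Failed password for invalid user oracle from 198.51.100.7 port 51520 ssh2
2026-01-10T09:16:05 sshd[813]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
"""

# Simplified pattern for this example; Fail2Ban's bundled sshd filter matches many more messages.
FAILURE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port ")

def simulate(log, maxretry=5, findtime=600, bantime=3600):
    """Model of the jail thresholds: returns [(ip, banned_at, expires_at_or_None)]."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    expires = {}                  # ip -> ban expiry (None = never, i.e. bantime < 0)
    bans = []
    for line in log.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in expires and (expires[ip] is None or ts < expires[ip]):
            continue              # source is banned; the firewall would drop it
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than the window
        if len(q) >= maxretry:
            expires[ip] = None if bantime < 0 else ts + timedelta(seconds=bantime)
            bans.append((ip, ts, expires[ip]))
            q.clear()
    return bans
```

With the Step 5 values only 203.0.113.45 is banned; calling `simulate(SAMPLE_LOG, maxretry=3, bantime=86400)` also catches the slower source 198.51.100.7, which never reaches five failures inside one 10-minute window.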

Save and close the file (Ctrl+X, then Y, then Enter in nano).

Step 6: Restart Fail2Ban to Apply Changes

sudo systemctl restart fail2ban

Verify the SSH jail is active:

sudo fail2ban-client status sshd

Sample output:

Status for the jail: sshd
|- Filter
|  |- Currently failed:    2
|  |- Total failed:    14
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:    1
   |- Total banned:    3
   `- Banned IP list:    203.0.113.45
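
For monitoring or alerting, the status text above can be turned into structured data. This is an added example, not part of the original guide or of Fail2Ban itself: a small Python parser for the tree-style output, where `parse_status` and `ban_backlog` are hypothetical helper names and the input is the sample output shown above.

```python
import ipaddress
import re

# Sample text copied from the status output shown above.
STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:    2
|  |- Total failed:    14
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:    1
   |- Total banned:    3
   `- Banned IP list:    203.0.113.45
"""

def parse_status(text):
    """Turn `fail2ban-client status <jail>` text into a nested dict."""
    result, section = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^[\s|`-]+", "", raw)       # drop the tree-drawing prefix
        key, sep, value = line.partition(":")      # split once, so IPv6 values survive
        key, value = key.strip(), value.strip()
        if key == "Status for the jail":
            result["jail"] = value
        elif not sep and key:                      # "Filter" / "Actions" headers
            section = result.setdefault(key, {})
        elif section is not None and key:
            if key == "Banned IP list":
                # ip_address() raises ValueError on anything that is not an IP
                value = [str(ipaddress.ip_address(ip)) for ip in value.split()]
            elif value.isdigit():
                value = int(value)
            section[key] = value
    return result

def ban_backlog(text, threshold):
    """Hypothetical alert check: True when current bans exceed the threshold."""
    return parse_status(text)["Actions"]["Currently banned"] > threshold
```

In practice the text would be the captured output of `sudo fail2ban-client status sshd` rather than the embedded sample.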

Step 7: View All Active Jails and Banned IPs

List all active jails:

sudo fail2ban-client status

View banned IPs for SSH specifically:

sudo fail2ban-client status sshd

To view Fail2Ban logs directly:

sudo tail -f /var/log/fail2ban.log

Step 8: Manually Unban an IP Address

If a legitimate user or internal system gets blocked, unban it manually:

sudo fail2ban-client set sshd unbanip 192.168.1.100

Replace 192.168.1.100 with the actual IP address. This takes effect immediately without a service restart.

Step 9: Verify Firewalld Integration

CentOS Stream 10 uses firewalld as the default firewall. Fail2Ban integrates with it automatically by creating dynamic rules under the f2b-* chain.

Verify active firewall rules:

sudo firewall-cmd --list-all

To inspect the Fail2Ban-specific chains:

sudo iptables -L f2b-sshd -n --line-numbers

You should see REJECT or DROP rules for banned IP addresses.

Step 10: Enable Email Notifications (Optional)

To receive email alerts when an IP is banned, edit the global section of jail.local:

destemail = admin@yourdomain.com
sender    = fail2ban@yourdomain.com
mta       = sendmail
action    = %(action_mwl)s

Note: A working mail server (Postfix or Sendmail) must be installed and configured before this will function. Use action_mwl to receive the offending log lines with each ban notification.

Fail2Ban Command Cheat Sheet

| Command | Description |
|---|---|
| sudo fail2ban-client status | Displays all active Fail2Ban jails currently protecting services on the server. |
| sudo fail2ban-client status sshd | Shows detailed information about the SSH jail, including the number of failed attempts and banned IP addresses. |
| sudo fail2ban-client set sshd unbanip <IP> | Removes a specific IP address from the SSH jail ban list. |
| sudo systemctl restart fail2ban | Restarts the Fail2Ban service and reloads the latest configuration changes. |
| sudo journalctl -u fail2ban | Displays service logs collected by systemd for troubleshooting and auditing purposes. |
| sudo tail -f /var/log/fail2ban.log | Provides real-time monitoring of Fail2Ban events, including detected attacks and IP bans. |

Security Best Practices

Fail2Ban is effective, but it works best as one layer in a broader security stack. Pair it with:

  • Change the default SSH port: reduces exposure to automated scanners
  • Disable root login via SSH: set PermitRootLogin no in /etc/ssh/sshd_config
  • Use SSH key-based authentication: disable password login entirely
  • Configure firewalld to allow only necessary ports
  • Enable SELinux: CentOS Stream 10 ships with SELinux in enforcing mode; keep it enabled
  • Monitor logs regularly using tools like Nagios or Monitorix

Troubleshooting Common Issues

Fail2Ban is not banning IPs

  • Verify logpath is pointing to the correct log file
  • Confirm backend = systemd is set for systems using systemd journal
  • Check for errors:
  sudo journalctl -u fail2ban -xe

SSH jail is not active after restart

  • Confirm the SSH service name matches the jail name (sshd vs ssh)
  • Check /var/log/secure or journal:
  sudo journalctl -u sshd | tail -50
  • Restart Fail2Ban after every configuration change

Fail2Ban service fails to start

  • Validate your jail.local syntax:
  sudo fail2ban-client -t

This tests the configuration without applying changes.

Frequently Asked Questions

Q: Does Fail2Ban work with SSH keys?
Yes. Even with SSH key authentication enabled, Fail2Ban still monitors for failed attempts (e.g., from bots testing invalid keys or wrong usernames) and bans the source IPs accordingly.

Q: What is the difference between bantime, findtime, and maxretry?
findtime is the observation window in seconds. maxretry is the number of failures allowed within that window before a ban is triggered. bantime is how long the IP stays banned.

Q: Can I use Fail2Ban to protect services other than SSH?
Yes. Fail2Ban ships with pre-built filters for Apache, Nginx, Postfix, ProFTPD, and dozens of other services. Enable additional jails in jail.local as needed.

Q: How do I permanently ban an IP address?
Set bantime = -1 in the relevant jail. A negative value means the ban never expires. Use this cautiously for known malicious IPs.

Q: Does Fail2Ban replace a firewall?
No. Fail2Ban works with your firewall (firewalld/iptables), not instead of it. It dynamically adds rules to the firewall based on log analysis.

Conclusion

Installing Fail2Ban on CentOS Stream 10 is a quick, low-effort step that significantly improves your server's resistance to brute-force attacks. With the configuration covered in this guide, your SSH service is now protected by automated IP banning, firewalld integration, and configurable retry thresholds.

For production environments, combine Fail2Ban with SSH hardening, key-based authentication, and regular log monitoring to build a robust, layered security posture.
