18.07.2025

How do I set up Fail2Ban?

Fail2Ban is a powerful and flexible tool for protecting Linux servers from brute-force attacks, especially password guessing against SSH, FTP, SMTP, web applications, or even the Squid proxy server. Setting up Fail2Ban lets you automatically block IP addresses that show suspicious activity, reducing the risk of a compromise.

With it, you can implement brute-force password protection, secure SSH, and even cover non-standard services, on Ubuntu, Debian, CentOS, or other systems. Fail2Ban versions for Windows are also available, and if desired, you can integrate it with iptables or other traffic control tools.

Installation, using Ubuntu 22.04 and Debian as the example:

sudo apt update
sudo apt install fail2ban

One of the most popular use cases is using Fail2Ban to protect SSH from password brute forcing.

Copy the configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open it:

sudo nano /etc/fail2ban/jail.local

Find and edit the [sshd] section (maxretry is the number of failures allowed within findtime, which defaults to 10 minutes if not set; bantime is in seconds):

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

By default, there is no Squid filter in Fail2Ban, but one can easily be added manually. This is especially useful on systems where Squid is used as a caching proxy or for traffic management (for example, mikrotik + fail2ban via proxy).

sudo nano /etc/fail2ban/filter.d/squid.conf

Add the following to the file. The failregex must contain a <HOST> tag, which Fail2Ban replaces with a pattern that captures the client address; without it the filter fails to load. The pattern below assumes Squid's native access.log layout, where the fields are timestamp, elapsed time, client address and result code, and it counts every TCP_DENIED entry as a failure:

[Definition]
failregex = ^\s*\d+(?:\.\d+)?\s+\d+\s+<HOST>\s+TCP_DENIED/\d+\s
ignoreregex =

Then open jail.local again:

sudo nano /etc/fail2ban/jail.local

To the end of the file:

[squid]
enabled = true
filter = squid
logpath = /var/log/squid/access.log
maxretry = 5
bantime = 3600
findtime = 600

Make sure that the path to access.log is correct:

sudo find /var/log -name access.log

Restart Fail2Ban so it loads the new filter and jail (before restarting, you can run the fail2ban-regex tool against the log to confirm that the filter actually matches its lines):

sudo systemctl restart fail2ban

Check that the jail is running and see how many addresses it has matched and banned:

sudo fail2ban-client status squid

If the configuration is correct, Fail2Ban will start tracking denied requests (TCP_DENIED entries) in the Squid log and automatically ban the offending IP addresses once they reach maxretry failures within findtime.
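To see what the jail settings above actually do to a log stream, here is an added Python example (it is not Fail2Ban's own code and not part of the original article) that models a jail offline: it expands the <HOST> placeholder, applies a failregex to constructed Squid access.log and auth.log lines, and counts failures per host inside the findtime window to decide who gets banned and until when. The Squid log layout, the simplified <HOST> expansion, the minimal sshd regex, the default findtime of 600 seconds for the sshd jail and the sample addresses are all assumptions made for the example.

```python
"""Offline model of how a Fail2Ban jail applies a filter's failregex together
with maxretry, findtime and bantime. Example code added for this page; it is
not Fail2Ban's own implementation and simplifies the real matching engine."""
import re

# Fail2Ban expands <HOST> to a named group for an IP address or hostname.
# Simplified expansion (assumption): a dotted IPv4 or colon-separated IPv6 literal.
HOST_PATTERN = r"(?P<host>[0-9A-Fa-f.:]+)"


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex containing <HOST> into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


# Native Squid access.log layout (assumption): "<epoch> <elapsed> <client> <result>/<status> ...".
# Only TCP_DENIED results count as failures; TCP_MISS and TCP_HIT are normal traffic.
SQUID_FAILREGEX = r"^\s*\d+(?:\.\d+)?\s+\d+\s+<HOST>\s+TCP_DENIED/\d+\s"

# OpenSSH "Failed password" lines as written to /var/log/auth.log. The sshd filter
# shipped with Fail2Ban covers many more message variants; this is a minimal stand-in.
SSHD_FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"


def simulate_jail(events, failregex, maxretry=5, findtime=600, bantime=3600):
    """Replay (epoch, log_line) events through a jail; return {host: ban_expiry}.

    Each matching line is one failure for the captured host. Failures older than
    findtime are discarded; once maxretry failures sit inside the window the host
    is banned for bantime seconds and its later lines are skipped until the ban
    expires (in production the firewall would drop that traffic). Fail2Ban reads
    the timestamp from the line itself; here it is passed alongside each line.
    """
    pattern = compile_failregex(failregex)
    failures = {}  # host -> timestamps of failures still inside findtime
    bans = {}      # host -> epoch at which the ban expires
    for ts, line in events:
        match = pattern.search(line)
        if not match:
            continue
        host = match.group("host")
        if bans.get(host, 0) > ts:
            continue  # still banned: nothing to count
        recent = [t for t in failures.get(host, []) if t > ts - findtime]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host] = ts + bantime
            failures[host] = []
    return bans


T0 = 1721300000  # constructed base timestamp for the sample logs


def squid_line(ts, host, result):
    """Build a constructed native-format Squid access.log line."""
    return (f"{ts}.000      0 {host} {result} 3616 GET "
            f"http://blocked.example/ - HIER_NONE/- text/html")


def sshd_line(user, host, failed=True):
    """Build a constructed auth.log line (the date text is cosmetic here)."""
    verb = "Failed password for" if failed else "Accepted password for"
    return f"Jul 18 10:13:20 proxy sshd[2317]: {verb} {user} from {host} port 51234 ssh2"


# Constructed Squid traffic (TEST-NET addresses): 203.0.113.7 is denied six times
# inside ten minutes (banned on the fifth); 198.51.100.4 is denied twice (below
# maxretry); 192.0.2.55 has five denials spread so only two share a findtime window.
SQUID_EVENTS = sorted(
    [(T0 + 30 * i, squid_line(T0 + 30 * i, "203.0.113.7", "TCP_DENIED/403")) for i in range(6)]
    + [(T0 + 5, squid_line(T0 + 5, "198.51.100.4", "TCP_MISS/200")),
       (T0 + 40, squid_line(T0 + 40, "198.51.100.4", "TCP_DENIED/403")),
       (T0 + 80, squid_line(T0 + 80, "198.51.100.4", "TCP_DENIED/403"))]
    + [(T0 + d, squid_line(T0 + d, "192.0.2.55", "TCP_DENIED/403")) for d in (0, 10, 20, 900, 910)]
)

# Constructed SSH log: 192.0.2.10 fails five times in a minute; 198.51.100.20
# fails once and then logs in successfully (the success line must not match).
SSHD_EVENTS = sorted(
    [(T0 + 15 * i, sshd_line("invalid user admin", "192.0.2.10")) for i in range(5)]
    + [(T0 + 7, sshd_line("root", "198.51.100.20")),
       (T0 + 9, sshd_line("deploy", "198.51.100.20", failed=False))]
)


def run_demo():
    """Evaluate both jails with the maxretry/bantime/findtime values from jail.local."""
    return {
        "squid": simulate_jail(SQUID_EVENTS, SQUID_FAILREGEX, maxretry=5, findtime=600, bantime=3600),
        "sshd": simulate_jail(SSHD_EVENTS, SSHD_FAILREGEX, maxretry=5, findtime=600, bantime=3600),
    }


if __name__ == "__main__":
    for jail, bans in run_demo().items():
        for host, expiry in bans.items():
            print(f"[{jail}] banned {host} until epoch {expiry}")
```

Running it bans 203.0.113.7 in the squid jail and 192.0.2.10 in the sshd jail; 192.0.2.55 escapes because its five denials never fall inside one 600-second window, which is exactly the trade-off findtime controls: raise it (the script shows this if you pass findtime=1200) and slow, spread-out probing is caught, but legitimate users who mistype a few times over a longer period are more likely to be locked out.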

Thus, Fail2Ban is not just SSH brute-force protection but a modular mechanism: you can write your own filters, change the actions taken when a host is banned, hook it into iptables, or use a Windows port. It is a universal security building block, from Ubuntu and Debian to CentOS and other Linux distributions.