Fail2ban with Nginx Jails: A Dynamic Duo for Server Security

Any service that is open to public is a potential threat, so implementing security is a very important part in the design of the server or infrastructure. Securing the server involves implementing the security measures, monitor the logs, and update the security measures based on the stats and regular maintenance and updates.

Fail2ban with Nginx is one of the duo combination while considering the speed, performance, and security of a web server. Fail2ban is an Intrusion Prevention software framework that is written in the Python programming language. It handles the security part and Nginx deals with the speed and performance part. In this article, we will discuss about how fail2ban with Nginx will secure the server from suspicious activities.

Benefit of Using Nginx in Hosting

Nginx is a versatile and powerful web server that offers numerous benefits when used for hosting websites and web applications. One of its key advantages is its exceptional performance and efficiency. Nginx is engineered to handle a high volume of simultaneous connections and serve a static content quickly, making it an ideal choice for hosting environments with heavy traffic loads. Its efficient use of system resources means that it can serve more users with less hardware, ultimately reducing the hosting costs.

Another significant benefit of using Nginx in hosting is its ability to act as a reverse proxy server and load balancer. Nginx can distribute the incoming web traffic across multiple backend servers, ensuring an even distribution and high availability. This load balancing capability enhances the overall reliability and fault tolerance of hosting services, making it particularly valuable for websites and applications that require continuous uptime and scalability. Additionally, Nginx’s support for SSL/TLS termination, security features, and ease of configuration further contribute to its popularity in hosting environments, making it a reliable choice for serving the web content securely and efficiently.

How Does Fail2ban Secure the Server

Fail2ban is an intrusion prevention software framework which secure the server by actively monitor the logs for any malicious activities and scanning the files for entries that match the identified patterns. If Fail2ban detects continuous login failure attempts, it blocks the source IP in the firewall. By default, it is configured to use the iptables firewall, but you can customize it to firewalld or ufw. In Centos 8 servers, we can install fail2ban-firewalld to switch to firewalld. You can make your server more secure by setting up jails for services like SSH, Nginx, Apache, and email.

Fail2ban with Nginx

Using Fail2ban with Nginx offers notable advantages for bolstering the security of your web server and applications. This dynamic duo excels at thwarting the brute force attacks, automatically identifying and blocking the IP addresses that are responsible for repeated login failures. Fail2ban’s ability to mitigate certain DDoS attacks by detecting and banning the IP addresses that generate excessive requests in a short time span also enhances the server availability. Moreover, it excels at combatting the web scraping bots and other malicious automated tools, preserving the server resources and bandwidth. Customizable security rules allow the tailoring protection to your application’s specific needs, whether you host multiple web apps or a single site. Fail2ban’s logging, alerting capabilities, and seamless integration with other security tools make it a valuable addition to your security strategy, improving the server stability and protecting the user authentication processes. Furthermore, Fail2ban adapts to evolving threats, ensuring a robust protection over time.

Pairing Fail2ban with Nginx is an effective strategy to safeguard your web server. It automatically identifies and blocks malicious activity, reducing the risk of unauthorized access and DDoS attacks while also enhancing the server performance and stability. This proactive and adaptable security layer, supported by an active open-source community, complements other security measures for comprehensive protection. Proper configuration and maintenance are key to maximizing the benefits of Fail2ban in your hosting environment.

Fail2Ban Installation

The installation of fail2ban can be achieved in a few simple commands. The commands are different depending on the operating system that you’re using. Here, we refer to the commands that are used in Ubuntu and CentOS.

For Ubuntu/Debian, you can use the following commands to install fail2ban:

apt update
apt install fail2ban

You may notice “sudo” in the commands in other blogs/docs. Note that you need to use “sudo” if you are running these commands as non-root user. As far as I know, most of the admins are doing the installation process as a root user, so there is no need of the “sudo” command. If you are running as a non-root user, “sudo” is needed to get the privileges to install it.

For CentOS/RHEL:

yum install epel-release
yum install fail2ban

In some server, the “epel-release” repository is already installed. In that case, you can simply run the fail2ban installation. Also, you enable the service, start, and get the status using the following commands:

systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban

Fail2ban Configuration

Create a custom fail2ban configuration file for Nginx. You can do this by creating a new “.conf” file in the “/etc/fail2ban/filter.d/” directory. Let’s call it “nginx-auth.conf”.

File: /etc/fail2ban/filter.d/nginx-auth.conf

Sample Content:

failregex = ^ \[error\] \d+#\d+: \*\d+ auth_basic
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication.*

Note: The configuration entries are sample entries; you need to refer to the official documentation. Also, use this code at your own risk.

Create a Jail Configuration for Nginx

Now, create a jail configuration especifically for Nginx. Open the “jail.local” file for editing:

Use the following sample configuration:

enabled  = true
filter   = nginx-auth
logpath  = /var/log/nginx/error.log
maxretry = 3
findtime = 600
bantime  = 3600

Explanation of each configuration entries:

enabled : Set to true to enable the Nginx jail.

filter : The name of the filter configuration file (created earlier).

Logpath : The path to your Nginx error log file.

maxretry: The number of allowed login attempts before banning an IP.

findtime: The time window (in seconds) during which the maxretry attempts are counted.

bantime : The duration (in seconds) for which an IP is banned.

Fail2ban is now configured to monitor the Nginx logs for authentication failures and ban the IP addresses that exceed the configured threshold. It’s essential to keep an eye on the fail2ban logs and tweak the configuration as necessary to align with your server’s security needs. Monitoring and fine-tuning are key to maintaining the effective security measures.

In fail2ban, you have the flexibility to make various customizations according to your specific needs. You can configure the options such as email notifications, ignore specific IP addresses, and set the ban times based on your requirements. To explore the further configuration details, review the configuration file for comprehensive settings.

Fail2ban Jails

A fail2ban jail is a combination of a filter and one or several actions. A filter defines a regular expression that matches a pattern corresponding to a failed login attempt or another suspicious activity. Actions define commands that are executed when the filter catches an abusive IP address.

There are some inbuilt jails available in fail2ban and we can enable the jails based on our requirements. And you can see the different jail configuration files under the “/etc/fail2ban/filter.d” configuration directory.

We can use the following command to get the information about the enabled jails:

fail2ban-client status

More details about the jails can be seen using the following command:

fail2ban-client status nginx-auth

Some of the necessary jails that are enabled in the server to improve the security of the server:

  • SSH Jail
  • Nginx/Apache Jail
  • FTP Jail
  • Mail Server Jail
  • Web Application Jail
  • DDoS Protection Jail
  • Custom Jails – Fail2Ban for WordPress, Webmin, etc.

Depending on your server’s setup and the services you’re running, you may need to create custom jails that are tailored to your specific requirements. This allows you to monitor and protect against unique threats.


In summary, the combination of fail2ban with Ngix offers a major role in the server security. It actively monitors the logs and helps us to keep the server secure. Nginx offers faster loading times and better performance and fail2ban acts as a security guard to monitor the malicious activities in the server by monitoring the logs. Proper setup, regular updates, and maintenance are needed to keep the server secure in today’s evolving cybersecurity landscape.

About the author

Suhesh K.S.

Mr. Suhesh KS is Linux System Administrator by profession with 10 Years of work experience in Linux system administration in web hosting, data center and data warehousing industry and have worked with reputed support companies. His wide range of skills include team management, system administration ( Linux ), programming ( bash, perl, php, java ,python), web hosting, data center support, cPanel Plugin development, website optimisation, Social media marketing.