fail2ban Setup
Installed 2026-02-25 across all servers to mitigate SSH brute-force attacks.
Problem
All servers were receiving sustained SSH brute-force attempts. The N8N server (omelas-hk) had accumulated 837 MB of failed login records in btmp logs alone, indicating thousands of automated attack attempts.
Configuration
Identical configuration deployed to all servers:
```ini
# /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = iptables-multiport

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
```
Rules
- 3 failed SSH attempts within 10 minutes trigger a 24-hour IP ban
- Bans are enforced via iptables firewall rules
- fail2ban is enabled as a systemd service (survives reboots)
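
How these rules follow from the configuration, as an added example (not part of the original page or of fail2ban itself): the `[sshd]` jail overrides `maxretry` and `bantime` but inherits `findtime` from `[DEFAULT]`, and a sliding window over constructed auth.log lines shows which source address ends up banned. The regex is a simplified stand-in for fail2ban's real sshd filter, and the function names, sample log lines and IPs are assumptions.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime

JAIL_LOCAL = """
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
[sshd]
maxretry = 3
bantime = 24h
"""  # ban-related keys copied from the jail.local on this page
SAMPLE_LOG = """\
Feb 25 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Feb 25 10:00:09 host sshd[1002]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Feb 25 10:00:40 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Feb 25 10:01:10 host sshd[1004]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Feb 25 10:02:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 40003 ssh2
Feb 25 10:20:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 50003 ssh2
"""  # constructed sample lines with documentation-range IPs, not real traffic
# Simplified stand-in for fail2ban's sshd filter, which matches many more messages.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def seconds(value):  # suffixed duration such as "10m" or "24h" -> seconds
    return int(value[:-1]) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[value[-1]]

def effective(jail="sshd"):
    """Return (maxretry, findtime, bantime); keys the jail omits come from [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(JAIL_LOCAL)
    s = cp[jail]
    return int(s["maxretry"]), seconds(s["findtime"]), seconds(s["bantime"])

def simulate(log=SAMPLE_LOG, year=2026):
    """Return {ip: ban time} for IPs reaching maxretry failures within findtime."""
    maxretry, findtime, _ = effective()
    recent, bans = defaultdict(deque), {}
    for m in filter(None, map(FAILED.match, log.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            bans.setdefault(m.group(2), ts)  # keep the time of the first ban
    return bans
```

In the sample, 198.51.100.7 also fails three times, but the third failure comes more than 10 minutes after the first two, so the window never holds three failures and no ban is issued.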
Servers Covered
| Server | IP | Status | Notes |
|---|---|---|---|
| CMS Droplet | 178.128.183.166 | Active | Low attack volume |
| N8N Server | 68.183.83.159 | Active | Heaviest attacks (36+ IPs banned immediately) |
| N8N Worker | 159.203.80.93 | Active | Moderate attacks |
| OVH VPS | 192.99.145.61 | Active | 137 total bans, sustained attacks |
Useful Commands
```bash
# Check status
fail2ban-client status sshd

# Unban a specific IP
fail2ban-client set sshd unbanip <IP>

# Check jail configuration
fail2ban-client get sshd bantime
fail2ban-client get sshd maxretry

# View banned IPs
fail2ban-client status sshd | grep 'Banned IP'

# Check fail2ban logs
tail -f /var/log/fail2ban.log
```
Not Covered
- Hostinger (88.223.84.186) — shared hosting, no root access to install fail2ban