📘 Install Fail2Ban on AlmaLinux 9 / CloudLinux 9 (for cPanel)

Fail2Ban helps secure your server by monitoring log files and banning IP addresses that show signs of malicious activity, such as too many password failures or exploit attempts.

✅ This guide works for both AlmaLinux 9 and CloudLinux 9 with cPanel/WHM installed.


🛠️ Step 1: Install EPEL Repository

Fail2Ban isn’t included in the default repositories, so you need to enable EPEL (Extra Packages for Enterprise Linux) first.

dnf install epel-release -y
dnf update -y

📦 Step 2: Install Fail2Ban

dnf install fail2ban -y

🧠 Step 3: Understand Fail2Ban Directory Structure

Config files:

  • /etc/fail2ban/fail2ban.conf – main config
  • /etc/fail2ban/jail.conf – default jail rules (DO NOT MODIFY)
  • /etc/fail2ban/jail.local – override config here
  • /etc/fail2ban/jail.d/*.conf – service-specific jails

🛡️ Step 4: Basic Fail2Ban Setup

Create jail.local as a copy of the default jail.conf:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now edit /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

At a minimum, enable the sshd jail:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5

Save and exit.


🔐 Step 5: Create Jail for cPanel/WHM/FTP Services

Optional: Create jails for Pure-FTPd, cPanel login, etc.

Example: /etc/fail2ban/jail.d/cpanel.conf

[cpanel-login]
enabled = true
filter = cpanel-login
logpath = /usr/local/cpanel/logs/login_log
maxretry = 5
bantime = 3600
findtime = 600
action = iptables-allports[name=cpanel-login]

[pure-ftpd]
enabled = true
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 5
bantime = 3600

Then create the corresponding filters in /etc/fail2ban/filter.d/

Example: /etc/fail2ban/filter.d/cpanel-login.conf

[Definition]
failregex = ^.*authentication failed for .* from <HOST>$
ignoreregex =

Note: You’ll need to customize filters based on actual log patterns.
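
To see how the failregex, maxretry and findtime above interact before relying on the jail, here is an added example (not part of the original guide and not Fail2Ban's own code) that models them in Python over constructed log lines. The IPv4-only stand-in for <HOST>, the "timestamp | message" line shape and the sliding-window count are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from the cpanel-login filter above.
FAILREGEX = r"^.*authentication failed for .* from <HOST>$"
# Assumption: IPv4-only stand-in; Fail2Ban's real <HOST> expansion is broader.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY, FINDTIME = 5, 600  # values from the [cpanel-login] jail above

def compile_failregex(failregex):
    """Substitute the <HOST> tag so the pattern can be used with re."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry matching lines within findtime seconds."""
    rx = compile_failregex(FAILREGEX)
    recent = defaultdict(list)  # host -> failure times still inside the window
    banned = []
    for line in sorted(lines):  # the timestamp prefix sorts chronologically
        stamp, _, message = line.partition(" | ")
        match = rx.search(message)
        if match is None:
            continue  # a line the filter does not match never counts
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        host = match.group("host")
        window = timedelta(seconds=findtime)
        recent[host] = [t for t in recent[host] if now - t <= window] + [now]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines (hypothetical "timestamp | message" shape,
# not real cPanel log output).
SAMPLE = (
    # five failures in under a minute: reaches maxretry inside findtime
    [f"2024-05-01 10:00:{s:02d} | authentication failed for alice from 203.0.113.7"
     for s in (1, 9, 17, 25, 33)]
    # five failures four minutes apart: never five inside one 600 s window
    + [f"2024-05-01 10:{m:02d}:00 | authentication failed for bob from 198.51.100.20"
       for m in (0, 4, 8, 12, 16)]
    # different wording: the failregex misses these, so they are never counted
    + [f"2024-05-01 10:20:{s:02d} | FAILED LOGIN for carol (192.0.2.99)"
       for s in range(6)]
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

On the server itself, fail2ban-regex /usr/local/cpanel/logs/login_log /etc/fail2ban/filter.d/cpanel-login.conf runs the real filter against the real log and reports how many lines it matched.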


🚀 Step 6: Enable and Start Fail2Ban

systemctl enable fail2ban
systemctl start fail2ban

Check status:

systemctl status fail2ban

🔍 Step 7: Check Banned IPs (Optional)

fail2ban-client status
fail2ban-client status sshd

🧽 Optional: Whitelist IPs

Add trusted IPs to ignore list:

nano /etc/fail2ban/jail.local

Inside [DEFAULT], add:

ignoreip = 127.0.0.1/8 192.168.1.0/24 YOUR.PUBLIC.IP

🔁 Restart Fail2Ban After Changes

systemctl restart fail2ban

🧪 Troubleshooting

  • Check logs at /var/log/fail2ban.log
  • Use fail2ban-client reload to reload config
  • Use fail2ban-client set JAIL unbanip IP to unban manually