📘 Install Fail2Ban on AlmaLinux 9 / CloudLinux 9 (for cPanel)

Fail2Ban helps secure your server by monitoring logs and banning IPs that show malicious signs, such as too many password failures or exploit attempts.

✅ This guide works for both AlmaLinux 9 and CloudLinux 9 with cPanel/WHM installed.


🛠️ Step 1: Install EPEL Repository

Fail2Ban isn't included in the default repos, so you need EPEL (Extra Packages for Enterprise Linux).

dnf install epel-release -y
dnf update -y

📦 Step 2: Install Fail2Ban

dnf install fail2ban -y

🧠 Step 3: Understand Fail2Ban Directory Structure

Config files:

  • /etc/fail2ban/fail2ban.conf – main config
  • /etc/fail2ban/jail.conf – default jail rules (DO NOT MODIFY)
  • /etc/fail2ban/jail.local – override config here
  • /etc/fail2ban/jail.d/*.conf – service-specific jails

🛡️ Step 4: Basic Fail2Ban Setup

Create a local override file by copying the defaults:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now edit /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

At a minimum, enable the sshd jail:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5

Save and exit.


Step 5: Create Jail for cPanel/WHM/FTP Services

Optional: Create jails for Pure-FTPd, cPanel login, etc.

Example: /etc/fail2ban/jail.d/cpanel.conf

[cpanel-login]
enabled = true
filter = cpanel-login
logpath = /usr/local/cpanel/logs/login_log
maxretry = 5
bantime = 3600
findtime = 600
action = iptables-allports[name=cpanel-login]

[pure-ftpd]
enabled = true
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 5
bantime = 3600

Then create the corresponding filters in /etc/fail2ban/filter.d/

Example: /etc/fail2ban/filter.d/cpanel-login.conf

[Definition]
failregex = ^.*authentication failed for .* from <HOST>$
ignoreregex =

Note: You’ll need to customize filters based on actual log patterns.
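
A dry run of the cpanel-login failregex above against sample lines, as an added example that is not part of the original guide. The log lines are constructed, and the <HOST> expansion is a simplified stand-in for fail2ban's own (an assumption), so the script only shows which lines the pattern would count and which it would miss.

```python
import ipaddress
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IP literals only;
# the real expansion also accepts hostnames).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"

# failregex copied from the cpanel-login filter in this guide.
PAGE_FAILREGEX = r"^.*authentication failed for .* from <HOST>$"

# Constructed sample lines, not real cPanel output. Timestamps are omitted
# because fail2ban removes the date it detects before applying failregex.
SAMPLE_LINES = [
    "authentication failed for alice from 203.0.113.7",
    "authentication failed for bob from 2001:db8::15",
    "authentication failed for carol from 203.0.113.9 (attempt 3)",
    "login succeeded for dave from 198.51.100.4",
]


def check_filter(failregex, lines):
    """Return (hits, misses); hits are (line, ip) pairs that would count as failures."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    hits, misses = [], []
    for line in lines:
        match = pattern.search(line)
        if match is None:
            misses.append(line)
            continue
        try:
            ip = ipaddress.ip_address(match.group("host"))
        except ValueError:
            misses.append(line)  # captured text is not a valid IP address
            continue
        hits.append((line, str(ip)))
    return hits, misses


if __name__ == "__main__":
    hits, misses = check_filter(PAGE_FAILREGEX, SAMPLE_LINES)
    for line, ip in hits:
        print(f"HIT   {ip:<15} {line}")
    for line in misses:
        print(f"MISS  {'':<15} {line}")
```

The third sample is a miss because the trailing $ requires the address to end the line, which is the kind of mismatch to look for when adapting the filter. On the server, fail2ban-regex /usr/local/cpanel/logs/login_log /etc/fail2ban/filter.d/cpanel-login.conf gives the authoritative result against real log lines.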


🚀 Step 6: Enable and Start Fail2Ban

systemctl enable fail2ban
systemctl start fail2ban

Check status:

systemctl status fail2ban

Step 7: Check Banned IPs (Optional)

fail2ban-client status
fail2ban-client status sshd

🧽 Optional: Whitelist IPs

Add trusted IPs to the ignore list:

nano /etc/fail2ban/jail.local

Inside [DEFAULT], add:

ignoreip = 127.0.0.1/8 192.168.1.0/24 YOUR.PUBLIC.IP

Restart Fail2Ban After Changes

systemctl restart fail2ban

🧪 Troubleshooting

  • Check logs at /var/log/fail2ban.log
  • Use fail2ban-client reload to reload config
  • Use fail2ban-client set JAIL unbanip IP to unban manually