
Centralize Fail2Ban — Part 1

Share every blocked IP across all hosts so attackers caught on one node never slip into the others. Central storage keeps every agent aligned, automated, and ready for rapid response.


Why centralize Fail2Ban?

Fail2Ban protects only the machine it runs on. Logging every detected IP to a shared database lets every connected service block that threat instantly, saving time and preventing attackers from hopping across your network.

The database becomes the single source of truth, while agents consume entries before banning. This opens the door to dashboards, reporting, and automated escalation.

Central database

Create a `fail2ban` table (MyISAM or InnoDB + utf8mb4) to store hostname, port, protocol, and banned IP. Every agent reads it before enforcing the ban list.

System prep

Install PHP, MySQL/MariaDB, Fail2Ban, and iptables. Ubuntu quickstart: `sudo apt-get install php7.4 mysql-server fail2ban iptables`.

Distribute bans

Use a PHP helper that logs jail, protocol, port, and IP to the database so every node can apply the same restrictions without duplication.

Database schema

Store metadata so you can query, audit, or forward bans to reporting tools.

CREATE TABLE IF NOT EXISTS `fail2ban` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `hostname` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
  `created` datetime NOT NULL,
  `name` text COLLATE utf8mb4_unicode_ci NOT NULL,
  `protocol` varchar(16) COLLATE utf8mb4_unicode_ci NOT NULL,
  `port` varchar(32) COLLATE utf8mb4_unicode_ci NOT NULL,
  `ip` varchar(64) COLLATE utf8mb4_unicode_ci NOT NULL,
  PRIMARY KEY (`id`),
  KEY `hostname` (`hostname`,`ip`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

Fail2Ban helper script

Save the helper as `/root/fail2ban.php`, grant execute rights, and call it from action scripts with sanitized parameters.

root@devserv3:~# cd /root && touch fail2ban.php && chmod +x fail2ban.php

Test with `./fail2ban.php jailname ssh 22 123.123.123.123` and confirm the database stores the record.
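An added example of the helper described above (not the article's own script). It assumes a local `fail2ban` database, a least-privilege `f2b` user and the table from the schema section, and it uses PDO prepared statements so the values Fail2Ban substitutes into the action line are validated and bound, never spliced into the SQL.

```php
#!/usr/bin/env php
<?php
// Added example of the /root/fail2ban.php helper (not the article's own script).
// Usage: fail2ban.php <jail> <protocol> <port> <ip>
// Assumed: database "fail2ban" on localhost, user "f2b", table from the schema above.
const DB_DSN  = 'mysql:host=127.0.0.1;dbname=fail2ban;charset=utf8mb4'; // assumed
const DB_USER = 'f2b';        // assumed; grant it INSERT only on this table
const DB_PASS = 'change-me';  // assumed placeholder

function fail(string $msg, int $code = 1): void {
    fwrite(STDERR, "fail2ban.php: $msg\n");
    exit($code);
}

if ($argc !== 5) {
    fail("usage: {$argv[0]} <jail> <protocol> <port> <ip>", 2);
}
[, $jail, $protocol, $port, $ip] = $argv;
$protocol = strtolower($protocol);

// Validate every argument before it reaches the database: Fail2Ban substitutes
// <name>/<ip> into the action line, so accept only well-formed values.
if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $jail))        fail('invalid jail name');
if (!in_array($protocol, ['tcp', 'udp', 'all'], true))     fail('invalid protocol');
// A port is a number, "all", or a comma-separated list (multiport jails).
if ($port !== 'all' && !preg_match('/^\d{1,5}(,\d{1,5})*$/', $port)) fail('invalid port');
if (filter_var($ip, FILTER_VALIDATE_IP) === false)         fail('invalid ip');

try {
    $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]);
    // Bound parameters: user-controlled values are never interpolated into SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO `fail2ban` (`hostname`, `created`, `name`, `protocol`, `port`, `ip`)
         VALUES (:hostname, NOW(), :name, :protocol, :port, :ip)'
    );
    $stmt->execute([
        ':hostname' => gethostname(), ':name' => $jail, ':protocol' => $protocol,
        ':port'     => $port,         ':ip'   => $ip,
    ]);
} catch (PDOException $e) {
    // A database outage must not undo the local iptables ban; report and exit non-zero.
    fail($e->getMessage());
}
exit(0);
```

A non-zero exit shows up in the Fail2Ban log as a failed action, which is the signal to check database connectivity rather than the jail itself.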

Need help?

We assist with the helper, database setup, and Cloud-IPS integration so your infrastructure stays resilient.

Connect to Fail2Ban

Update `/etc/fail2ban/jail.conf` (or `jail.local`), define jails, and set `banaction` to call the helper so the database is updated alongside iptables.

root@devserv3:~# cd /etc/fail2ban/
...
[pam-generic]
enabled  = true
filter   = pam-generic
port     = all
banaction = iptables-multiport
logpath  = /var/log/auth.log

Append the helper call to the `actionban` line in `action.d/iptables-multiport.conf` so the iptables ban list and the database stay in sync. Fail2Ban substitutes the `<name>`, `<protocol>`, `<port>` and `<ip>` tags before running the command.

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            /root/fail2ban.php <name> <protocol> <port> <ip>

Restart Fail2Ban and inspect logs to ensure the new action runs without errors.

Next up: part 2

See how to read the shared IPs from the database and lock them across hosts.
