Why Use Fail2Ban?
Xtream UI servers are often targets for brute-force attacks and scanners looking for vulnerabilities. Fail2Ban monitors your server logs (like Nginx access logs) for suspicious activity—such as repeated 404 errors or failed login attempts—and updates your firewall rules to ban those IP addresses automatically.
Step 1: Install Fail2Ban
First, we need to install the Fail2Ban package on your Ubuntu server. Open your terminal (PuTTY) and run:
Step 2: Define the Filter
We need to tell Fail2Ban what to look for. We will create a filter configuration file that defines the "bad behavior" using Regular Expressions (Regex).
Create a new file named xtream.conf:
Paste the following content into the file. This regex targets specific attack patterns often seen on Xtream UI servers:
Press CTRL+X, then Y, then Enter to save.
Step 3: Configure the Jail
Now we create a "Jail" that uses our filter. This tells Fail2Ban which log file to watch, how many failures are allowed, and how long to ban the IP.
Open or create jail.local:
Add the following configuration block:
Note: Change YOUR_OWN_IP to your actual home/office IP address to prevent locking yourself out.
Step 4: Verify Nginx Logging
Fail2Ban relies on logs. You must ensure your Xtream UI Nginx configuration is actually writing to the log file we specified.
Check your Nginx config:
Make sure there is a line enabling the access log, similar to:
Step 5: Restart and Test
Finally, restart the Fail2Ban service to apply the changes.
To check if it is working and see currently banned IPs, you can use:
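To see how the filter, the failure limit, the time window and the whitelist from Steps 2 and 3 interact before relying on them, the following added example (not this tutorial's filter or jail) replays the same decision over a constructed Nginx access log. The regex, the thresholds, the sample IPs and the names `FAILREGEX` and `would_ban` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Nginx "combined" format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /a HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [10/Mar/2024:12:00:02 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /b HTTP/1.1" 404 153 "-" "-"
198.51.100.20 - - [10/Mar/2024:12:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [10/Mar/2024:12:00:05 +0000] "GET /old-page2 HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "GET /c HTTP/1.1" 404 153 "-" "-"
198.51.100.20 - - [10/Mar/2024:12:00:07 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
192.0.2.10 - - [10/Mar/2024:12:00:08 +0000] "GET /old-page3 HTTP/1.1" 404 153 "-" "-"
198.51.100.99 - - [10/Mar/2024:12:00:10 +0000] "GET /x HTTP/1.1" 404 153 "-" "-"
198.51.100.99 - - [10/Mar/2024:12:02:10 +0000] "GET /y HTTP/1.1" 404 153 "-" "-"
198.51.100.99 - - [10/Mar/2024:12:04:10 +0000] "GET /z HTTP/1.1" 404 153 "-" "-"
"""

# Hypothetical pattern: a request answered with 404. Anchored at line start and
# matched past the quoted request, so "404" inside a URL or user agent never counts.
# The named group "host" plays the role of Fail2Ban's <HOST> tag.
FAILREGEX = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" 404 ')

def would_ban(log_text, maxretry=3, findtime=60, ignoreip=()):
    """Return IPs that reach maxretry matches within findtime seconds, in ban order."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m or m["host"] in ignoreip or m["host"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["host"]]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=findtime):
            hits.popleft()  # forget failures older than the window
        if len(hits) >= maxretry:
            banned.append(m["host"])
    return banned

if __name__ == "__main__":
    print("no whitelist:  ", would_ban(SAMPLE_LOG))
    print("with whitelist:", would_ban(SAMPLE_LOG, ignoreip=("192.0.2.10",)))
```

Without the whitelist entry, the administrator address 192.0.2.10 is banned for its own broken links, which is the lockout the Step 3 note warns about. On a real server, `fail2ban-regex <logfile> <filter>` runs the actual filter file against the actual log in the same way.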
Advanced: Log Rotation
To prevent your log file from growing too large, you can add a cron job to clear it periodically. This keeps Fail2Ban efficient.
Add this to your crontab (crontab -e):
This empties the log file every hour.
