How to Protect MySQL with Fail2Ban (Step-by-Step Guide for 2025)


Running MySQL on a VPS or dedicated server? That’s great—but without proper protection, your database could be a sitting duck for brute-force attacks. Even the strongest passwords won’t help if attackers can try login after login without restriction.

That’s where Fail2Ban steps in.

In this guide, we’ll show you how to use Fail2Ban to automatically block IP addresses that try (and fail) to break into your MySQL server. It’s simple, powerful, and a must-have if you care about security.

Why Secure MySQL?

MySQL is the backbone of many websites, apps, and internal systems. But it’s also a common target for brute-force attacks—automated bots hammer your login port, guessing usernames and passwords.

If left unchecked, it can lead to:

  • Unauthorized access
  • Data leaks or corruption
  • Excessive server load
  • Reputation damage (especially if your compromised server is then used to attack others)

What is Fail2Ban?

Fail2Ban is a lightweight intrusion prevention tool for Linux servers. It monitors log files for suspicious behavior—like repeated failed login attempts—and then bans those IPs automatically by modifying your firewall rules.

What Makes Fail2Ban Awesome?

  • Works out of the box with most Linux distros
  • Customizable rules (“jails”) per service (like MySQL, SSH, etc.)
  • Sends email alerts if someone’s knocking too hard
  • Works silently in the background

What You’ll Need

Before we dive in, make sure you have:

| Requirement | Description |
| --- | --- |
| MySQL installed | Running and logging properly |
| Linux server | Debian/Ubuntu or RHEL/CentOS preferred |
| Root access | For editing configs and installing packages |
| Fail2Ban (we’ll install it) | Watches your logs in real time |

💡 Pro Tip: Make sure MySQL is not exposed to the internet unless absolutely needed. If it is, then this guide is non-negotiable.

Step 1: Enable MySQL Logging

Fail2Ban works by monitoring log files. MySQL needs to log failed login attempts clearly.

On most systems:

1. Edit the MySQL config:

```bash
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
```

2. Under [mysqld], add:

```ini
log_error_verbosity = 3
```

3. Restart MySQL:

```bash
sudo systemctl restart mysql
```

4. Trigger a failed login (on purpose). Connect over TCP rather than the local socket, so the attempt is logged with an IP address instead of 'localhost':

```bash
mysql -h 127.0.0.1 -u wronguser -p
```

5. Check the logs:

```bash
cat /var/log/mysql/error.log
```

You should see something like:

```text
[Note] Access denied for user 'wronguser'@'127.0.0.1'
```

On MySQL 8 the full line also starts with a timestamp and an error code and ends with "(using password: YES)"; the 'user'@'host' part is what Fail2Ban will look for.

Step 2: Install Fail2Ban

On Debian/Ubuntu:

```bash
sudo apt update && sudo apt install fail2ban -y
```

On CentOS/RHEL:

```bash
sudo yum install epel-release -y
sudo yum install fail2ban -y
```


Enable and start the service:

```bash
sudo systemctl enable --now fail2ban
```

Step 3: Configure the MySQL Jail in Fail2Ban

Fail2Ban uses “jails” to define what logs to watch and how to respond.

1. Create a new jail:

```bash
sudo nano /etc/fail2ban/jail.d/mysqld.local
```

2. Paste this config:

```ini
[mysqld-auth]
enabled = true
filter = mysqld-auth
port = 3306
logpath = /var/log/mysql/error.log
maxretry = 5
findtime = 600
bantime = 3600
```

This means:

  • 5 failed attempts within 10 minutes (findtime) → 1 hour ban (bantime).

Step 4: Activate the Filter (If Not Already Available)

1. Check whether the filter file already exists:

```bash
ls /etc/fail2ban/filter.d/mysqld-auth.conf
```

2. If it’s not there, create it:

```bash
sudo nano /etc/fail2ban/filter.d/mysqld-auth.conf
```

3. Add this. The pattern must match the 'user'@'host' form shown in Step 1; a pattern expecting "from '<HOST>'" would never match that line, and nothing would ever be banned:

```ini
[Definition]
failregex = Access denied for user '[^']+'@'<HOST>'
ignoreregex =
```

Save and exit.

Step 5: Restart Fail2Ban & Test

```bash
sudo systemctl restart fail2ban
```

Check status:

```bash
sudo fail2ban-client status mysqld-auth
```

You should see:

  • Currently banned IPs
  • Number of attempts

Monitoring & Management

See all active jails:

```bash
sudo fail2ban-client status
```

Unban an IP:

```bash
sudo fail2ban-client set mysqld-auth unbanip YOUR.IP.ADDRESS
```

Pro Tips for Even Stronger Security

  • Use UFW or firewalld to restrict MySQL to trusted IPs.
  • Disable remote root login in MySQL:

```sql
UPDATE mysql.user SET host='localhost' WHERE user='root'; -- duplicate-key error if 'root'@'localhost' already exists: then DROP USER 'root'@'%' instead
FLUSH PRIVILEGES; -- direct edits to the grant tables only take effect after this
```

  • Change the MySQL port from 3306 to a non-standard port (and update `port` in the jail to match).
  • Set up alerts so you get notified on bans (requires a working mail setup on the server):

```ini
action = %(action_mwl)s
```

FAQs About Securing MySQL with Fail2Ban

Q1: Will this work for MariaDB too?

Yes! MariaDB is a MySQL fork and logs failed logins in the same 'user'@'host' form (tagged [Warning] rather than [Note]), so the same filter matches. Note that `log_error_verbosity` is a MySQL option; MariaDB controls error-log detail with `log_warnings` instead.

Q2: Can I set permanent bans?

Yes. Just set:

```ini
bantime = -1
```

to block IPs forever (use with caution).

Q3: What if Fail2Ban isn’t banning IPs?

Check:

  • That MySQL is actually logging failed logins (Step 1).
  • That `logpath` in the jail points at the right file (on RHEL/CentOS the default MySQL error log is /var/log/mysqld.log, not /var/log/mysql/error.log).
  • That the filter’s failregex matches your log format exactly.
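To run the checks above without touching a live server, here is an added Python script (not part of the original guide, and not Fail2Ban's own code) that replays the Step 4 filter and the Step 3 maxretry/findtime settings over constructed MySQL 8 error-log lines. The IPv4-only stand-in for Fail2Ban's `<HOST>` group and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex from the filter in Step 4. Fail2Ban replaces <HOST> with its own
# host-matching group; the IPv4-only pattern below is a simplified stand-in.
FAILREGEX = r"Access denied for user '[^']+'@'<HOST>'"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
# MySQL 8 error-log timestamp prefix, e.g. 2025-03-01T10:15:02.123456Z
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

# Constructed sample lines in MySQL 8 error-log format (not a real capture).
SAMPLE_LOG = [
    f"2025-03-01T10:0{i}:00.000000Z 1{i} [Note] [MY-010926] [Server] "
    f"Access denied for user 'user{i}'@'203.0.113.5' (using password: YES)"
    for i in range(5)
] + [
    "2025-03-01T10:05:00.000000Z 15 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.",
    "2025-03-01T10:06:00.000000Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: YES)",
    "2025-03-01T11:30:00.000000Z 17 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: NO)",
]

def parse_line(line):
    """Return (timestamp, host) if the line is a failed login, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    when = datetime.strptime(ts.group(1), "%Y-%m-%dT%H:%M:%S") if ts else None
    return when, m.group("host")

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Replay the jail: a host is banned once it has maxretry failures
    within any findtime-second window (lines must be in log order)."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] is None:
            continue  # not a failed login, or no timestamp to place it in time
        when, host = parsed
        recent[host] = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        recent[host].append(when)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

On a real server, `fail2ban-regex /var/log/mysql/error.log /etc/fail2ban/filter.d/mysqld-auth.conf` performs the same matching check with Fail2Ban's own engine and reports how many lines the filter matched.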

Q4: Is Fail2Ban enough to protect MySQL?

It helps—but combine it with firewall rules, secure passwords, and regular patching for full protection.

Q5: Can I use Fail2Ban with other services?

Absolutely. You can use it for SSH, FTP, web servers, email, and more. Just enable the relevant jails.

Final Thoughts

If your MySQL server can be connected to through the internet in any way, you definitely need Fail2Ban. It acts as a bouncer at the door of your server, kicking out any intruders trying to gain access.

Set it once, and it quietly protects you in the background.