# Installation

[![fail2ban_2.png](https://docs.rakouns.bzh/uploads/images/gallery/2026-06/scaled-1680-/fail2ban-2.png)](https://docs.rakouns.bzh/uploads/images/gallery/2026-06/fail2ban-2.png)

## Installation générique (Debian/Ubuntu)

```bash
sudo apt update
sudo apt install fail2ban -y
```

<span style="color: #1a1a1a;">Vérifier que le service est actif :</span>

```
sudo systemctl status fail2ban
sudo systemctl enable --now fail2ban
```

## Installation sur AlmaLinux/RHEL

```
sudo dnf install epel-release -y
sudo dnf install fail2ban fail2ban-systemd -y
sudo systemctl enable --now fail2ban
```

### Bascule iptables-legacy (requis sur AlmaLinux)

<span style="color: #1a1a1a;">Sur AlmaLinux, le mode </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">nftables</span><span style="color: #1a1a1a;"> par défaut pose des soucis de compatibilité avec certaines actions fail2ban orientées iptables. Bascule en mode legacy :</span>

```
sudo dnf install iptables-services -y
sudo alternatives --set iptables /usr/sbin/iptables-legacy
sudo alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo systemctl enable --now iptables
sudo systemctl restart fail2ban
```

<span style="color: #1a1a1a;">Vérifier la bascule :</span>

```
sudo alternatives --display iptables
```

## Arborescence de configuration

<span style="color: #1a1a1a;">Fail2ban utilise deux types de fichiers, à ne **jamais** modifier dans </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">/etc/fail2ban/jail.conf</span><span style="color: #1a1a1a;"> ou </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">/etc/fail2ban/filter.d/\*.conf</span><span style="color: #1a1a1a;"> (écrasés lors des mises à jour). Toujours passer par les fichiers </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">.local</span><span style="color: #1a1a1a;"> :</span>

```
/etc/fail2ban/
├── jail.conf          # NE PAS MODIFIER (fichier par défaut)
├── jail.local          # Config globale perso (créé manuellement)
├── jail.d/
│   └── rakouns-*.conf  # Une jail par service, convention Rakouns
├── filter.d/
│   ├── *.conf          # Filtres fournis par défaut
│   └── rakouns-*.conf  # Filtres personnalisés
└── action.d/
    ├── *.conf
    └── iptables-docker.conf  # Action custom pour cibler DOCKER-USER
```

<span style="color: #1a1a1a;">Créer la config globale de base si elle n'existe pas :</span>

<table border="1" cellpadding="0" cellspacing="0" class="MsoNormalTable" id="bkmrk-sudo-touch-%2Fetc%2Ffail" style="width: 468.0pt; border-collapse: collapse; border: none; mso-border-alt: solid #D9D9D9 .5pt; mso-yfti-tbllook: 1184; mso-padding-alt: 0cm .5pt 0cm .5pt; mso-border-insideh: 0cm none white; mso-border-insidev: 0cm none white;" width="624"><tbody><tr style="mso-yfti-irow: 0; mso-yfti-firstrow: yes; mso-yfti-lastrow: yes;"><td style="width: 468.0pt; border: solid #D9D9D9 1.0pt; mso-border-alt: solid #D9D9D9 .5pt; background: #F2F2F2; padding: 6.0pt 8.0pt 6.0pt 8.0pt;" valign="top" width="624"><span lang="EN-GB" style="font-size: 9.5pt; line-height: 110%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #1a1a1a; mso-ansi-language: EN-GB;">sudo touch /etc/fail2ban/jail.local</span>

</td></tr></tbody></table>

<span style="color: #1a1a1a;">Exemple de socle dans </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">jail.local</span><span style="color: #1a1a1a;"> (valeurs par défaut appliquées à toutes les jails, sauf surcharge) :</span>

```
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
backend  = auto
ignoreip = 127.0.0.1/8 192.168.1.0/24
```

<p class="callout info">**<span style="font-size: 10.5pt; line-height: 115%; color: #1f2d3d;">Note — </span>**<span style="font-size: 10.5pt; line-height: 115%; color: #1a1a1a;">ignoreip doit inclure ton réseau local pour éviter de te bannir toi-même pendant les tests.</span></p>

## Cas Docker : l'action iptables-docker

<span style="color: #1a1a1a;">Comme évoqué en page 1, le ban standard via la chaîne </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">INPUT</span><span style="color: #1a1a1a;"> n'a aucun effet sur le trafic redirigé vers des conteneurs Docker, car Docker insère ses propres règles dans la chaîne </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">DOCKER-USER</span><span style="color: #1a1a1a;"> avant que la chaîne </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">INPUT</span><span style="color: #1a1a1a;"> ne soit évaluée.</span>

<span style="color: #1a1a1a;">Créer </span><span style="font-size: 10.5pt; line-height: 120%; font-family: Consolas; mso-fareast-font-family: Consolas; mso-bidi-font-family: Consolas; color: #ae3a78; background: #F7F0F4;">/etc/fail2ban/action.d/iptables-docker.conf</span><span style="color: #1a1a1a;"> :</span>

```
[Definition]
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I DOCKER-USER -j f2b-<name>
 
actionstop = iptables -D DOCKER-USER -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>
 
actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-<name>[ \t]'
 
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
 
actionunban = iptables -D f2b-<name> -s <ip> -j DROP
 
[Init]
name = default
```

<span style="color: #1a1a1a;">Cette action sera référencée dans chaque jail concernée (voir Page 4).</span>

## Vérification rapide de l'installation

```
sudo fail2ban-client status
sudo fail2ban-client version
```