Fail2ban is an open-source tool that helps secure Linux servers by detecting repeated failed login attempts and automatically blocking suspicious IPs through the firewall (iptables, nftables, firewalld…). It is a simple yet very effective solution to prevent brute-force attacks on SSH, FTP, web, mail services, etc.
Install Fail2ban
On Ubuntu/Debian, you can install it directly from the default repository:
sudo apt update
sudo apt install fail2ban -y
After installation, the service will automatically start. Check the status:
sudo systemctl status fail2ban
You should also enable Fail2ban to start automatically with the system:
sudo systemctl enable fail2ban
Basic Fail2ban Configuration
The main configuration file is located at:
/etc/fail2ban/jail.conf
However, you should not edit jail.conf directly. Instead, create a copy named jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Key Parameters
- bantime: The ban duration for an IP (default: 10 minutes). Example: 1 hour
- findtime: The time window to track failed login attempts (default: 10 minutes).
- maxretry: Number of failed attempts allowed before banning (default: 5).
- backend: How fail2ban reads logs (systemd, polling, gamin…).
Enable SSH Jail
In /etc/fail2ban/jail.local, enable SSH protection:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
With this configuration, Fail2ban will monitor SSH login attempts in the system log file. If there are more than 5 failed login attempts within the defined time window (findtime, default 10 minutes), the attacker’s IP will be automatically banned for the duration specified in bantime (default 10 minutes, or as you configure).
Restart the service to apply changes:
sudo systemctl restart fail2ban
Check active jails:
sudo fail2ban-client status
sudo fail2ban-client status sshd
Some Basic Configuration Examples
Example 1: Ban IP after 3 failed login attempts within 15 minutes, block for 2 hours
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 15m
bantime = 2h
Example 2: Protect Nginx from brute-force attacks
If you’re using Nginx, enable the jail:
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
Example 3: Add whitelist IPs (never banned)
In [DEFAULT]:
ignoreip = 127.0.0.1/8 ::1 192.168.1.100
Manage Fail2ban with Commands
Check service status:
sudo systemctl status fail2ban
List enabled jails:
sudo fail2ban-client status
View details of a jail:
sudo fail2ban-client status sshd
Manually unban an IP:
sudo fail2ban-client set sshd unbanip 192.168.1.50
Conclusion
Fail2ban is an extremely useful tool to protect Linux servers against brute-force attacks. With just a few basic configurations, you can significantly reduce the risk of attacks on SSH, web, mail, and other services.
Read more
- Install and Integrate OpenDKIM with Postfix | Sign & Authenticate Your Emails
- What is OpenDKIM? A Simple Guide from Basics to How It Works
- How to Install and Configure Fail2ban on Ubuntu/Debian
- Install n8n Server on Linux VPS (Ubuntu/Debian) | Docker + FreeSSL + Nginx
- How to Set Up WordPress Website on Ubuntu/Debian | Secure with Free SSL (Let’s Encrypt)