How to Install and Configure Fail2ban on Ubuntu/Debian

Fail2ban is an open-source tool that helps secure Linux servers by detecting repeated failed login attempts and automatically blocking suspicious IPs through the firewall (iptables, nftables, firewalld…). It is a simple yet very effective solution to prevent brute-force attacks on SSH, FTP, web, mail services, etc.

Install Fail2ban

On Ubuntu/Debian, you can install it directly from the default repository:

sudo apt update
sudo apt install fail2ban -y

After installation, the service will automatically start. Check the status:

sudo systemctl status fail2ban

You should also enable Fail2ban to start automatically with the system:

sudo systemctl enable fail2ban

Basic Fail2ban Configuration

The main configuration file is located at:

/etc/fail2ban/jail.conf

However, you should not edit jail.conf directly, because a package upgrade can overwrite it. Instead, create a copy named jail.local; Fail2ban reads jail.conf first and then jail.local, so any setting in jail.local overrides the same setting in jail.conf:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Key Parameters

  • bantime: How long an IP stays banned (default: 10 minutes). Example: bantime = 1h
  • findtime: The time window within which failed attempts are counted (default: 10 minutes).
  • maxretry: Number of failed attempts allowed within findtime before the IP is banned (default: 5).
  • backend: How Fail2ban reads logs (systemd, polling, gamin…). On hosts that log only to the systemd journal and have no /var/log/auth.log, set backend = systemd.

Enable SSH Jail

In /etc/fail2ban/jail.local, enable SSH protection:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5

With this configuration, Fail2ban monitors SSH login attempts in the system log. If an IP exceeds the maxretry limit (5 failed attempts here) within the findtime window (default 10 minutes), that IP is automatically banned for the duration set by bantime (default 10 minutes, or whatever you configure).

Restart the service to apply changes:

sudo systemctl restart fail2ban

Check active jails:

sudo fail2ban-client status
sudo fail2ban-client status sshd

Some Basic Configuration Examples

Example 1: Ban an IP after 3 failed login attempts within 15 minutes, for 2 hours

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 15m
bantime = 2h

Example 2: Protect Nginx from brute-force attacks

If you’re using Nginx, enable the jail; the nginx-http-auth filter matches failed HTTP basic-auth attempts that Nginx writes to its error log:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3

Example 3: Whitelist IPs that are never banned

In the [DEFAULT] section, so that it applies to every jail (addresses and CIDR ranges, separated by spaces):

ignoreip = 127.0.0.1/8 ::1 192.168.1.100
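To make the interaction of maxretry, findtime, bantime and ignoreip concrete, here is an added example (not part of the original article and not Fail2ban's own code) that replays constructed sshd log lines through a small model of a jail using the values from Example 1 (maxretry = 3, findtime = 15m, bantime = 2h) and the whitelist above. The "Failed password" pattern is a simplified, hand-written regex, not the real filter.d/sshd.conf, and the host name, PIDs and IPs in the log lines are constructed.

```python
"""Model of one Fail2ban jail: count failures per IP inside findtime,
ban for bantime once maxretry is reached, and never ban ignoreip."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified match for the sshd "Failed password" line (constructed; the real
# filter lives in /etc/fail2ban/filter.d/sshd.conf and covers more cases).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed auth.log excerpt: one real brute-force burst, one whitelisted
# host, and one IP whose failures are too spread out to hit maxretry.
LOG_LINES = """\
Sep 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 10 10:02:00 host sshd[1002]: Failed password for admin from 192.168.1.100 port 50000 ssh2
Sep 10 10:05:02 host sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Sep 10 10:07:00 host sshd[1004]: Accepted publickey for deploy from 192.168.1.100 port 50001 ssh2
Sep 10 10:09:03 host sshd[1005]: Failed password for root from 203.0.113.7 port 51236 ssh2
Sep 10 10:15:00 host sshd[1006]: Failed password for root from 203.0.113.7 port 51237 ssh2
Sep 10 10:20:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 40000 ssh2
Sep 10 10:40:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 40001 ssh2
Sep 10 11:00:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 40002 ssh2
Sep 10 12:10:00 host sshd[1010]: Failed password for root from 203.0.113.7 port 51238 ssh2
""".splitlines()


def parse_duration(value):
    """Parse a Fail2ban-style duration: bare seconds or a number with s/m/h/d."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = str(value).strip()
    if value[-1].isdigit():
        return int(value)
    return int(value[:-1]) * units[value[-1]]


def parse_ignoreip(value):
    """Turn the space-separated ignoreip string into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def is_ignored(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def ts_to_epoch(ts, year=2024):
    """Syslog timestamps carry no year; assume one and return relative seconds."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds()


def simulate(lines, maxretry, findtime, bantime, ignoreip=""):
    """Return (ip, ban_start, ban_end) for every ban the jail would issue."""
    findtime, bantime = parse_duration(findtime), parse_duration(bantime)
    nets = parse_ignoreip(ignoreip)
    failures = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until = {}               # ip -> time at which the ban is lifted
    bans = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # not a failure line (e.g. "Accepted ...")
        ip, now = m["ip"], ts_to_epoch(m["ts"])
        if is_ignored(ip, nets):
            continue                # whitelisted: never counted, never banned
        if ip in banned_until and now >= banned_until[ip]:
            del banned_until[ip]    # ban expired; the IP starts from zero
        if ip in banned_until:
            continue                # still banned; the firewall drops it anyway
        window = failures[ip]
        window.append(now)
        while window and now - window[0] > findtime:
            window.popleft()        # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = now + bantime
            bans.append((ip, now, now + bantime))
            window.clear()
    return bans


def run_demo():
    return simulate(LOG_LINES, maxretry=3, findtime="15m", bantime="2h",
                    ignoreip="127.0.0.1/8 ::1 192.168.1.100")


if __name__ == "__main__":
    for ip, start, end in run_demo():
        print(f"ban {ip} for {int(end - start)}s")
```

Only 203.0.113.7 is banned: its third failure at 10:09:03 falls inside the 15-minute window, so the ban starts there and lasts 2 hours. 198.51.100.9 fails three times too, but 20 minutes apart, so at most one failure is ever inside findtime. 192.168.1.100 is skipped entirely because of ignoreip, and the attempt from 203.0.113.7 at 12:10:00 is counted afresh because its ban has just expired. Keep in mind that the real jail also needs the filter to actually match your distribution's log format, which is what fail2ban-regex is for.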

Manage Fail2ban with Commands

Check service status:

sudo systemctl status fail2ban

List enabled jails:

sudo fail2ban-client status

View details of a jail:

sudo fail2ban-client status sshd

Manually unban an IP:

sudo fail2ban-client set sshd unbanip 192.168.1.50

Conclusion

Fail2ban is an extremely useful tool to protect Linux servers against brute-force attacks. With just a few basic configurations, you can significantly reduce the risk of attacks on SSH, web, mail, and other services.
