Fail2ban is an open-source intrusion-prevention tool that helps secure Linux servers by scanning log files for repeated failed login attempts and automatically blocking the offending IP addresses through the firewall (iptables, nftables, firewalld…). It is a simple yet effective way to limit brute-force attacks on SSH, FTP, web, mail and other services.
Install Fail2ban
On Ubuntu/Debian, you can install it directly from the default repository:
sudo apt update
sudo apt install fail2ban -y
After installation, the service will automatically start. Check the status:
sudo systemctl status fail2ban
You should also enable Fail2ban to start automatically with the system:
sudo systemctl enable fail2ban
Basic Fail2ban Configuration
The main configuration file is located at:
/etc/fail2ban/jail.conf
However, you should not edit jail.conf directly: the package manager overwrites it on upgrades. Settings in jail.local take precedence over jail.conf, so the usual approach is to start from a copy of jail.conf and edit that (a smaller jail.local containing only the settings you change also works and is easier to review):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Key Parameters
- bantime: How long an IP stays banned (default: 10 minutes). Example: bantime = 1h. A value of -1 makes the ban permanent.
- findtime: The time window within which failed attempts are counted (default: 10 minutes).
- maxretry: Number of failures within findtime that triggers a ban (default: 5). The ban is applied on the 5th failure, not the 6th.
- backend: How Fail2ban reads logs (auto, systemd, polling, pyinotify). On minimal Debian 12 installs without rsyslog, /var/log/auth.log does not exist; in that case set backend = systemd in the jail so Fail2ban reads the journal instead.
Enable SSH Jail
In /etc/fail2ban/jail.local, enable SSH protection:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
With this configuration, Fail2ban monitors SSH login failures in the system log (on Debian/Ubuntu, %(sshd_log)s resolves to /var/log/auth.log). When an IP accumulates 5 failed attempts within the findtime window (default 10 minutes), it is banned for the duration specified in bantime (default 10 minutes, or whatever you configure). On Debian and Ubuntu the package already enables the sshd jail through /etc/fail2ban/jail.d/defaults-debian.conf, so this section mainly lets you tune its thresholds.
Restart the service to apply changes:
sudo systemctl restart fail2ban
Check active jails:
sudo fail2ban-client status
sudo fail2ban-client status sshd
Some Basic Configuration Examples
Example 1: Ban IP after 3 failed login attempts within 15 minutes, block for 2 hours
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 15m
bantime = 2h
Example 2: Protect Nginx from brute-force attacks
If you’re using Nginx, enable the jail:
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
Example 3: Add whitelist IPs (never banned)
In the [DEFAULT] section, list the addresses that must never be banned (single IPs, CIDR ranges and hostnames are accepted, separated by spaces):
ignoreip = 127.0.0.1/8 ::1 192.168.1.100
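To see exactly how maxretry, findtime, bantime and ignoreip interact, the following added example (not Fail2ban's own code, and not part of the original tutorial) replays constructed sshd log lines through a small model of a jail configured like Example 1 with the whitelist from Example 3. The failregex is a simplified stand-in for the real filter.d/sshd.conf (assumption: it only recognises the "Failed password" and "Invalid user" messages); the log lines and hostname "vps" are made up.

```python
"""Replay sshd log lines through a model of fail2ban's jail decision logic.

Added example, not fail2ban's code: it reproduces the maxretry/findtime/bantime/
ignoreip semantics so you can see which line triggers a ban and which does not.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a simplified failregex covering only the two most common sshd
# failure messages; the real filter.d/sshd.conf matches many more variants.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log (not real traffic). Timestamps are chronological.
SAMPLE_LOG = """\
Mar 12 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 10:00:03 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 12 10:00:05 vps sshd[1203]: Invalid user test from 203.0.113.7 port 51250
Mar 12 10:00:07 vps sshd[1204]: Failed password for root from 192.168.1.100 port 40000 ssh2
Mar 12 10:00:08 vps sshd[1205]: Accepted publickey for deploy from 198.51.100.9 port 42222 ssh2
Mar 12 10:20:00 vps sshd[1301]: Failed password for root from 198.51.100.22 port 5000 ssh2
Mar 12 10:30:00 vps sshd[1206]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar 12 10:40:00 vps sshd[1302]: Failed password for root from 198.51.100.22 port 5001 ssh2
Mar 12 11:00:00 vps sshd[1303]: Failed password for root from 198.51.100.22 port 5002 ssh2
Mar 12 12:30:00 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51270 ssh2
"""


class Jail:
    """Sliding-window failure counter with timed bans and an ignore list."""

    def __init__(self, maxretry=5, findtime=600, bantime=600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> time the ban expires

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def process(self, line, year=2024):
        """Return (ip, verdict); verdict is None (no match), 'ignored',
        'already-banned', 'failure' or 'ban'."""
        m = FAILREGEX.match(line)
        if not m:
            return None, None
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Lift bans that have expired by the time of this line.
        for banned, expiry in list(self.bans.items()):
            if expiry <= ts:
                del self.bans[banned]
        if self.is_ignored(ip):
            return ip, "ignored"
        if ip in self.bans:
            return ip, "already-banned"
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:        # ban on the Nth failure, not the (N+1)th
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ip, "ban"
        return ip, "failure"

    def banned(self):
        return sorted(self.bans)


def replay(log_text, **jail_kwargs):
    """Feed every line of log_text through a fresh Jail; return (verdicts, jail)."""
    jail = Jail(**jail_kwargs)
    verdicts = [jail.process(line) for line in log_text.splitlines()]
    return verdicts, jail


if __name__ == "__main__":
    # Example 1 thresholds (3 failures in 15 minutes, 2 hour ban) plus Example 3 whitelist.
    verdicts, jail = replay(SAMPLE_LOG, maxretry=3, findtime=15 * 60, bantime=2 * 3600,
                            ignoreip=["127.0.0.1/8", "::1", "192.168.1.100"])
    for ip, verdict in verdicts:
        print(f"{ip!s:16} {verdict}")
```

Reading the output: 203.0.113.7 is banned on its third failure within seconds, its attempt at 10:30 is reported as already banned, and its attempt at 12:30 counts as a fresh failure because the 2 hour ban has expired. 198.51.100.22 spaces its attempts 20 minutes apart, so with findtime = 15m each failure has aged out before the next one arrives and it is never banned; with the default findtime this attacker would also escape, which is why findtime and maxretry should be tuned together. 192.168.1.100 is ignored because of ignoreip.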
Manage Fail2ban with Commands
Check service status:
sudo systemctl status fail2ban
List enabled jails:
sudo fail2ban-client status
View details of a jail:
sudo fail2ban-client status sshd
Manually unban an IP:
sudo fail2ban-client set sshd unbanip 192.168.1.50
Conclusion
Fail2ban is an extremely useful tool to protect Linux servers against brute-force attacks. With just a few basic configurations, you can significantly reduce the risk of attacks on SSH, web, mail, and other services.