Installing and configuring Fail2ban

How to protect your SSH server from brute-force attacks with Fail2ban.

Fail2ban is a daemon that watches your log files and automatically bans IP addresses that show suspicious behaviour — too many failed login attempts, port scans, and similar patterns. It's one of the simplest and most effective ways to keep brute-force attacks from hammering your SSH server.

Installation

Ubuntu / Debian:

apt-get install fail2ban

CentOS:

yum install fail2ban

How the configuration is structured

Fail2ban has two main config files:

  • /etc/fail2ban/fail2ban.conf — controls how the Fail2ban process itself starts and runs
  • /etc/fail2ban/jail.conf — defines protection rules for specific services, including SSH

The jail.conf file is divided into sections called jails — each one targets a specific service and attack type:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3
banaction = iptables-multiport

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Settings in the [DEFAULT] section apply to every jail unless explicitly overridden in a specific section.

The [ssh] jail handles protection against repeated failed login attempts — classic brute-force.

Key parameters explained

  • ignoreip — IP addresses that should never be banned. Accepts a space-separated list of single IPs, CIDR ranges (such as 127.0.0.1/8), or DNS names.
  • bantime — how long (in seconds) an IP stays banned before being automatically released.
  • maxretry — the number of matching events that triggers a ban. For [ssh], this is the number of failed login attempts.
  • findtime — the time window (in seconds) in which maxretry events must occur for a ban to kick in. Defaults to 600 seconds (10 minutes).
  • enabled — set to true to activate a jail, false to disable it.
  • port — the port your service listens on. For SSH, this is 22 or the alias ssh.
  • filter — the name of the filter file containing the regex patterns Fail2ban uses to detect suspicious events. The sshd filter lives at /etc/fail2ban/filter.d/sshd.conf.
  • logpath — the log file Fail2ban monitors. All login activity (successful and failed) is recorded in /var/log/auth.log by default.

Configuration best practices

Never edit jail.conf directly. Fail2ban is designed to be customised through .local files — they're loaded automatically and take priority over the defaults. This way your changes survive package updates.

Create your own override file:

nano /etc/fail2ban/jail.local

Here's a solid starting configuration:

[DEFAULT]
# Your server's static IP — this prevents you from accidentally banning yourself.
# If you don't set this here, comment out ignoreip in jail.conf instead.
ignoreip = 57.66.158.131

[ssh]
# If within 1 hour...
findtime  = 3600
# ...there are 6 failed login attempts...
maxretry  = 6
# ...ban that IP for 24 hours.
bantime   = 86400

Why you should change ignoreip: the default value of 127.0.0.1/8 is a security gap on shared servers. If an attacker compromises any shell account on the machine, they can run a brute-force tool locally — and Fail2ban will happily ignore it because the traffic looks like it's coming from localhost.
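Before restarting with a new ignoreip, it is worth checking which addresses the list actually covers: 127.0.0.1/8 is the whole 127.x.x.x block, not one host, and a typo in your admin IP leaves you one failed login away from banning yourself. The following helper is an added example, not code from the article or from the Fail2ban project: it applies the same IPv4 prefix matching Fail2ban uses for ignoreip entries (plain IPs or CIDR ranges; DNS names are skipped here, and IPv6 is not handled). The addresses in the usage lines are the article's own example IP and constructed test values.

```shell
#!/bin/sh
# Added example (not part of the original article or of Fail2ban itself):
# answer "would this address be skipped by ignoreip?" before restarting.
# Assumptions: IPv4 only; entries are single IPs or CIDR ranges separated by
# spaces, exactly as ignoreip expects. DNS-name entries are ignored here.

# ip_in_ignoreip ADDRESS "IGNOREIP_LIST"
# Exit status 0 when ADDRESS falls inside any entry of the list, 1 otherwise.
ip_in_ignoreip() {
    awk -v addr="$1" -v list="$2" '
        # dotted quad -> 32-bit integer
        function to_int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            a = to_int(addr)
            n = split(list, entries, " ")
            for (i = 1; i <= n; i++) {
                net = entries[i]
                bits = 32                       # a bare IP is a /32
                if (index(net, "/")) {
                    split(net, p, "/"); net = p[1]; bits = p[2]
                }
                if (net !~ /^[0-9.]+$/) continue   # DNS name: not resolved here
                # Compare only the top "bits" bits of both addresses. POSIX awk
                # has no bitwise AND, so shift right by dividing by 2^(32-bits).
                shift = 2 ^ (32 - bits)
                if (int(to_int(net) / shift) == int(a / shift)) exit 0
            }
            exit 1
        }'
}

# Usage: the default list versus the override suggested in this article.
DEFAULT_IGNOREIP="127.0.0.1/8"
LOCAL_IGNOREIP="57.66.158.131"
for ip in 127.0.0.1 127.200.1.1 57.66.158.131 203.0.113.10; do
    if ip_in_ignoreip "$ip" "$DEFAULT_IGNOREIP"; then d=ignored; else d=bannable; fi
    if ip_in_ignoreip "$ip" "$LOCAL_IGNOREIP";   then l=ignored; else l=bannable; fi
    echo "$ip: default=$d  jail.local=$l"
done
```

Run it once with the exact ignoreip value you intend to put in jail.local and the address you administer from; if your own address comes back as "bannable", fix the list before the restart, not after.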

Why you should increase findtime: botnets running "slow brute-force" attacks are specifically designed to beat the default 10-minute window. With maxretry = 6, an attacker can try 5 passwords, wait 10 minutes, try 5 more, and repeat indefinitely without ever getting banned. Raising findtime to an hour or more closes that gap.
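The interaction between findtime and maxretry described above (and the meaning of those two parameters in the list earlier on this page) is easiest to see by replaying a log through the same sliding-window rule. The script below is an added example, not code from the article or from Fail2ban: it reads constructed /var/log/auth.log lines, applies a simplified stand-in for the sshd failregex (the real pattern lives in /etc/fail2ban/filter.d/sshd.conf and is more thorough), and reports which IPs would reach maxretry failures inside a findtime window. Assumptions: all sample lines fall on the same day, so timestamps are reduced to seconds since midnight; the three client addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example (not part of the original article or of Fail2ban): a model of
# the findtime/maxretry decision for the [ssh] jail, run over constructed log
# lines so it works offline. Same-day timestamps are assumed.

# Constructed auth.log excerpt: 203.0.113.10 fires 6 attempts in 90 seconds,
# 198.51.100.7 sends 5 attempts, waits about 11 minutes, then sends 5 more
# (the "slow brute-force" pattern), and alice at 192.0.2.5 mistypes twice.
SAMPLE_LOG='Mar  5 10:00:00 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  5 10:00:01 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Mar  5 10:00:10 host sshd[1003]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  5 10:00:15 host sshd[1004]: Failed password for invalid user admin from 203.0.113.10 port 51001 ssh2
Mar  5 10:00:20 host sshd[1005]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  5 10:00:30 host sshd[1006]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar  5 10:00:35 host sshd[1007]: Failed password for alice from 192.0.2.5 port 60000 ssh2
Mar  5 10:00:40 host sshd[1008]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar  5 10:00:45 host sshd[1009]: Failed password for invalid user admin from 203.0.113.10 port 51002 ssh2
Mar  5 10:00:50 host sshd[1010]: Failed password for alice from 192.0.2.5 port 60000 ssh2
Mar  5 10:01:00 host sshd[1011]: Failed password for invalid user admin from 203.0.113.10 port 51003 ssh2
Mar  5 10:01:05 host sshd[1012]: Accepted password for alice from 192.0.2.5 port 60000 ssh2
Mar  5 10:01:15 host sshd[1013]: Failed password for invalid user admin from 203.0.113.10 port 51004 ssh2
Mar  5 10:01:30 host sshd[1014]: Failed password for invalid user admin from 203.0.113.10 port 51005 ssh2
Mar  5 10:11:00 host sshd[1015]: Failed password for root from 198.51.100.7 port 40006 ssh2
Mar  5 10:11:10 host sshd[1016]: Failed password for root from 198.51.100.7 port 40007 ssh2
Mar  5 10:11:20 host sshd[1017]: Failed password for root from 198.51.100.7 port 40008 ssh2
Mar  5 10:11:30 host sshd[1018]: Failed password for root from 198.51.100.7 port 40009 ssh2
Mar  5 10:11:40 host sshd[1019]: Failed password for root from 198.51.100.7 port 40010 ssh2'

# would_ban FINDTIME MAXRETRY   (log lines on stdin)
# Prints each IP that accumulates MAXRETRY failures inside a sliding
# FINDTIME-second window, once, in the order the ban would be triggered.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" '
        # Simplified stand-in for the sshd failregex: a failed-password line
        # carrying a dotted-quad source address.
        /Failed password for .* from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ {
            match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)
            ip = substr($0, RSTART + 5, RLENGTH - 5)
            split($3, hms, ":")                      # syslog HH:MM:SS field
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]  # seconds since midnight
            n[ip]++
            seen[ip, n[ip]] = t
            # Count failures of this IP inside the window (t - findtime, t].
            inwin = 0
            for (i = 1; i <= n[ip]; i++)
                if (seen[ip, i] > t - findtime) inwin++
            if (inwin >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# Usage: the stock 10-minute window versus the 1-hour window from jail.local.
echo "findtime=600  maxretry=6 bans:"
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 6
echo "findtime=3600 maxretry=6 bans:"
printf '%s\n' "$SAMPLE_LOG" | would_ban 3600 6
```

With findtime=600 only the fast attacker is caught: the slow one never has more than five failures inside any 10-minute window. With findtime=3600 its sixth attempt at 10:11:00 lands in the same window as the first five and the ban fires, which is exactly the gap the longer window closes.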

Restarting Fail2ban

Once your configuration is in place, restart the service:

service fail2ban restart

Help

If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!
