This article explains how to install and configure Fail2Ban to protect SSH on a Linux server.
Fail2Ban is a powerful tool that helps protect your server by automatically detecting and blocking IP addresses after repeated failed login attempts. It monitors system log files for suspicious activity, such as brute-force attacks, and responds by actively updating firewall rules to prevent further access from malicious sources. This significantly reduces the risk of unauthorised access to services like SSH and enhances the overall security of your Linux server.
Follow the guide:
- Update your system packages before installing with the following commands:
sudo apt update
sudo apt upgrade
- Now, install Fail2Ban on Debian/Ubuntu systems:
sudo apt install fail2ban
- Avoid editing the default configuration directly. Instead, create a copy to make changes safely:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
This custom jail.local file will override the default settings in jail.conf and ensure your changes are preserved during package updates.
- Enable SSH Protection in Fail2Ban:
- Open the local configuration file for editing:
sudo nano /etc/fail2ban/jail.local
- Add or update the following [sshd] section to enable SSH protection:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600
This configuration instructs Fail2Ban to monitor SSH login attempts and ban IP addresses that exceed three failed logins within 10 minutes (600 seconds), blocking them for 1 hour (3600 seconds). If your system writes authentication messages only to the systemd journal and /var/log/auth.log does not exist, set backend = systemd in the jail instead of relying on logpath, otherwise the jail will fail to start.
Key Parameters Explained:
- enabled: Activates the SSH jail
- port: SSH port (usually 22)
- filter: Defines which log entries to watch (uses sshd.conf from filter.d)
- logpath: Log file that Fail2Ban monitors
- maxretry: Number of failed attempts allowed
- findtime: Time window (in seconds) for tracking failures
- bantime: Duration (in seconds) an IP remains banned
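To see how maxretry and findtime interact, here is an added example (my own shell script, not code from this article or from the Fail2Ban project) that applies the same counting rule to a few constructed auth.log lines: a source is banned once it accumulates maxretry failures inside a trailing window of findtime seconds. The log lines, host name and addresses are constructed, and the script only recognises the "Failed password" message, whereas the real sshd filter matches many more patterns.

```shell
#!/bin/sh
# Added example, not part of the original article: a simplified re-implementation of the
# counting rule behind maxretry and findtime, run over constructed auth.log lines so the
# parameters can be understood without a live server. Assumptions: all lines fall on the
# same day, and only "Failed password" entries count (the shipped sshd filter in
# /etc/fail2ban/filter.d/sshd.conf matches more patterns than this one).

MAXRETRY=3
FINDTIME=600

# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# reserved documentation ranges.
SAMPLE_LOG='Jun 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 10 10:01:10 host sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jun 10 10:02:20 host sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jun 10 10:03:30 host sshd[1004]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jun 10 10:05:00 host sshd[1005]: Failed password for invalid user test from 198.51.100.9 port 42000 ssh2
Jun 10 10:41:00 host sshd[1006]: Failed password for invalid user test from 198.51.100.9 port 42001 ssh2
Jun 10 10:50:00 host sshd[1007]: Failed password for invalid user test from 198.51.100.9 port 42002 ssh2'

# would_ban LOG MAXRETRY FINDTIME
# Prints, one per line, every source IP that reaches MAXRETRY failed logins within a
# trailing FINDTIME-second window, in the order the ban decision would be taken.
would_ban() {
  printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
      split($3, t, ":")                       # HH:MM:SS -> seconds since midnight
      ts = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++
      when[ip, n[ip]] = ts
      c = 0                                   # failures from this IP inside the window
      for (j = 1; j <= n[ip]; j++) if (ts - when[ip, j] <= findtime) c++
      if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Stand-alone run: with the article's values only 203.0.113.5 is banned; 198.51.100.9 also
# fails three times, but its attempts are spread over more than 600 seconds.
would_ban "$SAMPLE_LOG" "$MAXRETRY" "$FINDTIME"
```

Raising findtime to 3600 with the same log makes 198.51.100.9 bannable as well, which is the trade-off the two parameters express: a short findtime tolerates slow, spread-out guessing, a long one catches it at the cost of more false positives from legitimate users who mistype a password a few times a day.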
- Optional Extras:
You can also add the following to receive email alerts (replace the placeholder address with your own):
destemail = admin@example.com
action = %(action_mwl)s
The action_mwl action bans the IP and additionally sends an email containing a whois report and the matching log lines; mail delivery requires a working local mail transfer agent.
- Fail2Ban can also protect services like Apache, Nginx, Postfix, and FTP by adding additional jails in the “jail.local” file. Custom filters are stored in:
/etc/fail2ban/filter.d/
Each filter file defines patterns that match suspicious log entries.
- Activate the Fail2Ban service so it starts automatically and begins protecting your system:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Whenever you edit jail.local afterwards, apply the changes with sudo systemctl restart fail2ban.
- To check if Fail2Ban is running and actively protecting your system, use the command:
sudo fail2ban-client status
- To view details specific to the SSH jail, including the number of currently banned IPs and recent activity, run:
sudo fail2ban-client status sshd
- To verify that Fail2Ban is functioning correctly, simulate several failed SSH login attempts from a different machine. After the number of attempts exceeds the limit set by the “maxretry” value, Fail2Ban should automatically ban the IP address. You can confirm that the IP has been blocked by listing the active firewall rules with:
sudo iptables -L
If your installation bans through nftables rather than iptables (see the banaction setting in your jail configuration), inspect the rules with sudo nft list ruleset instead.
Alternatively, you can also check the status of the SSH jail to see if the IP appears in the list of banned addresses using:
sudo fail2ban-client status sshd
This ensures your configuration is working as expected and actively protecting your server from brute-force attacks.
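For routine monitoring it helps to extract the banned addresses from the status output in a script rather than reading it by eye. The following is an added example (my own, not part of this article or of Fail2Ban) that parses the layout of fail2ban-client status sshd from a constructed sample; on a real server pass the live output to the same functions.

```shell
#!/bin/sh
# Added example, not part of the original article: helper functions that parse the text
# printed by "fail2ban-client status sshd" so a cron job or monitoring script can check
# whether a given address is currently banned or how many bans are active. The status
# text below is constructed to match the client's layout; on a real server feed the
# functions "$(sudo fail2ban-client status sshd)" instead.

SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     11
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   203.0.113.5 198.51.100.9'

# status_field STATUS LABEL -> value printed after "LABEL:" with trailing whitespace removed
status_field() {
  printf '%s\n' "$1" | awk -F': *' -v label="$2" '
    index($1, label) { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# banned_ips STATUS -> one banned address per line (nothing when the list is empty)
banned_ips() {
  status_field "$1" "Banned IP list" | tr ' ' '\n' | sed '/^$/d'
}

# currently_banned STATUS -> number of addresses banned right now
currently_banned() { status_field "$1" "Currently banned"; }

# is_banned STATUS IP -> exit status 0 when IP is in the banned list (exact match)
is_banned() { banned_ips "$1" | grep -qxF "$2"; }

# Stand-alone run over the constructed sample
echo "banned now: $(currently_banned "$SAMPLE_STATUS")"
banned_ips "$SAMPLE_STATUS"
if is_banned "$SAMPLE_STATUS" 203.0.113.5; then echo "203.0.113.5 is banned"; fi
```

On a live server the check for the machine you tested from becomes is_banned "$(sudo fail2ban-client status sshd)" YOUR_TEST_IP, and currently_banned can be logged periodically to spot a sudden rise in bans that signals a wider campaign against the host.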
With Fail2Ban configured, your server is now better protected against brute-force and unauthorised SSH access. Regularly check your logs and jail status to maintain security. If you want any help, feel free to contact our support specialists.