What this is
Fail2ban is an intrusion-prevention daemon that watches log files (for example the sshd authentication log), counts failures per source IP address, and temporarily blocks an address by inserting a firewall rule once it exceeds a configured number of failures in a time window.
What it is for
- Reduce brute-force attacks against SSH
- Automatically ban suspicious IP addresses
- Improve server security with minimal configuration
Prerequisites
- SSH access
- Sudo privileges
- A firewall backend: Fail2ban bans by inserting firewall rules, using iptables/nftables directly by default; on RHEL-family systems the packaged drop-in /etc/fail2ban/jail.d/00-firewalld.conf switches the ban action to firewalld
Step-by-step
Step 1) Install Fail2ban
Ubuntu/Debian (the service is enabled and started by the package, so the enable step is harmless but not required):
sudo apt update
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban
RHEL/Rocky/Alma (the package lives in EPEL, so enable that repository first):
sudo dnf install -y epel-release
sudo dnf install -y fail2ban
sudo systemctl enable --now fail2ban
Step 2) Check service status
sudo systemctl status fail2ban --no-pager
Expected output: Active: active (running). If the unit failed, check sudo journalctl -u fail2ban --no-pager for the reason; a missing log file for a jail is the usual cause.
Step 3) Create a local configuration (safe method)
Command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Why: jail.conf is replaced on package upgrades, while jail.local (and files in /etc/fail2ban/jail.d/) are read afterwards and override it, so local changes survive. Copying the whole file works; a jail.local that contains only the sections and keys you actually change is easier to maintain and picks up new upstream defaults automatically.
Step 4) Enable SSH protection (sshd jail)
Edit jail.local:
sudo nano /etc/fail2ban/jail.local
Find the [sshd] section and set:
[sshd]
enabled = true
port = ssh
maxretry = 5
findtime = 10m
bantime = 1h
What this means: 5 failed attempts from the same source IP within any 10-minute sliding window result in a 1-hour ban of that IP. Counting is per address, the window slides (older failures drop out as time passes), and the ban is removed automatically when bantime expires. Durations accept suffixes such as 10m, 1h and 1d; plain integers are seconds.
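To make the interaction of maxretry, findtime, bantime and ignoreip concrete, here is a small simulation of the sshd jail's decision logic run over constructed sshd log lines. This is an added example written for this page, not Fail2ban's own code: the failregex is a simplified stand-in for the real filter.d/sshd.conf, the timestamps use an RFC 3339 layout for readability, and the addresses are documentation ranges.

```python
"""Simulate Fail2ban's sshd jail decisions over constructed log lines.

Added example for this tutorial, not Fail2ban's own implementation.
Models maxretry / findtime / bantime / ignoreip with a simplified
failregex; the log lines in SAMPLE_LOG are constructed for the demo.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for filter.d/sshd.conf: matches the two most common
# sshd failure messages. The real filter has many more patterns.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (?P<ip>[\d.]+)"
)
# Constructed timestamp layout (rsyslog RFC 3339 / journalctl short-iso style).
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


class Jail:
    """Per-IP sliding-window failure counter with timed bans."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=1), ignoreip=("127.0.0.0/8", "::1")):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(list)   # ip -> timestamps inside findtime
        self.banned = {}                    # ip -> ban expiry
        self.events = []                    # ("ban"|"unban", ip, datetime)

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def _expire(self, now):
        # Lift bans whose bantime has elapsed, as Fail2ban does on its timer.
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.events.append(("unban", ip, now))

    def feed(self, line):
        """Process one log line; return ("ban", ip) when a ban is triggered."""
        m, t = FAIL_RE.search(line), TS_RE.match(line)
        if not m or not t:
            return None                      # line does not match the filter
        now, ip = datetime.fromisoformat(t["ts"]), m["ip"]
        self._expire(now)
        if self._ignored(ip) or ip in self.banned:
            return None                      # ignoreip, or already banned
        window = self.failures[ip]
        window.append(now)
        cutoff = now - self.findtime
        window[:] = [ts for ts in window if ts > cutoff]   # slide the window
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            self.events.append(("ban", ip, now))
            window.clear()
            return ("ban", ip)
        return None


def _fail(ts, ip, user="root"):
    return f"{ts} bastion sshd[2410]: Failed password for {user} from {ip} port 51122 ssh2"


def _invalid(ts, ip, user="admin"):
    return f"{ts} bastion sshd[2410]: Invalid user {user} from {ip} port 40022"


# Constructed sample: one fast brute force (203.0.113.7), one slow attacker that
# stays under 5 failures per 10 minutes (198.51.100.9), and a management host
# covered by ignoreip (192.168.1.5) that fails repeatedly but is never banned.
SAMPLE_LOG = [
    _fail("2024-05-01T10:00:00", "203.0.113.7"),
    _fail("2024-05-01T10:00:20", "203.0.113.7"),
    _fail("2024-05-01T10:00:40", "203.0.113.7"),
    _fail("2024-05-01T10:01:00", "203.0.113.7"),
    _invalid("2024-05-01T10:01:05", "192.168.1.5"),
    _fail("2024-05-01T10:01:20", "203.0.113.7"),   # 5th failure -> ban
    _fail("2024-05-01T10:02:00", "203.0.113.7"),   # already banned, ignored
] + [_fail(f"2024-05-01T10:{m:02d}:00", "198.51.100.9") for m in (5, 8, 11, 14, 17)] \
  + [_fail(f"2024-05-01T10:20:{s:02d}", "192.168.1.5") for s in range(0, 60, 10)] \
  + [_fail("2024-05-01T11:05:00", "203.0.113.7")]  # bantime elapsed -> unban first


def simulate(lines, **jail_settings):
    """Run a jail over log lines and return it for inspection."""
    jail = Jail(ignoreip=("127.0.0.0/8", "::1", "192.168.1.0/24"), **jail_settings)
    for line in lines:
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for action, ip, when in simulate(SAMPLE_LOG).events:
        print(f"{when.isoformat()} {action:5s} {ip}")
```

Running it prints a ban for 203.0.113.7 at 10:01:20 and its automatic unban at 11:05:00; 198.51.100.9 never accumulates five failures inside one 10-minute window, which is why slow, distributed brute forcing slips past these defaults, and 192.168.1.5 is excluded by ignoreip regardless of how often it fails.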
Step 5) Restart Fail2ban
sudo systemctl restart fail2ban
Step 6) Verify the jail is active
sudo fail2ban-client status
Expected output: Number of jail: 1 and Jail list: sshd (plus any other jails you enabled).
Check SSH jail details:
sudo fail2ban-client status sshd
Expected output: a Filter block with currently/total failed counts and the log file or journal being watched, and an Actions block with currently/total banned counts and the banned IP list.
Warnings & useful notes
- Add your own management address to ignoreip in the [DEFAULT] section before testing so a typo cannot lock you out. If you do ban yourself, lift it from another host or console with sudo fail2ban-client set sshd unbanip <IP>.
- If sshd listens on a non-default port, set port accordingly (example: port = 2222). The filter matches log lines regardless of port, but the firewall rule Fail2ban inserts only blocks the port(s) named here.
- On Debian 12 and other systems that ship without rsyslog, /var/log/auth.log does not exist and the sshd jail fails to start with "Have not found any log file". Set backend = systemd in the [sshd] section so Fail2ban reads sshd's messages from the journal instead.
- Bans are keyed on the source IP. A slow attacker who stays under maxretry per findtime, or a botnet spreading attempts across many addresses, is not stopped; lower the thresholds or enable the recidive jail for repeat offenders.
- Fail2ban is not a replacement for SSH keys and firewall rules; it is an additional layer.
Final verification
sudo fail2ban-client ping
sudo fail2ban-client status sshd
Expected output: Server replied: pong from the first command, and the sshd jail status (Filter and Actions blocks) from the second.
Conclusion
Fail2ban is now protecting your SSH service by banning suspicious IPs. Keep logs monitored and combine with SSH keys and firewall hardening.