
Fail2Ban: Block SSH Brute Force Attacks - Try.Direct Blog


Fail2Ban: Block SSH Brute Force Attacks

What Is Fail2Ban?

Fail2Ban is an intrusion prevention framework that monitors logs for suspicious activity and automatically bans attacking IP addresses. It's essential for protecting SSH services from automated brute-force attacks. When Fail2Ban detects repeated failed login attempts, it temporarily blocks the attacker's IP address at the firewall level, preventing further attack attempts.

Quick Answer

Fail2Ban automatically blocks IPs after repeated failed login attempts. Install: sudo apt install fail2ban. Create /etc/fail2ban/jail.local with jail configs (sshd: 3 failures in 5 minutes = 30-minute ban). Restart: sudo systemctl restart fail2ban. Monitor: sudo fail2ban-client status sshd.

Installation on Ubuntu 24.04 & Debian 12

Step-by-Step Setup

Step 1: Update package lists

sudo apt update

Step 2: Install Fail2Ban and systemd integration

sudo apt install -y fail2ban fail2ban-systemd

Step 3: Verify installation

fail2ban-client --version

Step 4: Start the service

sudo systemctl start fail2ban

Step 5: Enable on system boot

sudo systemctl enable fail2ban

Configuration

Fail2Ban uses configuration files in /etc/fail2ban/. The main configuration is in jail.conf, but never edit this directly. Instead, create a jail.local file with your custom settings:

sudo nano /etc/fail2ban/jail.local

Basic Configuration Example

[DEFAULT]
# Global settings (comments go on their own lines; Fail2Ban does not treat a trailing "#" as a comment)
# Ban for 30 minutes
bantime = 1800
# Check the last 5 minutes
findtime = 300
# Ban after 3 failures
maxretry = 3

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

# The repeat-offender jail and filter shipped with Fail2Ban are named "recidive"
# (filter.d/recidive.conf); it reads Fail2Ban's own log and re-bans IPs that were banned before
[recidive]
enabled = true
filter = recidive
action = iptables-multiport[name=Recidivism, port="ssh,http,https"]
logpath = /var/log/fail2ban.log
# Repeat offenders get a 24-hour ban
bantime = 86400
findtime = 86400
maxretry = 2

Configuration Parameters Explained

  • bantime: Duration (in seconds) to ban an IP. Set to -1 for permanent ban
  • findtime: Time window (in seconds) to look for failures
  • maxretry: Number of failures before ban is triggered
  • enabled: Whether this jail is active
  • port: Service port to monitor (ssh, http, etc.)
  • filter: Log parsing rules to use
  • logpath: Log file to monitor

Whitelisting IP Addresses

Add trusted IPs that should never be banned. Edit /etc/fail2ban/jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.0.2.50 203.0.113.0/24

[sshd]
enabled = true
# ... rest of sshd configuration

Understanding IP Ranges

  • 127.0.0.1/8 - The whole IPv4 loopback range (127.0.0.0/8), i.e. localhost
  • ::1 - IPv6 localhost
  • 192.0.2.50 - Single IP address (your office)
  • 203.0.113.0/24 - CIDR notation for a subnet (256 IPs)

Verify whitelisted IPs:

sudo fail2ban-client get sshd ignoreip
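To make the interaction of findtime, maxretry, bantime and ignoreip concrete, here is an added Python simulation (not part of the original article and not Fail2Ban's own code) that replays constructed auth.log lines through the same rules as the jail.local above. It assumes a simplified version of the sshd failregex and a fixed year for the syslog timestamps; the hostnames, usernames and IPs are invented.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified stand-in for the sshd failregex (the real filter.d/sshd.conf matches many more shapes)
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def run_jail(lines, findtime=300, maxretry=3, bantime=1800, ignoreip=()):
    """maxretry failures inside findtime seconds -> ban for bantime seconds,
    unless the IP is in ignoreip. Returns [(ip, banned_at, banned_until), ...]."""
    ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent, banned_until, bans = {}, {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not a failure line (e.g. "Accepted publickey")
        ts = datetime.strptime("2026 " + m["ts"], "%Y %b %d %H:%M:%S")  # syslog has no year; assume one
        ip = m["ip"]
        if any(ipaddress.ip_address(ip) in net for net in ignore):
            continue  # whitelisted: never counted, never banned
        if ts < banned_until.get(ip, ts):
            continue  # already banned; the firewall rule would drop this attempt
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window  # only failures still inside the findtime window count
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            recent[ip] = []  # counter resets once the ban fires
    return bans

# Constructed sample auth.log lines (not captured from a real host)
SAMPLE_LOG = """\
Mar 14 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 14 10:00:05 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar 14 10:00:09 host sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 14 10:00:20 host sshd[1205]: Accepted publickey for deploy from 192.0.2.50 port 40000 ssh2
Mar 14 10:01:00 host sshd[1210]: Failed password for root from 203.0.113.9 port 50000 ssh2
Mar 14 10:01:05 host sshd[1211]: Failed password for root from 203.0.113.9 port 50001 ssh2
Mar 14 10:01:10 host sshd[1212]: Failed password for root from 203.0.113.9 port 50002 ssh2
Mar 14 10:02:00 host sshd[1220]: Failed password for alice from 192.0.2.77 port 40010 ssh2
Mar 14 10:06:00 host sshd[1221]: Failed password for alice from 192.0.2.77 port 40011 ssh2
Mar 14 10:20:00 host sshd[1222]: Failed password for alice from 192.0.2.77 port 40012 ssh2
"""

def demo():
    # defaults match the jail.local above (3 failures in 5 minutes -> 30-minute ban), plus the ignoreip list
    return run_jail(SAMPLE_LOG.splitlines(), ignoreip=("127.0.0.1/8", "::1", "203.0.113.0/24"))
```

Only 198.51.100.7 is banned: 203.0.113.9 is inside the whitelisted /24, and 192.0.2.77's third failure falls outside the 5-minute findtime window, so its counter never reaches 3.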

Monitoring and Management

Check jail status

sudo fail2ban-client status sshd

View currently banned IPs

sudo fail2ban-client get sshd banip

View all jails

sudo fail2ban-client status

Unban an IP manually

sudo fail2ban-client set sshd unbanip 203.0.113.100

View live logs

sudo tail -f /var/log/fail2ban.log

Restart Fail2Ban After Configuration Changes

After editing jail.local, restart the service:

sudo systemctl restart fail2ban

Verify the changes took effect:

sudo fail2ban-client get sshd maxretry

Advanced: Custom SSH Port

If you're running SSH on a non-standard port (e.g., 2222), update the configuration:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Best Practices for 2026

  • Set reasonable ban times: 30 minutes for casual attempts, 24 hours for repeat offenders
  • Use low maxretry: 3 failed attempts is standard; consider 2 for high-security environments
  • Whitelist trusted networks: Add office, VPN, and admin IPs to ignoreip
  • Monitor logs regularly: Watch for patterns of attacks
  • Combine with other security: SSH keys, key-only auth, change default port
  • Enable recidivism jail: Harder penalties for repeat attackers
  • Review jails regularly: Ensure all jails are properly configured

Integration with SSH Key Authentication

For maximum security, use SSH keys AND Fail2Ban together:

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3

# Combined with Fail2Ban in jail.local
[sshd]
maxretry = 3

Troubleshooting

Jail not starting

sudo fail2ban-client status
sudo systemctl status fail2ban
sudo journalctl -u fail2ban -n 20

Check filter parsing

sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Test configuration file syntax

sudo fail2ban-client -d

Verify log path exists

ls -l /var/log/auth.log