Fail2ban
Block IP addresses after repeated failed authentication attempts.
Installation
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban
Configuration
The default config files are /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf.
Do not edit these directly - they get overwritten on updates. Use local overrides instead.
/etc/fail2ban/jail.d/jail.local
[DEFAULT]
bantime = 24h # duration of the ban
findtime = 10m # time window to count failures
maxretry = 3 # number of failures before ban
ignoreip = 127.0.0.1/8 ::1 # never ban these IPs (add your own IP here)
# SSH jail (enabled by default on most systems)
[sshd]
enabled = true
port = ssh # or custom port, e.g. 2222
findtime + maxretry: if an IP fails maxretry times within findtime, it gets banned for bantime.
Useful Commands
# Reload config after changes
sudo systemctl reload fail2ban
# List active jails
sudo fail2ban-client status
# Status of a specific jail (e.g. sshd)
sudo fail2ban-client status sshd
# Unban an IP
sudo fail2ban-client set sshd unbanip <IP>
# Ban an IP manually
sudo fail2ban-client set sshd banip <IP>
# Live logs
sudo tail -f /var/log/fail2ban.log
How It Works
- Fail2ban watches log files (e.g. /var/log/auth.log for SSH).
- It matches lines against filters (regex patterns).
- When an IP hits maxretry failures within findtime, it triggers an action (usually an iptables rule to block the IP).
- The ban is lifted automatically after bantime.
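The findtime/maxretry/bantime rule above, as an added Python simulation (not fail2ban's own code): a cut-down sshd failregex is run over constructed auth.log lines and the function reports which addresses a jail with the given settings would ban, including the lifting of a ban once bantime elapses. The sample log lines, the simplified regex and the fixed year in parse_ts are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines in the shape fail2ban's sshd filter reads (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  3 10:00:04 host sshd[1002]: Failed password for root from 203.0.113.5 port 41023 ssh2
Mar  3 10:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar  3 10:00:09 host sshd[1004]: Failed password for root from 203.0.113.5 port 41024 ssh2
Mar  3 10:20:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 5001 ssh2
Mar  3 10:31:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 5002 ssh2
Mar  3 10:42:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 5003 ssh2
"""

# Cut-down stand-in for one pattern of fail2ban's sshd failregex (assumption).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port"
)

def parse_ts(ts):
    # syslog timestamps carry no year; a fixed year is assumed for the simulation
    return datetime.strptime("2024 " + ts, "%Y %b %d %H:%M:%S")

def simulate(log, maxretry=3, findtime=600, bantime=86400, ignoreip=()):
    """Return [(ip, ban_time_str)] as a jail with these settings (seconds) would ban."""
    findtime, bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
    failures = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    banned_until = {}              # ip -> when the ban expires
    bans = []
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m or m.group("ip") in ignoreip:
            continue               # no failregex hit, or whitelisted address
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue           # still banned: the firewall rule is dropping this IP
            del banned_until[ip]   # bantime elapsed, ban lifted
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()       # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans.append((ip, str(ts)))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans
```

With the defaults (maxretry 3, findtime 10m) only 203.0.113.5 is banned; 198.51.100.7 spaces its failures 11 minutes apart, so each one falls out of the window before the count reaches three.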