How to Setup Fail2ban on Ubuntu Linux
Fail2ban protects your Ubuntu Linux server from brute-force attacks by automatically blocking suspicious IP addresses.
This security tool monitors server log files, like those for SSH, for repeated failed login attempts. When it detects a pattern of malicious activity from a specific IP, Fail2ban instructs your firewall (typically iptables or nftables) to temporarily ban that IP address.
Implementing Fail2ban for your Ubuntu server means you significantly reduce the risk of unauthorized access. You gain an automated defense system that actively shields your machine from common online threats, enhancing overall system security without constant manual oversight.
Install Fail2ban using `sudo apt update` and `sudo apt install fail2ban`. Then, copy the default configuration to `jail.local` with `sudo cp /etc/fail2ban/jail.{conf,local}` and edit it using `sudo nano /etc/fail2ban/jail.local` to set your whitelist and ban parameters. Restart the service with `sudo systemctl restart fail2ban`.
Install Fail2ban
Installing Fail2ban on Ubuntu is simple using the command line; you’ll update your package list and then install the software with just a couple of commands.
Mar 11 15:26:00 ubuntu2004 systemd: Starting Fail2Ban Service.
Mar 11 15:26:00 ubuntu2004 systemd: Started Fail2Ban Service.
Configure Fail2ban
Setting up Fail2ban involves creating a local configuration file named jail.local, which lets you make custom changes without affecting the main settings.
Run this command to create your local configuration file (requires admin privileges):
sudo cp /etc/fail2ban/jail.{conf,local}Now, open the file to start editing (requires admin privileges):
sudo nano /etc/fail2ban/jail.local
First, you should add your own IP address to the “whitelist” so you never accidentally lock yourself out. Look for the line to ignore IPs and update it:
ignoreip = 127.0.0.1/8 ::1 10.16.34.67 172.16.1.0/24
Next, adjust how strict your security is by changing these three settings:
- Bantime: How long the IP is blocked (default is 10 minutes).
Code
#"bantime" is the number of seconds that a host is banned. bantime = 10m - Findtime: The window of time to count failed attempts.
Code
#A host is banned if it has generated "maxretry" during the last "findtime" #seconds. findtime = 10m - Maxretry: How many failed tries are allowed before the ban happens.
Code
#"maxretry" is the number of failures before a host get banned. maxretry = 5
Set Up Jails
Fail2ban uses ‘jails’ to watch services like SSH for bad activity, automatically blocking suspicious IP addresses after a set number of failed attempts.
enable = true
bantime = 10m
findtime = 10min
maxretry = 5
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
After you finish making changes, save the file and restart the service so the new settings take effect (requires admin privileges):
sudo systemctl restart fail2ban
Managing Fail2ban
You can manage Fail2ban’s security using the fail2ban-client tool in your terminal to check banned IPs, unban addresses, or even ban them manually.
Summary
Fail2ban is a valuable tool for automatically protecting your Ubuntu Linux server from attacks by blocking suspicious IPs.
[1]
[1]
[sshd]
Was this guide helpful?
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.
No comments yet — be the first to share your thoughts!