Fail2Ban Configuration

Fail2Ban monitors log files for failed authentication attempts and automatically bans IP addresses that show signs of brute-force activity. It is particularly effective against SSH brute-force attacks, which hit every internet-facing server constantly. Fail2Ban is not a replacement for disabling password authentication, but it is a valuable layer of defense against automated attacks and reduces noise in your logs.

How Fail2Ban works

Log file          Filter (regex)         Jail config
/var/log/auth.log → matches "Failed pass" → maxretry=5, bantime=1h
                                            ↓
                                    5 failures from 1.2.3.4 in 10min
                                            ↓
                              iptables/nftables rule: DROP from 1.2.3.4
                                            ↓
                                    Ban expires → IP unblocked

Installing and enabling

sudo apt install -y fail2ban

# IMPORTANT: Never edit /etc/fail2ban/jail.conf directly
# It gets overwritten on package updates
# Create local overrides in /etc/fail2ban/jail.local

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

sudo systemctl enable --now fail2ban
sudo systemctl status fail2ban

Configuring jails

/etc/fail2ban/jail.local — key settings in [DEFAULT] and [sshd]

[DEFAULT]
# Fail2Ban only treats ';' as an inline comment marker, so keep '#' comments on their own lines
# Ban duration (use -1 for permanent)
bantime  = 1h
# Time window for counting failures
findtime = 10m
# Failures before ban
maxretry = 5
# Use journald (recommended on Ubuntu)
backend  = systemd
# Never ban these IPs (add your management IP here before tightening anything)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

[sshd]
enabled  = true
# or: 22,2222 if using a custom port
port     = ssh
# Use the pre-built sshd filter
filter   = sshd
# Only used by file backends; with backend = systemd the journal is read instead
logpath  = %(sshd_log)s
# Stricter for SSH: 3 attempts
maxretry = 3
# 24-hour ban for SSH attackers
bantime  = 24h

sudo systemctl reload fail2ban

Monitoring bans and unblocking

# View status of all jails
sudo fail2ban-client status

# View specific jail status (banned IPs, total bans)
sudo fail2ban-client status sshd

fail2ban-client status sshd output

Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 847
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned: 156
   `- Banned IP list: 185.220.101.1 91.134.166.20 43.153.55.10

# Unban an IP (e.g., if you accidentally locked yourself out)
sudo fail2ban-client set sshd unbanip 192.168.1.100

# Check fail2ban logs
sudo journalctl -u fail2ban -f

# Test a filter against a log file
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Writing custom jails

# Protect nginx from HTTP login brute force
# /etc/fail2ban/jail.local:
[nginx-http-auth]
enabled  = true
port     = http,https
# Pre-existing filter shipped in /etc/fail2ban/filter.d/
filter   = nginx-http-auth
# This jail reads a file, so override the backend = systemd set in [DEFAULT]
backend  = auto
logpath  = /var/log/nginx/error.log
maxretry = 5
bantime  = 30m

# Protect any custom application log:
# Create filter /etc/fail2ban/filter.d/myapp.conf:
[Definition]
# <HOST> is required: Fail2Ban substitutes its own IP/hostname pattern for it
# and bans whatever that group captures; a failregex without <HOST> is rejected
failregex = ^.*Failed login for .* from <HOST>\s*$
ignoreregex =

# Then create jail (in /etc/fail2ban/jail.local):
[myapp]
enabled = true
# File-based log, so override the backend = systemd set in [DEFAULT]
backend = auto
logpath = /var/log/myapp/auth.log
filter  = myapp
maxretry = 10
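To make the jail mechanics from "How Fail2Ban works" and the <HOST> requirement from the custom filter above concrete, here is a small Python simulation added for this page (not Fail2Ban's own code): it expands <HOST> the way fail2ban-regex expects, replays constructed sshd-style log lines through the [sshd] settings shown earlier, and returns which hosts end up banned and until when. HOST_RE, simulate_jail, the sample lines and the simplified sshd failregex are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

HOST_RE = r"(?P<host>[\w.:\-]+)"   # simplified stand-in for Fail2Ban's <HOST> expansion

def compile_failregex(failregex):
    if "<HOST>" not in failregex:
        raise ValueError("failregex must contain <HOST>")   # same check fail2ban-regex makes
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def is_ignored(host, networks):
    try:
        return any(ip_address(host) in net for net in networks)
    except ValueError:              # hostname rather than an IP literal: never in ignoreip
        return False

def simulate_jail(lines, failregex, maxretry, findtime, bantime, ignoreip=()):
    # jail.local semantics: maxretry matches from one host within findtime -> ban for bantime
    pattern = compile_failregex(failregex)
    networks = [ip_network(n, strict=False) for n in ignoreip]
    failures, banned_until, bans = {}, {}, []
    for ts, text in lines:                      # (datetime, log line), in log order
        m = pattern.search(text)
        if not m or is_ignored(m.group("host"), networks):
            continue
        host = m.group("host")
        if ts < banned_until.get(host, ts):
            continue                            # still banned: attempts are not re-counted
        recent = [t for t in failures.get(host, []) if ts - t <= findtime] + [ts]
        failures[host] = recent
        if len(recent) >= maxretry:
            banned_until[host] = ts + bantime
            failures[host] = []
            bans.append((host, ts, banned_until[host]))
    return bans

# Constructed sshd-style sample (not real traffic); minutes are offsets from T0
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_LINES = [(T0 + timedelta(minutes=m),
                 f"sshd[1234]: Failed password for root from {ip} port 5022 ssh2")
                for m, ip in [(0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
                              (3, "203.0.113.7"),           # arrives while already banned
                              (0, "192.168.1.50"), (1, "192.168.1.50"), (2, "192.168.1.50"),
                              (0, "198.51.100.9"), (15, "198.51.100.9"), (30, "198.51.100.9")]]
SSHD_FAILREGEX = r"^.*Failed password for .* from <HOST> port \d+ ssh2$"

def demo():
    # Mirrors the [sshd] jail above: maxretry=3, findtime=10m, bantime=24h, LAN in ignoreip
    return simulate_jail(SAMPLE_LINES, SSHD_FAILREGEX, maxretry=3, findtime=timedelta(minutes=10),
                         bantime=timedelta(hours=24), ignoreip=["127.0.0.1/8", "192.168.1.0/24"])
```

Only 203.0.113.7 is banned (three failures inside ten minutes); the LAN host is skipped by ignoreip and 198.51.100.9 never reaches three failures within one findtime window.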

Conclusion

Fail2Ban requires three elements to work: a log path, a filter (regex to detect failures), and a jail (when/how long to ban). The default sshd jail protects against SSH brute force out of the box — just enable it and set appropriate bantime and maxretry. Always add your management IP to ignoreip before tightening settings. Monitor with fail2ban-client status sshd and use fail2ban-client set sshd unbanip to quickly unblock a legitimate IP that was accidentally banned.

FAQ

Can Fail2Ban replace SSH keys and firewall rules?

No. Fail2Ban is an extra security layer. Use SSH keys, disable root login, restrict access with a firewall or VPN where possible, and keep Ubuntu updated.

Why is Fail2Ban not banning IP addresses?

Check whether the jail is enabled, whether logs are available through journald or /var/log/auth.log, whether the filter matches the log format, and whether the firewall action is applying rules correctly.

What should I do if I ban myself?

Use another trusted session, console, or cloud provider recovery access, then run sudo fail2ban-client set sshd unbanip YOUR_IP. Add your trusted IP to ignoreip after you recover.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.