đŸ›Ąī¸ Fail2ban SSH Protection Setup

Automatically block IP addresses that repeatedly fail SSH authentication attempts

🔒 Security ⏱️ 10 minutes 📊 Beginner 👤 Security Team

Step 1: Install Fail2ban

Install the Fail2ban package from the official Ubuntu/Debian repositories. This intrusion prevention system monitors log files and bans IPs that show malicious signs.

sudo apt update
sudo apt install -y fail2ban
ℹ️ Installation Notes
The package includes default configuration files and systemd service definitions. Fail2ban will be installed but not yet configured for your specific needs.
Step 2: Create the Jail Configuration

Create a local configuration file that overrides the default settings. Never edit the main jail.conf file directly, as it is overwritten during package updates.

sudo tee /etc/fail2ban/jail.local >/dev/null <<'INI'
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = systemd
maxretry = 5
bantime = 3600
findtime = 600
INI

Configuration Explanation:

  • enabled = true → Activates the SSH jail protection
  • port = ssh → Monitors your SSH port (default 22)
  • logpath = %(sshd_log)s → Uses the predefined SSH log path variable from Fail2ban's paths configuration (with the systemd backend the journal is read instead)
  • backend = systemd → Reads the systemd journal as the log source
  • maxretry = 5 → Ban IP after 5 failed attempts
  • bantime = 3600 → Ban IP for 1 hour (3600 seconds)
  • findtime = 600 → Count failures within 10 minutes (600 seconds)
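As an added example (not part of the original guide or of Fail2ban's own code), the following script replays the maxretry/findtime rule above over constructed journal-style lines and prints the source IPs that would be banned; the sample IPs are documentation ranges, and the time parsing assumes all lines fall on the same day.

```shell
#!/bin/sh
# Added example (not part of the original guide or of Fail2ban itself):
# replay the sshd jail's counting rule over constructed journal lines to
# see which source IPs reach maxretry failures inside the findtime window.
MAXRETRY=5
FINDTIME=600   # seconds; both values match the jail.local above

# Constructed sample in `journalctl -o short-iso` style, all on one day.
# 203.0.113.7 fails 5 times in under 4 minutes; 198.51.100.9 fails 5 times
# spread over 50 minutes, so no 600-second window ever holds 5 failures.
SAMPLE_LOG='2024-01-10T12:00:01+0000 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-01-10T12:01:10+0000 host sshd[102]: Failed password for root from 203.0.113.7 port 51235 ssh2
2024-01-10T12:02:15+0000 host sshd[103]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
2024-01-10T12:03:20+0000 host sshd[104]: Failed password for root from 203.0.113.7 port 51237 ssh2
2024-01-10T12:03:55+0000 host sshd[105]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-01-10T12:10:00+0000 host sshd[106]: Failed password for root from 198.51.100.9 port 40001 ssh2
2024-01-10T12:25:00+0000 host sshd[107]: Failed password for root from 198.51.100.9 port 40002 ssh2
2024-01-10T12:40:00+0000 host sshd[108]: Failed password for root from 198.51.100.9 port 40003 ssh2
2024-01-10T12:55:00+0000 host sshd[109]: Failed password for root from 198.51.100.9 port 40004 ssh2
2024-01-10T12:58:30+0000 host sshd[110]: Accepted publickey for deploy from 192.0.2.5 port 2222 ssh2
2024-01-10T13:00:00+0000 host sshd[111]: Failed password for root from 198.51.100.9 port 40005 ssh2'

# would_ban LOGTEXT: print each IP (once) that would trip the jail.
would_ban() {
  printf '%s\n' "$1" | awk -v max="$MAXRETRY" -v win="$FINDTIME" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # HH:MM:SS -> seconds since midnight (sample lines share one day)
      split(substr($1, 12, 8), t, ":")
      ts = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (!(ip in start)) start[ip] = 0
      hits[ip, cnt[ip]++] = ts
      # drop failures older than findtime from the front of the window
      while (start[ip] < cnt[ip] && ts - hits[ip, start[ip]] > win) start[ip]++
      if (cnt[ip] - start[ip] >= max && !(ip in banned)) {
        banned[ip] = 1
        print ip
      }
    }'
}

would_ban "$SAMPLE_LOG"   # prints: 203.0.113.7
```

Widening FINDTIME to 3600 makes the slow attempts from 198.51.100.9 count as well, which is the trade-off the findtime setting controls.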
Step 3: Start and Enable the Service

Enable Fail2ban to start automatically on boot and start the service immediately to begin protecting your system.

sudo systemctl enable --now fail2ban
✅ Service Enabled
The --now flag both enables the service for boot and starts it immediately. Fail2ban is now monitoring your SSH logs.
Step 4: Restart to Apply Configuration

Restart the Fail2ban service to apply your custom jail configuration. This ensures your SSH protection settings are active.

sudo systemctl restart fail2ban
⚠️ Configuration Reload
Always restart Fail2ban after making configuration changes to ensure the new settings take effect.
Step 5: Check Service Status

Verify that Fail2ban is running correctly and has loaded your configuration without errors.

sudo systemctl status fail2ban --no-pager
👀 Expected Output
Look for Active: active (running) and no error messages in the status output.
Step 6: Verify Active Jails

Check that your SSH jail is active and monitoring for intrusion attempts. This confirms your protection is working.

sudo fail2ban-client status
# Expected output:
# Status
# |- Number of jail:      1
# `- Jail list:   sshd

For detailed information about the SSH jail status:

sudo fail2ban-client status sshd
📊 Jail Details
The detailed status shows currently banned IPs, total bans, and filter statistics for the SSH jail.
✓ Protection Active

Your server is now protected by Fail2ban. The system will automatically monitor SSH logs and ban IP addresses that exceed the failed login threshold.

🛡️ Security Active
Fail2ban is now watching SSH logs and will ban IPs that fail login attempts more than 5 times within 10 minutes. Banned IPs will be blocked for 1 hour.

Useful Commands for Monitoring:

  • sudo fail2ban-client status → List all active jails
  • sudo fail2ban-client status sshd → Detailed SSH jail status
  • sudo fail2ban-client unban <IP> → Manually unban an IP address
  • sudo journalctl -u fail2ban -f → Watch Fail2ban logs in real-time
  • sudo fail2ban-client reload → Reload configuration without restart