
How To Install Fail2Ban on Ubuntu 24.04.2 LTS

Introduction

Any service that is exposed to the Internet is at risk of malware attacks. For example, if you are running a service on a publicly available network, attackers can use brute-force attempts to sign in to your account.

Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP using the system firewall for a specific length of time. When the ban period expires, the IP address is removed from the ban list.

This article describes how to install and configure Fail2ban on Ubuntu 24.04.2 LTS.

Prerequisites

To complete this guide, you will need:

  • An Ubuntu 24.04.2 LTS server and a non-root user with sudo privileges. You can learn more about how to set up a user with these privileges in our Initial Server Setup with Ubuntu 24.04.2 LTS guide.
  • Optionally, a second server that you can connect to your first server from, which you will use to test getting deliberately banned.

Step 1 — Installing Fail2ban

Fail2ban is available in Ubuntu’s software repositories. Begin by running the following commands as a non-root user to update your package listings and install Fail2ban:

sudo apt update
sudo apt install fail2ban

Fail2ban will automatically set up a background service after being installed. However, it is disabled by default, because some of its default settings may cause undesired effects. You can verify this by using the systemctl command:

systemctl status fail2ban.service
fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset:>
     Active: active (running) since Wed 2025-06-18 19:00:51 UTC; 7min ago
       Docs: man:fail2ban(1)
   Main PID: 511807 (fail2ban-server)
      Tasks: 11 (limit: 3460)
     Memory: 21.3M (peak: 23.6M)
        CPU: 1.579s
     CGroup: /system.slice/fail2ban.service
             └─511807 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

You could enable Fail2ban right away, but first, you’ll review some of its features.

Configuring Fail2ban on Ubuntu 24.04.2 LTS

The /etc/fail2ban directory is the primary location for Fail2Ban configuration files and logs. This directory contains several subdirectories and files that are essential for Fail2Ban’s functionality.

Here’s a breakdown of the key components:

  • action.d: This directory contains action scripts that Fail2Ban uses to ban IP addresses. These scripts are specific to the firewall or service being used (e.g., iptables, ufw, nftables).
  • filter.d: This directory contains filter configuration files that define how Fail2Ban identifies and bans IP addresses. These filters are specific to the service being monitored (e.g., SSH, HTTP, FTP).
  • jail.d: This directory contains jail configuration files that define the specific services Fail2Ban monitors and the rules for banning IP addresses.
  • paths-arch.conf, paths-common.conf, paths-debian.conf, paths-opensuse.conf: These files contain paths specific to different Linux distributions.
  • fail2ban.conf: This is the main configuration file for Fail2Ban, which contains global settings and options.
  • jail.conf: This file contains the default jail configurations for various services.
  • jail.local: This file is used to override the default jail configurations. It is recommended to create a jail.local file to ease upgrades and make customizations.
  • fail2ban.log: This is the main log file for Fail2Ban, where it records its actions and events.

Fail2ban comes with default configuration files that you can customize according to your needs. The main configuration file is located at /etc/fail2ban/jail.conf.

However, it is recommended to create a local copy (/etc/fail2ban/jail.local) to prevent your changes from being overwritten during updates.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the local configuration file in the nano text editor.

sudo nano /etc/fail2ban/jail.local

In the configuration file, locate the [sshd] section, uncomment the relevant lines, and modify the values to adjust Fail2ban’s behavior as shown.

  • maxretry: This defines the maximum number of failed login attempts before an IP address is banned.
  • findtime: This sets the time window within which the maxretry attempts must occur to trigger a ban.
  • bantime: This defines the duration for which an IP address is banned after reaching the maxretry limit.

Example configuration (modify as needed):

iptables -S | grep f2b

Fail2ban Jails

Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.

Fail2ban ships with a number of jails for different services. You can also create your own jail configurations.

By default, only the sshd jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the proftpd jail:

/etc/fail2ban/jail.local

[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

The settings we discussed in the previous section can be set per jail. Here is an example:

/etc/fail2ban/jail.local

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 4w
ignoreip  = 127.0.0.1/8 192.168.1.100
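
To see how maxretry, findtime, bantime and ignoreip from the [sshd] jail above interact, the following Python code replays fail2ban.log "Found" entries through a simplified model of the counting logic. It is an added example, not Fail2ban's own code: the names parse_duration and simulate_bans, the reduced set of time suffixes, and the sample log entries are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: only the s/m/h/d/w suffixes are modelled; Fail2ban accepts more.
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# "Found" entries in the format shown in /var/log/fail2ban.log.
FOUND = re.compile(r"INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+) - "
                   r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def parse_duration(value):
    """Convert a jail.local time value ('600', '10m', '1d', '4w') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def simulate_bans(lines, maxretry, findtime, bantime, ignoreip="", jail="sshd"):
    """Return [(ip, banned_at, unbanned_at)] for one jail, in log order."""
    window, ban_for = (timedelta(seconds=parse_duration(v)) for v in (findtime, bantime))
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    failures, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:
        m = FOUND.search(line)
        if not m or m["jail"] != jail:
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue                      # ignoreip: never counted, never banned
        if ts < banned_until.get(ip, datetime.min):
            continue                      # ban still active
        seen = failures[ip]
        seen.append(ts)
        while ts - seen[0] > window:      # forget failures older than findtime
            seen.popleft()
        if len(seen) >= maxretry:         # threshold reached: ban, reset counter
            banned_until[ip] = ts + ban_for
            bans.append((ip, ts, banned_until[ip]))
            seen.clear()
    return bans

# Constructed sample log (documentation and private addresses, not real hosts).
SAMPLE = [f"{ts},000 fail2ban.filter [2751]: INFO [sshd] Found {ip} - {ts}" for ts, ip in [
    ("2025-06-17 19:00:00", "198.51.100.20"), ("2025-06-18 20:00:01", "203.0.113.7"),
    ("2025-06-18 20:00:05", "192.168.1.100"), ("2025-06-18 20:00:09", "203.0.113.7"),
    ("2025-06-18 20:00:12", "192.168.1.100"), ("2025-06-18 20:00:15", "192.168.1.100"),
    ("2025-06-18 20:01:00", "198.51.100.20"), ("2025-06-18 20:02:00", "203.0.113.7"),
    ("2025-06-18 20:05:00", "198.51.100.20")]]
```

Calling simulate_bans(SAMPLE, 3, "1d", "4w", "127.0.0.1/8 192.168.1.100") with the jail's values bans only 203.0.113.7: 192.168.1.100 is exempt through ignoreip, and 198.51.100.20 never has three failures inside one day.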

The filters are located in the /etc/fail2ban/filter.d directory, stored in a file with the same name as the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.

Each time you edit a configuration file, you need to restart the Fail2ban service for changes to take effect.

Restarting Fail2ban

After making changes, restart Fail2ban to apply the new settings:

sudo systemctl restart fail2ban

You can check the status of Fail2ban to ensure it’s running correctly:

sudo systemctl status fail2ban

Step 6: Monitoring Fail2ban

To see which IP addresses are currently banned, use the following command:

sudo fail2ban-client status sshd

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

If you need to unban the IP address, use the following command.

sudo fail2ban-client set sshd unbanip 101.132.193.192

Ban an IP:

sudo fail2ban-client set sshd banip 218.202.219.223

Testing Brute-Force Blocking via SSH

To test whether repeated SSH login attempts (or brute-force attacks) are being blocked, find your local IP address with the ip addr show command. Then, from your local network (or the same system, which is perfectly fine), attempt to log in multiple times to the system with Fail2Ban configured until the limit is reached.

During or after the failed login attempts, you can monitor the Fail2Ban logs to see if the IP address has been banned.

$ sudo tail -f /var/log/fail2ban.log
2025-06-18 20:01:45,745 fail2ban.filter [2751]: INFO [sshd] Found 103.194.88.65 - 2025-06-18 20:01:45
2025-06-18 20:02:23,994 fail2ban.filter [2751]: INFO [sshd] Found 218.202.219.223 - 2025-06-18 20:02:23
2025-06-18 20:02:26,244 fail2ban.filter [2751]: INFO [sshd] Found 218.202.219.223 - 2025-06-18 20:02:25
2025-06-18 20:02:32,995 fail2ban.filter [2751]: INFO [sshd] Found 99.249.80.59 - 2025-06-18 20:02:32
2025-06-18 20:02:33,494 fail2ban.filter [2751]: INFO [sshd] Found 85.122.56.15 - 2025-06-18 20:02:33
2025-06-18 20:02:34,994 fail2ban.filter [2751]: INFO [sshd] Found 99.249.80.59 - 2025-06-18 20:02:34
2025-06-18 20:02:35,495 fail2ban.filter [2751]: INFO [sshd] Found 85.122.56.15 - 2025-06-18 20:02:35
2025-06-18 20:03:11,495 fail2ban.filter [2751]: INFO [sshd] Found 203.252.10.3 - 2025-06-18 20:03:11
2025-06-18 20:03:13,244 fail2ban.filter [2751]: INFO [sshd] Found 203.252.10.3 - 2025-06-18 20:03:12
2025-06-18 20:05:27,244 fail2ban.filter [2751]: INFO [sshd] Found 183.238.65.117 - 2025-06-18 20:05:26
2025-06-18 20:05:28,995 fail2ban.filter [2751]: INFO [sshd] Found 183.238.65.117 - 2025-06-18 20:05:28
2025-06-18 20:06:11,994 fail2ban.filter [2751]: INFO [sshd] Found 77.90.185.94 - 2025-06-18 20:06:11

Conclusion

Fail2ban is a powerful tool to protect your Ubuntu 24.04.2 LTS server from brute-force attacks. By following the steps outlined in this guide, you can install, configure, and use Fail2ban to significantly reduce the risk of unauthorized access to your server, ensuring a more secure environment for your data and applications.
