Introduction
Any service that is exposed to the Internet is at risk of malware attacks. For example, if you are running a service on a publicly available network, attackers can use brute-force attempts to sign in to your account.
Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP using the system firewall for a specific length of time. When the ban period expires, the IP address is removed from the ban list.
This article describes how to install and configure Fail2ban on Ubuntu 24.04.2 LTS.
Prerequisites
To complete this guide, you will need:
- An Ubuntu 24.04.2 LTS server and a non-root user with sudo privileges. You can learn more about how to set up a user with these privileges in our Initial Server Setup with Ubuntu 24.04.2 LTS guide.
- Optionally, a second server that you can connect to your first server from, which you will use to test getting deliberately banned.
Step 1 — Installing Fail2ban
Fail2ban is available in Ubuntu’s software repositories. Begin by running the following commands as a non-root user to update your package listings and install Fail2ban:
sudo apt update
sudo apt install fail2banFail2ban will automatically set up a background service after being installed. However, it is disabled by default, because some of its default settings may cause undesired effects. You can verify this by using the systemctl command:
systemctl status fail2ban.servicefail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset:>
Active: active (running) since Wed 2025-06-18 19:00:51 UTC; 7min ago
Docs: man:fail2ban(1)
Main PID: 511807 (fail2ban-server)
Tasks: 11 (limit: 3460)
Memory: 21.3M (peak: 23.6M)
CPU: 1.579s
CGroup: /system.slice/fail2ban.service
└─511807 /usr/bin/python3 /usr/bin/fail2ban-server -xf startYou could enable Fail2ban right away, but first, you’ll review some of its features.
Configuring Fail2ban on Ubuntu 24.04.2 LTS
The /etc/fail2ban directory is the primary location for Fail2Ban configuration files and logs. This directory contains several subdirectories and files that are essential for Fail2Ban’s functionality.
Here’s a breakdown of the key components:
action.d: This directory contains action scripts that Fail2Ban uses to ban IP addresses. These scripts are specific to the firewall or service being used (e.g.,iptables,ufw,nftables).filter.d: This directory contains filter configuration files that define how Fail2Ban identifies and bans IP addresses. These filters are specific to the service being monitored (e.g.,SSH,HTTP,FTP).jail.d: This directory contains jail configuration files that define the specific services Fail2Ban monitors and the rules for banning IP addresses.paths-arch.conf,paths-common.conf,paths-debian.conf,paths-opensuse.conf: These files contain paths specific to different Linux distributions.fail2ban.conf: This is the main configuration file for Fail2Ban, which contains global settings and options.jail.conf: This file contains the default jail configurations for various services.jail.local: This file is used to override the default jail configurations. It is recommended to create ajail.localfile to ease upgrades and make customizations.fail2ban.log: This is the main log file for Fail2Ban, where it records its actions and events.
Fail2ban comes with default configuration files that you can customize according to your needs. The main configuration file is located at /etc/fail2ban/jail.conf.
However, it is recommended to create a local copy (/etc/fail2ban/jail.local) to prevent your changes from being overwritten during updates.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the local configuration file in a nano text editor.
sudo nano /etc/fail2ban/jail.local
In the configuration file, locate the [ssh] section and uncomment the lines and modify values to adjust Fail2ban’s behavior as shown.
maxretry: This defines the maximum number of failed login attempts before an IP address is banned.findtime: This sets the time window within which the maxretry attempts must occur to trigger a ban.bantime: This defines the duration for which an IP address is banned after exceeding the maxretry attempt.
Example configuration (modify as needed):
iptables -S | grep f2bFail2ban Jails
Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.
Fail2ban ships with a number of jail for different services. You can also create your own jail configurations.
By default, only the ssh jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the proftpd jail:
/etc/fail2ban/jail.local
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)sThe settings we discussed in the previous section, can be set per jail. Here is an example:
/etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 192.168.1.100The filters are located in the /etc/fail2ban/filter.d directory, stored in a file with the same name as the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.
Each time you edit a configuration file, you need to restart the Fail2ban service for changes to take effect:
Restarting Fail2ban
After making changes, restart Fail2ban to apply the new settings:
sudo systemctl restart fail2banYou can check the status of Fail2ban to ensure it’s running correctly:
sudo systemctl status fail2banStep 6: Monitoring Fail2ban
To see which IP addresses are currently banned, use the following command:
sudo fail2ban-client status sshdfail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| - Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd – Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
If you need to unban the IP address, use the following command.
sudo fail2ban-client set sshd unbanip 101.132.193.192
Ban an IP:
sudo fail2ban-client set sshd banip 218.202.219.223Test to Brute-Force via SSH
To test if multiple SSH attempts (or brute-force attacks) are being blocked, use your local IP address (found with the ip addr show command) and, from your local network (or the same system, which is perfectly fine), attempt to log in multiple times to the system with Fail2Ban configured until the limit is reached.
During or after the failed login attempts, you can monitor the Fail2Ban logs to see if the IP address has been banned.
$ sudo tail -f /var/log/fail2ban.log2025-06-18 20:01:45,745 fail2ban.filter [2751]: INFO [sshd] Found 103.194.88.65 - 2025-06-18 20:01:45
2025-06-18 20:02:23,994 fail2ban.filter [2751]: INFO [sshd] Found 218.202.219.223 - 2025-06-18 20:02:23
2025-06-18 20:02:26,244 fail2ban.filter [2751]: INFO [sshd] Found 218.202.219.223 - 2025-06-18 20:02:25
2025-06-18 20:02:32,995 fail2ban.filter [2751]: INFO [sshd] Found 99.249.80.59 - 2025-06-18 20:02:32
2025-06-18 20:02:33,494 fail2ban.filter [2751]: INFO [sshd] Found 85.122.56.15 - 2025-06-18 20:02:33
2025-06-18 20:02:34,994 fail2ban.filter [2751]: INFO [sshd] Found 99.249.80.59 - 2025-06-18 20:02:34
2025-06-18 20:02:35,495 fail2ban.filter [2751]: INFO [sshd] Found 85.122.56.15 - 2025-06-18 20:02:35
2025-06-18 20:03:11,495 fail2ban.filter [2751]: INFO [sshd] Found 203.252.10.3 - 2025-06-18 20:03:11
2025-06-18 20:03:13,244 fail2ban.filter [2751]: INFO [sshd] Found 203.252.10.3 - 2025-06-18 20:03:12
2025-06-18 20:05:27,244 fail2ban.filter [2751]: INFO [sshd] Found 183.238.65.117 - 2025-06-18 20:05:26
2025-06-18 20:05:28,995 fail2ban.filter [2751]: INFO [sshd] Found 183.238.65.117 - 2025-06-18 20:05:28
2025-06-18 20:06:11,994 fail2ban.filter [2751]: INFO [sshd] Found 77.90.185.94 - 2025-06-18 20:06:11Conclusion
Fail2ban is a powerful tool to protect your Ubuntu 24.04.2 LTS server from brute-force attacks. By following the steps outlined in this guide, you can install, configure, and use Fail2ban to significantly reduce the risk of unauthorized access to your server, ensuring a more secure environment for your data and applications.
