Fail2ban watches service logs and temporarily bans IPs that behave abusively (repeated SSH failures, HTTP probing, etc.). It complements UFW and SSH hardening.
Prerequisites
- Ubuntu/Debian (or derivative) with sudo
- The service to protect already running (e.g. sshd, nginx)
Installation
```bash
sudo apt update && sudo apt install -y fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
Basic configuration
Place custom files under /etc/fail2ban/jail.d/ so package updates do not overwrite them.
Create /etc/fail2ban/jail.d/local.conf:
```ini
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```
If you changed the SSH port, set port = 2222 (example) instead of ssh so the ban rule applies to the port you actually use.
Reload Fail2ban and confirm the jail is active:
```bash
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
```
Nginx (aggressive HTTP patterns)
Add, for example:
```ini
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
```
Adjust log paths to your setup.
Best practices
- Add your static IP to ignoreip while testing.
- Check sudo fail2ban-client status sshd after deployment.
- Bans are temporary (bantime); tune to your tolerance.
Unban an IP manually
```bash
sudo fail2ban-client set sshd unbanip 198.51.100.10
```
Troubleshooting
- No bans: ensure enabled = true, a correct logpath, and that the service actually logs failures.
- Locked out: use your provider's console / IPMI or another IP, then fix ignoreip or unban yourself.
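To see what findtime and maxretry from the configuration section actually mean, and to check the "No bans" case above (does the log contain enough matching failures inside one window?), here is an added shell script that replays a constructed auth.log excerpt through a sliding-window counter. It is not part of the original page and not fail2ban's own code: the regex is a simplified match for one sshd failure line, not the real filter.d/sshd.conf, and the timestamp conversion is an approximation that only preserves ordering within a year. The log lines and IPs are constructed samples.

```shell
#!/bin/sh
# Constructed sample auth.log excerpt (not from a real host).
# 203.0.113.5 fails 5 times within ~6 minutes; 198.51.100.7 fails 5 times
# spread across an hour; 192.0.2.9 logs in successfully.
SAMPLE_LOG='Jan 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:30 host sshd[1002]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 12:01:10 host sshd[1003]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 12:02:30 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 10 12:04:00 host sshd[1005]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 10 12:05:45 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Jan 10 12:15:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 12:30:00 host sshd[1008]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 12:45:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 10 13:00:00 host sshd[1010]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2
Jan 10 13:01:00 host sshd[1011]: Failed password for root from 198.51.100.7 port 40005 ssh2'

# would_ban FINDTIME_SECONDS MAXRETRY < logfile
# Prints, in log order, each IP at the moment its failure count within the
# trailing findtime window reaches maxretry (the point fail2ban would ban it).
# Simplified model: one regex for "Failed password", no CIDR ignoreip handling.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        # Syslog timestamp -> seconds. Month*31+day is an ordering
        # approximation, good enough for window arithmetic in this demo.
        split($3, t, ":")
        ts = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]

        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }

        n[ip]++
        times[ip, n[ip]] = ts

        # Count this IP failures that fall inside [ts - findtime, ts].
        # Log is chronological, so walk backwards and stop at the first old one.
        c = 0
        for (j = n[ip]; j >= 1; j--) {
            if (times[ip, j] >= ts - findtime) c++; else break
        }
        if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Same values as the jail.d/local.conf above: findtime = 10m, maxretry = 5.
demo_bans() {
    printf '%s\n' "$SAMPLE_LOG" | would_ban 600 5
}

# Wider window (3700s) to show how findtime alone changes the outcome.
demo_bans_wide_window() {
    printf '%s\n' "$SAMPLE_LOG" | would_ban 3700 5 | tr '\n' ' '
}

demo_bans
```

With the page's own values only 203.0.113.5 trips the jail; 198.51.100.7 never has five failures inside any 10-minute window, which is exactly the situation behind a "why is this IP not banned?" question. Widening findtime to 3700s bans it too. For the real filter, run fail2ban-regex against the actual log and the sshd filter on the host; this script only mirrors the counting logic so the effect of findtime and maxretry is visible offline.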