How to use and install fail2ban


In this article you will learn how to use and install fail2ban under Linux / UNIX environments.


For this article we are using the Debian-based operating system Ubuntu 12.04 LTS.

Note: This works under Ubuntu 10.04 LTS, Ubuntu 13, CentOS / RHEL / Redhat Enterprise Linux, Debian 6 and Debian 7.


Why is security compromised?

Most often dedicated servers, VPS, cloud VMs or hosts are not entirely secure. This weak security usually comes down to a basic SSH configuration and services such as an FTP server or HTTP server left running. In short, there are many malicious exploits, cracking tools and brute-force attacks that can compromise a running service.


Fail2ban to the rescue

To reduce these potential pitfalls and to block further requests after a defined activity, “Fail2ban” is extremely useful.


Fail2Ban works by scanning log files and carrying out the actions defined for a particular service, or for any process that repeatedly fails to log in, whether as “root” or as any other user.


It is an intrusion prevention framework. Its main purpose is to block IP addresses of those hosts that are trying to breach the system's security or service.

We recommend every Linux/UNIX system administrator implement “Fail2ban” as it helps harden the server security.


In this article you’ll learn to install Fail2ban in order to secure your SSH service. It can be done for other services as well. It has a very extensive and well documented configuration file.


You either need to run the commands below as root and drop the sudo prefix, or, if you are logged in as a regular user, run them with sudo.


sudo apt-get update

sudo apt-get upgrade


The first command updates the package repository lists and the second upgrades the installed packages against the updated repositories. This is always good practice before launching into a new install.


Now, to start with, we will first install “Fail2Ban” using the command below:

sudo apt-get install fail2ban


After the installation is complete you’re ready to configure Fail2Ban and its default configuration file.


Edit the file “jail.conf” in the /etc/fail2ban/ directory:


sudo vim /etc/fail2ban/jail.conf


There are many services already present in this file; by following this article you will secure SSH with Fail2Ban. You can follow the same steps to secure other services, whether they are already present in the file or not.


Every section in this file is already configured but turned off by default. We can change the settings for the respective services and turn them on according to our policy.


There is a section in the file, “[DEFAULT]”, which defines “ignoreip”: the IP address or whole subnet that is whitelisted and will never be blacklisted or blocked.


The configuration file's block will look something like the one below:



# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto

# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost


We set our IP “” to be whitelisted for any action we take against the server; as such, it will not be blocked.


You can add multiple IPs by separating them with a space. The line for multiple IPs will look like below:

ignoreip =


Blacklist the bad guys

The “bantime” is the length of time for which we want the bad guys to be blocked or blacklisted after they violate the rules we defined.


The default “bantime” is 10 minutes; the value must be given in seconds.


“maxretry” is the maximum number of incorrect login attempts allowed. The default value is “3”, which is usually sufficient and fair.


You may leave the “backend” directive set to auto.

“destemail” is the email address to which the alert about the violation, along with the IP that was blacklisted, will be sent.


If you want to set your own “MTA” for sending emails, see the “ACTIONS” section:


mta = sendmail


The default is sendmail, which Fail2ban will use to send alerts about the violating action and the blacklisted IP.


Now, if we move down the Fail2ban config file, we will find a section called “[ssh]” which we will use to secure our SSH server.


It will look like the following:



[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6


The “enabled” line simply states whether this jail is enabled or disabled: “true” enables it and “false” disables it.


The “port” line defines the SSH port, which is “22” by default; if you run SSH on a custom port, change the port line as in the example below:

port     = 11999


This means our SSH server is running on port 11999.


The “filter” line names the rule file fail2ban uses for the particular service; these files live in the “/etc/fail2ban/filter.d” directory and, since we are securing SSH, the file is “sshd.conf”.


The “logpath” line is the log file which fail2ban will scan in order to take the necessary action.


The “maxretry” line is the maximum number of failed login attempts allowed; you may change this to “3”, which is fair enough.
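To make the interplay of “ignoreip”, “maxretry” and “bantime” concrete, here is an added Python example (not part of the article, and not fail2ban's own code) that reproduces, in simplified form, what the sshd jail does: it matches failed-login lines in a constructed auth.log sample, skips whitelisted addresses, and bans a host once its failures reach maxretry. The failregex, the log lines and the year 2015 are assumptions, not the real filter.d/sshd.conf filter.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not from the article); the year is assumed to be 2015.
SAMPLE_AUTH_LOG = """\
Dec  3 20:31:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec  3 20:31:04 host sshd[2101]: Failed password for root from 203.0.113.5 port 51235 ssh2
Dec  3 20:31:09 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Dec  3 20:31:20 host sshd[2105]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Dec  3 20:31:21 host sshd[2105]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Dec  3 20:31:22 host sshd[2105]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Dec  3 20:31:25 host sshd[2106]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
Dec  3 20:32:00 host sshd[2107]: Failed password for root from 198.51.100.7 port 33001 ssh2
Dec  3 20:32:01 host sshd[2108]: Failed password for root from 198.51.100.7 port 33002 ssh2
"""

# Simplified stand-in for one failregex from filter.d/sshd.conf (an assumption, not the real filter).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)

def is_ignored(host, ignoreip):
    """True if host lies inside any ignoreip entry (a single IP or a CIDR mask)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)

def scan_bans(log_text, ignoreip=(), maxretry=3, bantime=600, year=2015):
    """Return {ip: ban_expiry}; expiry is the maxretry-th failure's time plus bantime seconds."""
    failures = Counter()
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # line does not match the filter (e.g. a successful login)
        host = m.group("host")
        if host in bans or is_ignored(host, ignoreip):
            continue  # already banned, or whitelisted via ignoreip
        failures[host] += 1
        if failures[host] >= maxretry:
            banned_at = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            bans[host] = banned_at + timedelta(seconds=bantime)
    return bans

if __name__ == "__main__":
    for ip, until in scan_bans(SAMPLE_AUTH_LOG, ignoreip=["192.0.2.0/24"]).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

With the sample input, 203.0.113.5 is banned at its third failure, 192.0.2.10 escapes the ban only because its subnet is in ignoreip, and 198.51.100.7 stays below maxretry; raising maxretry to the article's 6 bans nobody.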


Great, we have configured Fail2ban for our SSH server; now it's time to restart the Fail2ban service for the changes to take effect.


sudo service fail2ban restart


To check whether an IP has been blocked or blacklisted, we can use the command below:


sudo iptables -L -n


Banned IPs for SSH by Fail2ban look like below:


Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --
RETURN     all  --


If you want to remove an IP address from the banned SSH list shown by the command above, run the command below to delete it:


sudo iptables -D fail2ban-ssh -s -j DROP


In our case the bad guy was “”. With the last command we have removed “” from the blocked state and the blacklist.
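As an added example (not from the article), the Python below reads a constructed sample of the `iptables -L -n` output shown above, lists the sources DROPped in the fail2ban-ssh chain, and builds the article's manual unban command for each of them; the sample addresses are made up.

```python
# Constructed sample of `sudo iptables -L -n` output (not captured from a real host).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.5          0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

def banned_sources(iptables_output, chain="fail2ban-ssh"):
    """Return the source addresses that the given fail2ban chain DROPs."""
    banned = []
    in_chain = False
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            # "Chain fail2ban-ssh (1 references)" opens the chain we care about
            in_chain = line.split()[1] == chain
            continue
        fields = line.split()
        if in_chain and fields and fields[0] == "DROP":
            banned.append(fields[3])  # columns: target prot opt source destination
    return banned

def unban_commands(iptables_output, chain="fail2ban-ssh"):
    """Build the article's manual unban command for every banned source."""
    return [f"sudo iptables -D {chain} -s {ip} -j DROP"
            for ip in banned_sources(iptables_output, chain)]

if __name__ == "__main__":
    for cmd in unban_commands(SAMPLE_IPTABLES):
        print(cmd)
```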

This article has been provided by Codero Hosting, the leading provider of reliable dedicated, managed and cloud hosting services. Need more information on this topic or want to learn more about Codero's hosting services? Please visit www.codero.com, chat with us online or give us a call at 866-2-CODERO.

Last update:
2015-12-03 20:39