How to Install and Configure Fail2ban to Protect SSH on Ubuntu Server

Learning how to install and configure Fail2ban to protect SSH on Ubuntu Server is one of the smartest moves you can make for your server security. Every server exposed to the internet faces constant brute-force attacks. Bots scan millions of IP addresses daily, hammering SSH ports with thousands of login attempts. Fail2ban solves this problem automatically. It monitors your log files, detects suspicious activity, and bans offending IP addresses using firewall rules. This tutorial walks you through the complete setup process. You’ll install Fail2ban, create a custom jail configuration, and verify that your server is actively blocking attackers. By the end, your SSH service will have a strong automated defense layer running in the background.

Prerequisites for How to Install and Configure Fail2ban to Protect SSH on Ubuntu Server

Before you begin, make sure you have the following in place.

Required access and software:
– A server running Ubuntu 20.04 or Ubuntu 22.04 LTS
– Root or sudo user access
– SSH access to your server
– Basic familiarity with the Linux command line

Estimated time: 15–20 minutes

You should also confirm that your server’s package list is up to date. Run this command before starting:

sudo apt update && sudo apt upgrade -y

Check your Ubuntu version if you’re unsure:

lsb_release -a

You don’t need any prior experience with Fail2ban. This guide assumes you know how to connect to your server via SSH and run basic commands. If your server uses a non-standard SSH port, note that port number now. You’ll need it later when editing the jail configuration. Make sure UFW or iptables is available on your system, since Fail2ban uses firewall rules to ban IP addresses.

Step-by-Step Guide: How to Install and Configure Fail2ban to Protect SSH on Ubuntu Server


Follow these steps carefully to get Fail2ban running on your server.

Step 1: Install Fail2ban

Install Fail2ban from the default Ubuntu repositories.

sudo apt install fail2ban -y

Once the installation finishes, check that the service is running:

sudo systemctl status fail2ban

You should see “active (running)” in the output.

Step 2: Enable Fail2ban on boot

Make sure Fail2ban starts automatically after a reboot.

sudo systemctl enable fail2ban

Step 3: Create a local jail configuration file

Never edit the default /etc/fail2ban/jail.conf file directly. Updates can overwrite your changes. Create a local override file instead:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now open the local file for editing:

sudo nano /etc/fail2ban/jail.local

Step 4: Configure the SSH jail settings

Inside jail.local, find the [DEFAULT] section near the top. Update these key values:

[DEFAULT]
bantime  = 1h
findtime  = 10m
maxretry = 5
banaction = iptables-multiport

Here’s what each setting does:
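– bantime: How long an IP stays banned. Set to 1 hour.
– findtime: The window Fail2ban checks for failed attempts. Set to 10 minutes.
– maxretry: Number of failures before a ban. Set to 5.
– banaction: The action Fail2ban uses to apply a ban. iptables-multiport blocks the banned IP with iptables rules.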

Step 5: Enable the SSH jail

Scroll down to find the [sshd] section. Update it like this:

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3

If your server uses a custom SSH port, replace ssh with your port number. For example: port = 2222.

Save the file with Ctrl+X, then Y, then Enter.

Step 6: Restart Fail2ban to apply changes

sudo systemctl restart fail2ban

Step 7: Verify the SSH jail is active

Check that Fail2ban loaded your configuration correctly:

sudo fail2ban-client status sshd

You’ll see output showing the jail is active, along with the number of currently banned IPs. You can also view all active jails:

sudo fail2ban-client status

Step 8: Test and monitor ban activity

Watch the Fail2ban log to see bans happening in real time:

sudo tail -f /var/log/fail2ban.log

To manually unban an IP address if needed:

sudo fail2ban-client set sshd unbanip 192.168.1.100

Replace 192.168.1.100 with the actual IP you want to unban.
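
To predict which entries should appear in fail2ban.log, the following added example (not part of the original tutorial and not Fail2ban's own code) models how the values from Steps 4 and 5 interact: the [sshd] maxretry of 3 overrides the [DEFAULT] value of 5, and only failures inside the 10-minute findtime window count. The jail fragment, the log lines and all function names are constructed for illustration, and the log matching is a simplified stand-in for the real sshd filter.

```python
import configparser, re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed jail.local fragment with the values from Steps 4 and 5.
JAIL_LOCAL = """
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
[sshd]
maxretry = 3
"""
# Constructed auth.log lines; addresses are from documentation ranges.
AUTH_LOG = """\
Mar 10 12:00:00 web1 sshd[801]: Failed password for root from 203.0.113.9 port 50001 ssh2
Mar 10 12:00:01 web1 sshd[802]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar 10 12:02:10 web1 sshd[803]: Failed password for invalid user admin from 203.0.113.5 port 40030 ssh2
Mar 10 12:04:30 web1 sshd[804]: Failed password for root from 203.0.113.5 port 40041 ssh2
Mar 10 12:07:00 web1 sshd[805]: Failed password for root from 203.0.113.9 port 50002 ssh2
Mar 10 12:15:00 web1 sshd[806]: Failed password for root from 203.0.113.9 port 50003 ssh2
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
FAILED = re.compile(r"(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def seconds(value):
    # '10m' -> 600; a bare number is already seconds (simplified parser).
    return int(value[:-1]) * UNITS[value[-1]] if value[-1] in UNITS else int(value)

def effective(config_text, jail="sshd"):
    """Resolve jail settings; keys absent from the jail fall back to [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return int(cp[jail]["maxretry"]), seconds(cp[jail]["findtime"]), seconds(cp[jail]["bantime"])

def simulate(log_text, config_text, year=2024):
    """Return [(ip, banned_at, unbanned_at)] expected for these log lines."""
    maxretry, findtime, bantime = effective(config_text)
    recent, banned_until, bans = defaultdict(list), {}, []
    for m in filter(None, map(FAILED.match, log_text.splitlines())):
        ip, ts = m.group(2), datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if banned_until.get(ip, ts) > ts:
            continue  # still inside an active ban
        # Keep only failures inside the findtime window, including this one.
        recent[ip] = [t for t in recent[ip] + [ts] if (ts - t).total_seconds() <= findtime]
        if len(recent[ip]) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            recent[ip] = []
    return bans
```

Here 203.0.113.5 is banned on its third failure, while 203.0.113.9 also fails three times but never three times within any 10-minute window, so it stays unbanned.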

For deeper reading on Fail2ban configuration options, check the official Fail2ban documentation. It covers advanced filter creation and custom actions in detail.

Troubleshooting Common Issues When Configuring Fail2ban to Protect SSH

Even with a clean setup, you might run into a few problems. Here are the most common ones and how to fix them.

Fail2ban won’t start after configuration changes

Check the Fail2ban log for errors:

sudo journalctl -u fail2ban --no-pager | tail -30

A syntax error in jail.local is usually the cause. Open the file and double-check your formatting. Indentation and spacing matter.

The SSH jail shows as inactive

Make sure the enabled = true line is present in the [sshd] section. Also confirm the log path is correct for your system. On Ubuntu 22.04, SSH logs go to the systemd journal. Set the backend to systemd if needed:

[sshd]
enabled = true
backend = systemd

Your own IP got banned

This happens during testing. Unban yourself immediately:

sudo fail2ban-client set sshd unbanip YOUR_IP_ADDRESS

To prevent this in the future, whitelist your IP in the [DEFAULT] section of jail.local:

ignoreip = 127.0.0.1/8 ::1 YOUR_IP_ADDRESS

Bans aren’t persisting after reboot

By default, Fail2ban clears bans on restart. To make bans permanent, you can increase bantime significantly or use a database backend. Check the Ubuntu Server documentation for persistent storage options with Fail2ban.

Fail2ban isn’t detecting failed logins

Confirm that your SSH service is actually logging failed attempts:

sudo grep "Failed password" /var/log/auth.log | tail -10

If nothing shows up, your log path in jail.local may point to the wrong file.

Conclusion

You now know how to install and configure Fail2ban to protect SSH on Ubuntu Server. Your server will automatically detect and block brute-force login attempts without any manual intervention. This setup takes only minutes but provides real, ongoing protection against one of the most common attack types on public servers.

From here, consider expanding your Fail2ban setup to protect other services. You can create jails for Apache, Nginx, or Postfix using the same approach. Regularly review your /var/log/fail2ban.log file to stay aware of attack patterns targeting your server. Pair Fail2ban with strong SSH key authentication and a properly configured firewall for the best results.
