Fail2Ban setup


Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading the logs of services such as SSH, ProFTPD and Apache and adding iptables rules that block the source addresses of brute-force attempts.


To install fail2ban, type the following in the terminal:

sudo apt-get install fail2ban


To configure fail2ban, make a ‘local’ copy of the jail.conf file in /etc/fail2ban, so that your changes are not overwritten when the package is upgraded:

cd /etc/fail2ban
sudo cp jail.conf jail.local

Now edit the file:

sudo nano jail.local

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and the maximum number of failed attempts allowed before a ban to your liking:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 3600
maxretry = 3

Email Notification

Note: You will need sendmail or any other MTA to do this.

If you wish to be notified of bans by email, modify this line with your email address:

destemail =

Then find the line:

action = %(action_)s

and change it to

action = %(action_mw)s

Jail Configuration

Jails are the rules that fail2ban applies to a given application/log. The SSH jail, for example, looks like this:

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

To enable another jail, such as [ssh-ddos], make sure the first line beneath its header reads:

enabled = true

Once done, restart fail2ban to put those settings into effect:

sudo /etc/init.d/fail2ban restart
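To make the jail settings above concrete, here is an added Python example (not part of the original post and not fail2ban's own code) that mimics what the sshd filter and the maxretry/bantime settings do: it matches failed-login lines from a constructed auth.log excerpt and decides which source IPs would be banned. The regex is a simplified stand-in for fail2ban's sshd failregex, findtime is fail2ban's observation window (a real option the post does not show), and the IGNOREIP entries and log lines are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values from jail.local in this how-to; findtime is fail2ban's observation
# window (a real option, not shown above). IGNOREIP entries are constructed.
MAXRETRY, BANTIME, FINDTIME = 3, 3600, 600
IGNOREIP = {"127.0.0.1", "192.0.2.10"}

# Simplified stand-in for the sshd filter's failregex: a failed login and its
# source address (fail2ban's real <HOST> pattern and regex set are richer).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

def ban_decisions(lines, year=2024):
    """Return {ip: ban_expiry} for hosts with MAXRETRY failures inside FINDTIME."""
    recent = defaultdict(list)        # ip -> failure timestamps still inside findtime
    bans, window = {}, timedelta(seconds=FINDTIME)
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                  # successful logins etc. never count
        ip = m.group("host")
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ip in IGNOREIP or ip in bans:
            continue                  # whitelisted, or already banned
        # Sliding window: forget failures older than findtime, then add this one
        recent[ip] = [t for t in recent[ip] if when - t <= window] + [when]
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = when + timedelta(seconds=BANTIME)
    return bans

# Constructed auth.log excerpt: 203.0.113.5 fails 3 times in 6 seconds (banned),
# 198.51.100.7 fails 3 times but spread past findtime, 192.0.2.10 is in ignoreip.
SAMPLE_LOG = [
    "Mar 14 10:00:01 box sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Mar 14 10:00:04 box sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Mar 14 10:00:07 box sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Mar 14 10:00:09 box sshd[2004]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2",
    "Mar 14 10:01:00 box sshd[2005]: Failed password for bob from 198.51.100.7 port 50001 ssh2",
    "Mar 14 10:20:00 box sshd[2006]: Failed password for bob from 198.51.100.7 port 50002 ssh2",
    "Mar 14 10:40:00 box sshd[2007]: Failed password for bob from 198.51.100.7 port 50003 ssh2",
    "Mar 14 10:41:00 box sshd[2008]: Failed password for root from 192.0.2.10 port 60001 ssh2",
    "Mar 14 10:41:02 box sshd[2009]: Failed password for root from 192.0.2.10 port 60002 ssh2",
    "Mar 14 10:41:04 box sshd[2010]: Failed password for root from 192.0.2.10 port 60003 ssh2",
]

if __name__ == "__main__":
    print(ban_decisions(SAMPLE_LOG))   # only 203.0.113.5, banned until 11:00:07
```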

Advanced: Filters

If you wish to tweak or add log filters, you can find them in



To test fail2ban, look at the iptables rules:

sudo iptables -L

Make a few failed login attempts against a service that fail2ban is monitoring (preferably from another machine) and look at the iptables rules again to see whether that source IP has been added.

This entry was posted in Linux How-To. Bookmark the permalink.
