How to Install and Configure Fail2Ban on Ubuntu (Complete Guide)
Fail2Ban is one of the most effective tools to protect your server against brute-force attacks.
It works by monitoring log files and automatically banning IP addresses that show malicious behavior.
In this guide, you will learn how to install, configure, and test Fail2Ban on Ubuntu — with fully working examples.
What is Fail2Ban and How It Works
Fail2Ban scans log files (like SSH or web server logs) and detects repeated failed login attempts.
When a threshold is reached, it blocks the attacker’s IP using firewall rules.
- Monitors logs in real-time
- Detects suspicious patterns
- Bans IPs automatically
- Unbans them after a set time
Step 1: Update Your System
sudo apt update
sudo apt upgrade -y
Always start with an up-to-date system.
Step 2: Install Fail2Ban
sudo apt install fail2ban -y
Once installed, Fail2Ban will start automatically.
Step 3: Check Service Status
sudo systemctl status fail2ban
You should see:
Active: active (running)
Step 4: Create Local Configuration
Never edit the default config file directly. Instead, create a local override file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Step 5: Basic Configuration
Edit the configuration file:
sudo nano /etc/fail2ban/jail.local
Set Global Defaults
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd
- bantime: how long an IP is blocked (in seconds)
- findtime: time window (in seconds) in which failed attempts are counted
- maxretry: number of failures within findtime before an IP is banned
Step 6: Enable SSH Protection
This is the most important protection.
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
This will block brute-force login attempts on SSH.
Step 7: Protect NGINX (Optional but Recommended)
Enable NGINX Login Protection
[nginx-http-auth]
enabled = true
Enable Bad Bots Protection
[nginx-badbots]
enabled = true
Step 8: Restart Fail2Ban
sudo systemctl restart fail2ban
Step 9: Check Active Jails
sudo fail2ban-client status
Example output:
Status
|- Number of jail: 1
`- Jail list: sshd
Check Specific Jail
sudo fail2ban-client status sshd
Step 10: Manually Ban or Unban IP
Ban an IP
sudo fail2ban-client set sshd banip 1.2.3.4
Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4
Step 11: Test Fail2Ban
Try logging into SSH with the wrong password multiple times.
After exceeding the limit, your IP should be blocked.
Check banned IPs:
sudo fail2ban-client status sshd
⚡ Advanced: Create Custom Filter (WordPress Example)
Create Filter File
sudo nano /etc/fail2ban/filter.d/wordpress.conf
[Definition]
failregex = ^<HOST>.*"(POST /wp-login\.php|POST /xmlrpc\.php)
ignoreregex =
Create Jail
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 5
Common Mistakes
- Editing jail.conf instead of jail.local
- Using wrong log paths
- Not restarting Fail2Ban after changes
- Locking yourself out (always whitelist your IP!)
Whitelist Your IP (Very Important)
ignoreip = 127.0.0.1/8 YOUR_IP
Add this under [DEFAULT] to prevent banning yourself.
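The Python sketch below is an added example, not part of the original guide or of Fail2Ban itself. It replays the wordpress failregex and the maxretry, findtime and ignoreip settings from this page over a constructed nginx access log to show which hosts would be banned. The names simulate and make_line, the IPv4-only stand-in for <HOST>, and the sample log are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only here; an assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The wordpress failregex from this page, with <HOST> expanded and dots escaped.
FAILREGEX = re.compile(r"^" + HOST + r'.*"(POST /wp-login\.php|POST /xmlrpc\.php)')
TIMESTAMP = re.compile(r"\[([^\]]+)\]")  # nginx access-log time field

def simulate(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.1/8",)):
    """Return {host: ban time} for hosts with maxretry matches inside findtime seconds."""
    allow = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    hits, banned = defaultdict(deque), {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m or m.group("host") in banned:
            continue
        host = m.group("host")
        if any(ipaddress.ip_address(host) in net for net in allow):
            continue  # whitelisted addresses are never counted
        when = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = hits[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget matches older than findtime
        if len(window) >= maxretry:
            banned[host] = when
    return banned

def make_line(ip, clock, request, status):
    return f'{ip} - - [12/Mar/2024:{clock} +0000] "{request}" {status} 512 "-" "sample-agent"'

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = (
    # Five POSTs in 40 seconds: reaches maxretry inside findtime.
    [make_line("203.0.113.10", f"10:00:{s:02d}", "POST /wp-login.php HTTP/1.1", 200) for s in range(0, 50, 10)]
    # Five POSTs three minutes apart: at most four fall inside any 600 s window.
    + [make_line("198.51.100.7", f"10:{m:02d}:00", "POST /xmlrpc.php HTTP/1.1", 200) for m in (0, 3, 6, 9, 12)]
    # GET requests never match the failregex.
    + [make_line("192.0.2.44", f"10:00:{s:02d}", "GET /wp-login.php HTTP/1.1", 200) for s in range(6)]
    # The regex ignores the status code, so POSTs answered with 302 count as well.
    + [make_line("192.0.2.99", f"11:00:{s:02d}", "POST /wp-login.php HTTP/1.1", 302) for s in range(5)]
)

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG))
```

The last sample host shows that this filter counts every POST to wp-login.php regardless of the response, so a busy legitimate user can reach maxretry unless listed in ignoreip. On a live server, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf` tests the real filter against the real log.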
FAQ
Is Fail2Ban enough to secure my server?
No — it’s one layer. Combine it with firewall rules and proper server configuration.
Does Fail2Ban affect performance?
Very minimal impact. It’s lightweight and efficient.
Can Fail2Ban block DDoS attacks?
Not fully. It helps with brute-force attacks but not large-scale DDoS.
What happens after ban time expires?
The IP is automatically unbanned.
Can I use Fail2Ban with Apache?
Yes — it supports Apache, NGINX, SSH, and many other services.
Final Thoughts
Fail2Ban is a powerful and essential tool for any Ubuntu server.
With just a few configurations, you can significantly reduce malicious traffic and protect your system.
The key is combining it with other security practices for a strong defense.