Signup/Sign In

Secure SSH server with Fail2ban tool in Linux

It is crucial to know how to block Attacker IP addresses and defend your server against SSH attacks. Fail2Ban is a intrusion prevention framework written in Python. It guards against SSH brute-force attacks on Linux servers and systems. Additionally, it enables you to keep track of the attacks' potency in terms of the quantity of failed attempts at authentication.

Fail2ban works by scanning log files for specific patterns that indicate a potential security threat, such as failed login attempts or unauthorized access attempts. When these patterns are detected, fail2ban automatically adds the corresponding IP address to a blacklist and blocks any further attempts from that address.

Installing And Configuring Fail2Ban

This guide uses DebianUbuntu, but the commands are similar for other systems.

  1. update and upgrade.

  2. sudo apt update && sudo apt upgrade

Fail2Ban is free to use and can be installed through most of the popular package managers like dnf, pkg, pacman.

  1. Install Fail2Ban by running the following command:

    sudo apt-get install fail2ban

    Alternatively you can install manually by executing the following commands:
    git clone
    cd fail2ban
    sudo python install 

    Please make sure that you copy init files from files directory according to your respective operating system.
    Example (on a Debian-based system):

    cp files/debian-initd /etc/init.d/fail2ban
    update-rc.d fail2ban defaults
    service fail2ban start
  2. To ensure that Fail2ban runs on system startup, use the following command:

    sudo systemctl enable fail2ban.service

After the installation is complete, you can begin configuring Fail2Ban to set up a jail for your SSH server. The Fail2Ban configuration files are located in the /etc/fail2ban directory, as shown in the output below.

/etc/fail2ban$ ls -al
total 76
drwxr-xr-x 6 root root  4096 Dec 12 03:00 .
drwxr-xr-x 1 root root  4096 Dec 12 03:00 ..
drwxr-xr-x 2 root root  4096 Dec 12 03:00 action.d
-rw-r--r-- 1 root root  2816 Nov 23  2020 fail2ban.conf
drwxr-xr-x 2 root root  4096 Jul 12  2021 fail2ban.d
drwxr-xr-x 3 root root  4096 Dec 12 03:00 filter.d
-rw-r--r-- 1 root root 24996 Nov 23  2020 jail.conf
drwxr-xr-x 2 root root  4096 Dec 12 03:00 jail.d
-rw-r--r-- 1 root root   645 Nov 23  2020 paths-arch.conf
-rw-r--r-- 1 root root  2827 Nov 23  2020 paths-common.conf
-rw-r--r-- 1 root root   573 Nov 23  2020 paths-debian.conf
-rw-r--r-- 1 root root   738 Nov 23  2020 paths-opensuse.conf

The jail.conf file's default setting is used by Fail2Ban. However, using the default configuration files is not advised because later upgrades to the Fail2Ban package may replace them. The ideal method for configuring a specific service is to add a new configuration file with the.local extension to the /etc/fail2ban directory.

Creating SSH Jails With Fail2Ban

  1. Begin by creating a new file within the same directory called jail.local. You can then add the necessary security configurations for the sshd jail.

    sudo nano /etc/fail2ban/jail.local
  2. You can explore the options that Fail2Ban provides to customize the security and blocking of the SSH service.

    Fail2Ban Configuration Options:

    Configurations Function
    enabled Jail status (true/false) - This enables or disables the jail
    port Port specification
    filter Service specific filter (Log filter)
    logpath What log to use
    maxretry Number of attempts to make before a ban
    findtime Amount of time between failed login attempts
    bantime Number of seconds an IP is banned for
    ignoreip IP to be allowed
  3. With the information in table above you can create the jail.local configuration for OpenSSH server (sshd). Once you have entered the configuration options, the values used in this guide example are listed in the sample file below.


    You can customize the Fail2Ban configuration options and values as per your security requirements.

    File: /etc/fail2ban/jail.local

    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    findtime = 300
    bantime = 3600
    ignoreip =

  4. After you have specified the configuration options and their respective values, save the file and restart the Fail2Ban service with the following command:

    sudo systemctl restart fail2ban.service
  5. After restarting the OpenSSH server service, Fail2Ban uses this new configuration and the jail for the sshd service is activated and runs.

  6. You can now test this functionality by re-enabling PasswordAuthentication in the OpenSSH Configuration file found in /etc/ssh/sshd_config. Do this by changing the value from no to yes using the text editor of your choice. Make sure these lines are uncommented.

    File: /etc/ssh/sshd_config

  7. 1
    #To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    PermitEmptyPasswords no

This enables users to authenticate using passwords in addition to SSH key-pairs. When SSH is being brute-forced, Fail2Ban automatically recognises the attempts and blocks the users. This is helpful for user accounts that do not have administrator capabilities and significantly boosts the security of both password-based authentication and the server.

Monitoring With Fail2Ban-Client

One of Fail2Ban’s greatest advantages is that it allows you to actively monitor all the failed authentication attempts and the various IP addresses that have been blocked. This information helps you understand the scale of attacks you are facing and the geolocation of the attacks by analyzing the origins of the IP addresses.

fail2ban-client status in Linux terminal

  1. You can use the Fail2Ban-client tool to check the status of Fail2Ban and the active jails. This can be done by running the following command:

    sudo fail2ban-client status

  2. To view the status and information regarding a particular jail like sshd, you can use the following command:

    sudo fail2ban-client status sshd


Overall, fail2ban is an important tool for enhancing security and protecting against potential threats to servers and networks. It provides a powerful and effective way to monitor log files and block suspicious activity, helping to ensure that servers and networks remain secure and operational.

About the author:
Pradeep has expertise in Linux, Go, Nginx, Apache, CyberSecurity, AppSec and various other technical areas. He has contributed to numerous publications and websites, providing his readers with insightful and informative content.