Fail2Ban tutorial: install and configure from scratch

Install Fail2Ban on Ubuntu or Debian, configure the SSH jail, set up the correct firewall backend, and verify banning works.

What You Will Need

  • An Ubuntu 22.04+ or Debian 12+ server with root or sudo access.
  • SSH access to the server.

Step 1: Install Fail2Ban on Ubuntu

Fail2Ban is packaged in the default Ubuntu and Debian repositories. Install it with apt:

sudo apt update
sudo apt install fail2ban

Fail2Ban starts automatically after installation. Verify the service is running:

sudo systemctl status fail2ban

Step 2: Create a Local Configuration File for Fail2Ban

Fail2Ban reads /etc/fail2ban/jail.conf for default settings and /etc/fail2ban/jail.local for overrides. Package updates overwrite jail.conf, so all customizations belong in jail.local:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Alternatively, create a minimal jail.local with only the settings to override.

Step 3: Configure the SSH Jail in Fail2Ban

Open /etc/fail2ban/jail.local and configure the [sshd] jail. The backend = systemd setting tells Fail2Ban to read SSH authentication logs from the systemd journal:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
backend = systemd
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh

maxretry = 5 bans an IP after 5 failed attempts within the findtime window (10 minutes here); failures older than findtime no longer count toward the threshold. bantime = 1h blocks the IP for one hour, and addresses listed in ignoreip are never counted or banned.

Step 4: Set the Correct Firewall Backend for Fail2Ban

Fail2Ban defaults to iptables-multiport for ban actions. On Ubuntu 24.04+ and Debian 13+, the default firewall backend is nftables. Set the correct banaction in jail.local:

For systems using nftables:

[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports

For systems using UFW:

[DEFAULT]
banaction = ufw
banaction_allports = ufw

Step 5: Restart Fail2Ban and Verify the Jail

Restart Fail2Ban to apply the configuration:

sudo systemctl restart fail2ban

Check the sshd jail status:

sudo fail2ban-client status sshd
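The status command prints a small tree that is easy to read by eye but awkward to check from a script. The following is an added example, not part of the tutorial or the Fail2Ban project, that parses that tree into a dict and turns it into a pass/fail check a monitoring job could run after a deliberate test login from a known address. The status text below is a constructed sample in the format fail2ban-client prints (documentation IP, made-up counters).

```python
import re

# Constructed sample of `fail2ban-client status sshd` output; counters and IP are made up.
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:\t2
|  |- Total failed:\t9
|  `- Journal matches:\t_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:\t1
   |- Total banned:\t3
   `- Banned IP list:\t203.0.113.5
"""

# Strips the tree drawing characters, then splits "Field name:<tab>value".
FIELD_RE = re.compile(r"^[|`\s\-]*([A-Za-z ]+):\s*(.*)$")


def parse_jail_status(text):
    """Turn the tree-style status output into a dict; counters become ints, the IP list a list."""
    info = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Banned IP list":
            info[key] = value.split() if value else []   # empty when nothing is banned
        elif value.isdigit():
            info[key] = int(value)
        else:
            info[key] = value
    return info


def check_jail(text, expect_banned=None):
    """Return (ok, message). ok is False if the Actions section is missing
    (jail not running or misnamed) or, when expect_banned is given, that IP is not banned."""
    info = parse_jail_status(text)
    if "Currently banned" not in info:
        return False, "no Actions section in output: jail not running or wrong jail name"
    banned = info.get("Banned IP list", [])
    if expect_banned and expect_banned not in banned:
        return False, f"{expect_banned} is not in the ban list {banned}"
    return True, f"{info['Currently banned']} currently banned, {info['Total banned']} total"


if __name__ == "__main__":
    ok, msg = check_jail(SAMPLE_STATUS, expect_banned="203.0.113.5")
    print("OK" if ok else "FAIL", msg)
```

On a real host, feed the function the live output instead of the sample, for example the stdout of subprocess.run(["fail2ban-client", "status", "sshd"], capture_output=True, text=True). A practical verification is to fail the configured number of logins from a second machine whose address you control and is not in ignoreip, then confirm it appears in "Banned IP list" and that the ban expires after bantime.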

What You Learned

This tutorial covered Fail2Ban installation, the jail.conf vs jail.local override pattern, SSH jail configuration with maxretry/findtime/bantime thresholds, firewall backend selection (iptables vs nftables vs UFW), and the backend = systemd setting for journal-based log reading.