How to Install and Configure Fail2Ban on Linux
9 min read - May 14, 2026

Step-by-step guide to installing, configuring, and testing Fail2Ban on Ubuntu, Debian, and RHEL-based Linux servers.
Fail2Ban monitors your server logs for suspicious activity and automatically bans offending IPs by updating your firewall rules. It stops brute-force attacks, reduces log noise, and runs quietly in the background once configured. This guide covers installation on Ubuntu/Debian, core configuration, jail setup, and a few advanced options worth knowing about.
Prerequisites
Fail2Ban runs on most Linux distributions: Ubuntu, Debian, AlmaLinux, CentOS, RHEL, Rocky Linux, and Fedora. You'll need:
- Python 3 installed on the system
- Root or sudo access for package installation and firewall changes
- An active firewall (iptables, nftables, ufw, or firewalld)
- Log files that capture failed login attempts (/var/log/auth.log on Debian-based systems, /var/log/secure on RHEL-based)
On RHEL-based systems, enable the EPEL repository first. Before installing Fail2Ban, confirm your firewall is running with ufw status or systemctl status firewalld.
Installing Fail2Ban on Ubuntu/Debian
Update your packages and install Fail2Ban:
sudo apt update && sudo apt upgrade -y
sudo apt install fail2ban
Enable the service so it starts on boot, then start it:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Copy the default config to a local override file. Always edit jail.local, not jail.conf, so package updates don't overwrite your settings:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Verify everything is running:
sudo systemctl status fail2ban
sudo fail2ban-client status
The first command should show "Active: active (running)". The second lists your active jails. Confirm Fail2Ban is enabled on boot with sudo systemctl is-enabled fail2ban.
Configuring Jails
Default Settings
Open /etc/fail2ban/jail.local and adjust the [DEFAULT] section. These settings apply to all jails unless overridden:
| Parameter | Recommended Value | What It Does |
|---|---|---|
| bantime | 3600 | Blocks an IP for 1 hour |
| findtime | 600 | Counts failures within a 10-minute window |
| maxretry | 3 to 5 | Failures before a ban triggers |
| ignoreip | 127.0.0.1/8 ::1 | IPs that are never banned |
Add your own management IP to ignoreip so you don't lock yourself out. Example: ignoreip = 127.0.0.1/8 ::1 203.0.113.50.
SSH Protection
Enable the SSH jail in jail.local:
[sshd]
enabled = true
Check that logpath points to the correct log file for your distro. If you've moved SSH to a non-standard port (e.g., 2222), update the port parameter to match.
Web Server Protection
Enable the jail that matches your web server:
- Nginx: [nginx-http-auth] for authentication failures, [nginx-botsearch] for malicious bots
- Apache: [apache-auth] for authentication, [apache-badbots] for bots
Recidive Jail
The [recidive] jail catches IPs that keep getting banned across other jails and applies a longer penalty, typically one week (604,800 seconds). It's useful for persistent attackers who rotate their approach.
After making changes, restart Fail2Ban to apply them:
sudo systemctl restart fail2ban
sudo fail2ban-client status
Testing and Monitoring
Testing Bans
Before relying on Fail2Ban in production, test it. From a remote machine (not your admin IP), attempt SSH logins until you exceed maxretry. You should be blocked. Confirm with:
sudo fail2ban-client status sshd
Watch bans happen in real time:
tail -f /var/log/fail2ban.log
If you accidentally ban a legitimate IP, unban it:
sudo fail2ban-client set sshd unbanip 203.0.113.50
Day-to-Day Monitoring
Review ban history by grepping the log:
grep "Ban\|Unban" /var/log/fail2ban.log
Useful management commands:
| Command | Purpose |
|---|---|
| fail2ban-client status | List all active jails |
| fail2ban-client banned | Show all currently banned IPs |
| fail2ban-client set <jail> unbanip <IP> | Unban a specific IP |
| fail2ban-client unban --all | Clear all bans |
| fail2ban-client set <jail> banip <IP> | Manually ban an IP |
Bans persist across restarts. Fail2Ban stores them in an SQLite database at /var/lib/fail2ban/fail2ban.sqlite3.
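Going one step past the grep above, this added example (not part of the original guide) counts new bans per jail and IP so repeat offenders stand out, which is the same pattern the [recidive] jail acts on. The log lines are constructed samples in the usual fail2ban.log layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise ban events from fail2ban.log per jail and IP.

# Constructed sample input; real input is /var/log/fail2ban.log.
sample_log() {
cat <<'EOF'
2026-05-14 10:15:32,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2026-05-14 10:15:31
2026-05-14 10:15:40,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2026-05-14 11:15:40,733 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2026-05-14 11:42:03,950 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2026-05-14 11:50:19,004 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 198.51.100.23
2026-05-14 12:00:01,220 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 203.0.113.7
2026-05-14 12:42:03,951 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2026-05-14 13:05:27,618 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
EOF
}

# ban_summary: read a log on stdin, print "count jail ip", highest count first.
# Only new "Ban" events are counted. "Restore Ban" lines (bans re-applied after
# a restart), "Unban" and "Found" lines are skipped.
ban_summary() {
    awk '
        $(NF-1) == "Ban" && $(NF-2) != "Restore" {
            jail = $(NF-2)
            gsub(/\[|\]/, "", jail)      # "[sshd]" -> "sshd"
            count[jail " " $NF]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# repeat_offenders MIN: IPs banned at least MIN times (default 2) in one jail.
repeat_offenders() {
    ban_summary | awk -v min="${1:-2}" '$1 >= min { print $3 }'
}

# Use the real log if a path is given, otherwise the constructed sample.
if [ -n "${1:-}" ]; then ban_summary < "$1"; else sample_log | ban_summary; fi
```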
Advanced Configuration
Switching to nftables
nftables is the modern replacement for iptables. It handles IPv4 and IPv6 in a single framework, scales better with large ban lists, and has built-in rate limiting. If you're on Ubuntu 22.04+, Debian 11+, or any recent distro, it's the better choice.
Set it in jail.local:
[DEFAULT]
banaction = nftables-multiport
Restart Fail2Ban, then verify with sudo nft list ruleset. You should see f2b-table and f2b-chain in the output. Stick with iptables only if you're on an older system or have compatibility requirements.
Email Notifications
By default, Fail2Ban bans silently. To get email alerts, add the following to the [DEFAULT] section of jail.local:
[DEFAULT]
destemail = [email protected]
sender = [email protected]
mta = sendmail
action = %(action_mwl)s
The action_mwl action sends an email with ban details, WHOIS data, and the log lines that triggered the ban. Use action_mw if you only want WHOIS data. You'll need a mail transfer agent like sendmail installed, or an SMTP relay configured through something like msmtp.
For Slack or Discord alerts, create a script that sends a webhook and wire it up through a custom action file in /etc/fail2ban/action.d/.
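One way to build the webhook script and action file described above, as an added example that is not from the original guide. The script path, action file name, URL file and F2B_* variables are assumptions; the jail name and IP are validated before they are placed in the JSON body because they originate from log data.

```shell
#!/bin/sh
# Added example: /usr/local/bin/f2b-webhook.sh (hypothetical path).
# Called from a custom action file, e.g. /etc/fail2ban/action.d/webhook-notify.conf
# (hypothetical name):
#   [Definition]
#   actionban   = /usr/local/bin/f2b-webhook.sh ban <name> <ip>
#   actionunban = /usr/local/bin/f2b-webhook.sh unban <name> <ip>
# Enabled in jail.local by adding a second line to the action setting:
#   action = %(action_)s
#            webhook-notify

# Assumption: the webhook URL lives in a root-only file (chmod 600), not in this script.
URL_FILE="${F2B_WEBHOOK_URL_FILE:-/etc/fail2ban/webhook.url}"
# Slack expects the message under "text", Discord under "content".
FIELD="${F2B_WEBHOOK_FIELD:-text}"
HOST="${F2B_HOST:-$(uname -n)}"

# valid_args EVENT JAIL IP: accept only known events and safe characters,
# so nothing passed in can break out of the JSON string.
valid_args() {
    case "$1" in ban|unban) ;; *) return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case "$3" in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
    return 0
}

# build_payload EVENT JAIL IP: print the JSON body, or fail on bad input.
build_payload() {
    valid_args "$1" "$2" "$3" || return 1
    printf '{"%s":"fail2ban on %s: %s %s in jail %s"}' \
        "$FIELD" "$HOST" "$1" "$3" "$2"
}

# notify EVENT JAIL IP: post the payload to the configured webhook.
notify() {
    payload=$(build_payload "$@") || { echo "f2b-webhook: rejected arguments" >&2; return 1; }
    [ -r "$URL_FILE" ] || { echo "f2b-webhook: $URL_FILE not readable" >&2; return 1; }
    # Bound the request time so a slow webhook cannot hold up the ban action.
    curl -fsS --max-time 10 -H 'Content-Type: application/json' \
         -d "$payload" "$(cat "$URL_FILE")" >/dev/null
}

# Do the work only when fail2ban passes arguments.
[ "$#" -eq 0 ] || notify "$@"
```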