How to install fail2ban on Ubuntu Server 22.04 : Jammy Jellyfish

Jack Wallen walks you through the process of installing fail2ban on Ubuntu Server 22.04 to prevent malicious login attempts.

Fail2ban is one of the first things you need to install on your new Linux server deployments. Once deployed, fail2ban works to prevent malicious and brute force login attacks and can be used to monitor protocols such as HTTP, SSH, and FTP.

If fail2ban detects a malicious login attempt, it will automatically block the offending IP address, so anyone attempting the attack will not be able to access the server.

I will walk you through the process of installing fail2ban on the latest version of Ubuntu Server (22.04, also known as Jammy Jellyfish).

What you will need

The only things you will need to get fail2ban up and running are an Ubuntu Server 22.04 instance and a user with sudo privileges.

That’s it: let’s secure this server.

How to install fail2ban

Installing fail2ban is incredibly simple. Log in to your Ubuntu Server instance and run the command:

sudo apt-get install fail2ban -y

Start and enable the fail2ban service with:

sudo systemctl enable --now fail2ban

If you are using the UFW firewall – and you should be – you may need to allow SSH traffic to the server with the command:

sudo ufw allow ssh

How to configure fail2ban

Fail2ban depends on a few different files and directories, which are:

  • fail2ban.conf – the main configuration file
  • jail.conf – an example jail configuration
  • action.d – contains various fail2ban action configurations for things like mail and firewall
  • jail.d – contains additional fail2ban jail configurations

We will create a new file, jail.local, and configure fail2ban to prevent malicious SSH logins.

Create the new file with:

sudo nano /etc/fail2ban/jail.local

In this file, paste the following content:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip =

Here is the description of the above:

  • enabled – enables the jail
  • port – the port that fail2ban will listen on
  • filter – the built-in filter that fail2ban will use
  • logpath – the directory hosting the fail2ban log
  • maxretry – the number of failed attempts allowed before an IP address is blocked
  • findtime – the time between failed login attempts
  • bantime – number of seconds an IP address is banned
  • ignoreip – an IP address which should be ignored by fail2ban

Save and close the file.

Restart fail2ban with:

sudo systemctl restart fail2ban
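
As an added illustration (not part of the original article, and not fail2ban's own code), this Python example models how maxretry, findtime, bantime and ignoreip from the jail above interact: an address is banned once it accumulates maxretry failures within findtime seconds. The regular expression is a simplified stand-in for the real sshd filter, and the log lines, host name and year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAXRETRY, FINDTIME, BANTIME = 3, 300, 28800  # values from the jail.local above

# Simplified stand-in for the sshd filter: matches password failures only.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed auth.log lines (documentation-range addresses, hypothetical host "srv").
SAMPLE = """\
Mar  3 10:00:00 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:30 srv sshd[1002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:00 srv sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 10:02:00 srv sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:04:30 srv sshd[1005]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar  3 10:08:30 srv sshd[1006]: Failed password for root from 198.51.100.7 port 40006 ssh2
Mar  3 10:09:00 srv sshd[1007]: Accepted password for jack from 192.0.2.10 port 40007 ssh2
""".splitlines()

def simulate(lines, ignoreip=(), year=2024):
    """Return {ip: (ban_start, ban_end)}; auth.log has no year, so one is assumed."""
    ignored = [ip_network(net) for net in ignoreip]
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # not a failed-password line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in net for net in ignored):
            continue  # ignoreip: never counted, never banned
        if ip in bans and when < bans[ip][1]:
            continue  # already banned, traffic would be blocked
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # drop failures older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = (when, when + timedelta(seconds=BANTIME))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE).items():
        print(f"{ip} banned {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the sample lines only 203.0.113.5 is banned; the three failures from 198.51.100.7 span more than findtime, which is worth keeping in mind when tuning that value.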

How to test fail2ban

Log into another machine and attempt an SSH connection to the server hosting fail2ban. Make sure you type the password incorrectly 3 times.

After the third attempt, SSH will lock on you, and you’ll have to use the CTRL + C key combination to return to the prompt. If you attempt another SSH connection, a connection refused error will be displayed.

How to unban an IP address

After testing, you may want to unban the IP address you used. Make sure you have a banned IP with the command:

sudo fail2ban-client status sshd

You should see something like the following:

Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    3
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    1
   `- Banned IP list:

To unban the IP address, issue the command below, replacing IP_ADDRESS with the banned address:

sudo fail2ban-client set sshd unbanip IP_ADDRESS

You should see the number one printed, as that is the number of IP addresses you just unbanned.

You can also manually ban an IP with the command below, replacing IP_ADDRESS with the address to ban:

sudo fail2ban-client set sshd banip IP_ADDRESS

Congratulations, you have successfully installed and configured fail2ban to block unwanted SSH connections to your Ubuntu Server instance.
