Fail2Ban is an open-source tool that works as an intrusion prevention software.

If you have open ports on the Internet, attackers can use a  passwords and users combinations (also known as brute-force) to attempt to break in.

Fail2Ban scans log files (/var/log/*) and use firewall rules to reject IP addresses


  • A linux box running Ubuntu 20.04.
  • SUDO (super user) privileges.

To being, we must update the package index:

sudo apt-get update

Install Fail2Ban

Install the fail2ban package:

sudo apt-get -y install fail2ban

The output should look like this:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
Suggested packages:
  mailx monit sqlite3
The following NEW packages will be installed:
  fail2ban whois
0 upgraded, 2 newly installed, 0 to remove and 74 not upgraded.
Need to get 419 kB of archives.
After this operation, 2.291 kB of additional disk space will be used.
Get:1 focal/universe amd64 fail2ban all 0.11.1-1 [375 kB]
Get:2 focal/main amd64 whois amd64 5.5.6 [44,7 kB]
Fetched 419 kB in 2s (203 kB/s)
Selecting previously unselected package fail2ban.
(Reading database ... 380286 files and directories currently installed.)
Preparing to unpack .../fail2ban_0.11.1-1_all.deb ...
Unpacking fail2ban (0.11.1-1) ...
Selecting previously unselected package whois.
Preparing to unpack .../archives/whois_5.5.6_amd64.deb ...
Unpacking whois (5.5.6) ...
Setting up whois (5.5.6) ...
Setting up fail2ban (0.11.1-1) ...
Created symlink /etc/systemd/system/ → /lib/systemd/system/fail2ban.service.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.3) ...

At this point, you have Fail2Ban installed and running on your Ubuntu.

To verify it, you can check the status of the service:

systemctl status fail2ban

You should see something like this:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pres>
     Active: active (running) since Tue 2020-12-22 10:37:51 -03; 3min 41s ago
       Docs: man:fail2ban(1)
   Main PID: 52463 (f2b/server)
      Tasks: 5 (limit: 9403)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─52463 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Configure Fail2Ban

The default configuration files of Fail2ban are in the /etc/fail2ban directory. We will edit the following configuration file:


First, we will make a local copy of that file, (so we can go back or refer to it if something goes wrong):

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

We need to edit the jail.local file with our preferred editor (we will use NANO):

sudo nano /etc/fail2ban/jail.local

Ignore IP Addresses

Uncomment (delete the hashtag in the beginning) the line starting with “ignoreip”.

Here you can add as many IP addresses, IP ranges or hosts that you want to exclude from banning. You should add your local LAN and yourself (

For example:

ignoreip = ::1

Ban Settings

In this part, we have a lot of settings, but we should focus on bantime, findtime, and maxretry options.

bantime – is the time that the IP gets banned. Example for one week (you can use a negative number to set it forever):

bantime  = 1w

findtime – is the time it takes, between failures, before ban the IP. Example for one day:

findtime  = 1d

maxretry – is the number of how much failures are allowed. Example:

maxretry = 5

Mail Alerts

If you have a mail server configured in your box, you can setup this value to receive mails notifications when an IP gets banned:

destemail =


A jail is what identifies a service (SSH, FTP,Postfix, etc). In the config file, you will see a lot of jails pre-configured for different services.

Only the ssh jail is enabled by default. To enable a jail, you need to add after the Jail title:

enabled = true

For example, to enable fail2ban for Postfix:

enabled = true
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

At this point you can enable all the Jails that you need.

Restart Fail2Ban

Once configured, you need to restart Fail2Ban service:

sudo systemctl restart fail2ban

Interacting with the Fail2Ban service

Like any other service, you can interact with fail2ban via systemctl:

Stop Fail2Ban Service:

sudo systemct stop fail2ban

Start Fail2Ban Service:

sudo systemctl start fail2ban

Enable Fail2Ban on boot:

sudo systemctl enable fail2ban

Disable Fail2Ban on boot:

sudo systemctl disable fail2ban

Fail2Ban Client

There is a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.

Check active Jails:

sudo fail2ban-client status

Check statistics (Currently failed, total failed, currently banned, total banned, banned IP list) for a specific Jail:

sudo fail2ban-client status sshd

You should see something like:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

Unban an IP address

sudo fail2ban-client unban

We can also unban all IP address at once:

sudo fail2ban-client uban – all

Ban an IP address

sudo fail2ban-client ban

Activate a rule (use its name from the configuration file)

sudo fail2ban-client add postfix

Start a rule

fail2ban-client start postfix

Stop a rule:

fail2ban-client stop postfix


Well done! You have installed and configured the most common options of Fail2Ban.

If you have any issues then contact us and we’ll try to help as soon as we can.

Categories: Linux Tutorials