How to Install and Configure Fail2ban on Ubuntu Server 16.04
Have you ever logged into your server and seen a message like this?
Last failed login: Fri Dec 28 11:37:02 MST 2018 from 192.168.0.102 on ssh:notty
There were 942 failed login attempts since the last successful login.
Last login: Mon Dec 24 13:35:57 2018 from 192.168.0.101
What happened here?

This message is informing me that while I was logged out, there were 942 failed attempts to access my server via SSH! This type of message is a strong indicator that my server was probably under a “brute force” attack. In this type of scenario, an attacker will attempt to randomly guess passwords repeatedly until they get lucky with the correct password. This is one reason why using a secure password is so important!
Fear not, Fail2ban can be a fantastic tool for dynamically thwarting these types of brute force attacks. This tutorial will walk you through installing and configuring Fail2ban to help protect sshd from brute force attacks. Let’s dig in!
Installing Fail2ban
Installing Fail2ban on an Ubuntu VPS server is simple. Run the following two commands to install the program:
apt-get update
apt-get install fail2ban -y
Next, restart the service so that it is running:
service fail2ban restart
Finally, we check to make sure Fail2ban is running after the restart:
service fail2ban status
The output should display active (running) which indicates the service is up and we’re ready to proceed to configuration.
Configuring Fail2ban
Now that Fail2ban is installed and running, we can define custom rules for what services it protects, and how to handle violations.
First, create a configuration file for Fail2ban. This file doesn’t exist by default, but Fail2ban will look for this file and read the contents if it exists:
touch /etc/fail2ban/jail.local
Now we’ll open the configuration file for editing. We’re using vi as our text editor in this example, but feel free to use nano or whatever text editor you are most comfortable with. (Related: check out our helpful tutorial if you need to brush up on how to use vi.) Run the following command to open the file for editing:
vi /etc/fail2ban/jail.local
Paste in the following contents, and save the file:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
Let’s review the options we just set. First, we are telling Fail2ban to ignore IP addresses 127.0.0.1 and ::1. These are the IPv4 and IPv6 addresses for localhost, respectively. For the remaining lines, it is important to understand Fail2ban reads time as seconds in the configuration file. These rules will ban IP addresses for one hour {bantime = 3600}, if they make 5 mistakes {maxretry = 5}, within 10 minutes {findtime = 600}. Finally, we enabled the jail for sshd. Feel free to adjust these numbers to your liking, but please consider the following:
Now that we have created a configuration to use, restart Fail2ban so that our new rules are read and utilized:
service fail2ban restart
We will also double check to make sure Fail2ban is running after the restart:
service fail2ban status
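To see how findtime, maxretry, bantime and ignoreip interact, the following added example (not part of the original tutorial and not Fail2ban's own code) replays constructed auth.log lines through a simplified model of the jail settings above. The regular expression, the host name and the addresses 192.168.0.150 and 127.0.0.5 are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.local above.
IGNOREIP = ["127.0.0.1/8", "::1"]
BANTIME, FINDTIME, MAXRETRY = 3600, 600, 5

# Simplified pattern (assumption): not Fail2ban's own sshd filter regex.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def is_ignored(ip):
    addr = ipaddress.ip_address(ip)
    # strict=False: "127.0.0.1/8" has host bits set and means all of 127.0.0.0/8
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)

def simulate(lines, year=2018):
    """Return (ip, banned_at, unbanned_at) for each ban the settings would trigger."""
    recent = defaultdict(deque)          # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if is_ignored(ip) or banned_until.get(ip, ts) > ts:
            continue                     # whitelisted, or already serving a ban
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()             # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

def _line(hms, ip):  # constructed auth.log entry, not real log data
    return f"Dec 28 {hms} host sshd[1234]: Failed password for root from {ip} port 50000 ssh2"

SAMPLE = sorted(
    [_line(f"11:3{m}:02", "192.168.0.102") for m in (0, 2, 4, 6, 7)]          # 5 in 7 min
    + [_line(f"11:{m}:00", "192.168.0.150") for m in (10, 13, 16, 19, 22)]    # 5 in 12 min
    + [_line(f"11:40:0{s}", "127.0.0.5") for s in range(6)]                   # loopback
)

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only 192.168.0.102 is banned: the second address never has five failures inside one 10-minute window, and 127.0.0.5 falls inside the ignored loopback range.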
Fail2ban Usage
At this point, you have successfully installed and configured Fail2ban, congratulations! For the remainder of this tutorial, we will show you how to use the program and how to manage IP blocks.
Run the following command to check the status of Fail2ban:
fail2ban-client status
Example output shows you the number of currently configured jails. Right now we have only created a jail for sshd:
Status
|- Number of jail: 1
`- Jail list: sshd
We can also poll the detailed status of individual jails. This command will check the status of the sshd jail we just configured:
fail2ban-client status sshd
The example output shows no IPs blocked. Looks good!
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
Now, for example, I’m going to fail five attempts to SSH to my server. After the fifth failed attempt, my IP should be automatically blocked! The following shows the output from my workstation when I try to SSH to the server after the fifth failed attempt:
ssh root@192.168.0.101
ssh: connect to host 192.168.0.101 port 22: Connection refused
The “connection refused” message indicates that the server’s firewall is now blocking us.
Back on the server, let’s again check the status of the SSH jail by running:
fail2ban-client status sshd
The output shows that my IP has indeed been blocked! Looking at the status, we can see my workstation’s IP address has been added to the “Banned IP list”.
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 1
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 192.168.0.102
Finally, we will demonstrate how to remove a banned IP. This is helpful if you have clients that accidentally block themselves from incorrect password attempts. The syntax for this command is as follows:
fail2ban-client set <JAIL NAME> unbanip <IP ADDRESS>
For example, this command will delist 192.168.0.102 from the sshd jail.
fail2ban-client set sshd unbanip 192.168.0.102
Let’s double check our work and make sure my IP address has been successfully unblocked:
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 6
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 1
   `- Banned IP list:
That wraps it up for this tutorial! We only discussed protecting sshd in this tutorial, but Fail2ban can be used to help protect all kinds of other services such as httpd. We encourage you to do some further reading and see what it is capable of! Just remember that while Fail2ban is awesome, it is not a replacement for a strong set of firewall rules. When properly configured, however, Fail2ban is a great tool to help further harden your server’s security. Have fun and happy IP blocking!
About the Author: Noti Peppas
As a regular contributor to Knowledge Base center, Noti Peppas offers up how-to articles on Ubuntu, CentOS, Fedora and much more!