
Fail2ban Reference

Installation & Service

# Install (apt, i.e. Debian/Ubuntu-style systems)
sudo apt install fail2ban

# Service management
# start: run the daemon now; enable: also start it at every boot
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# status: confirm the unit is active before relying on any jail
sudo systemctl status fail2ban
# restart: stop and start the daemon, e.g. after editing jail.local
sudo systemctl restart fail2ban

Configuration

Fail2ban reads its configuration from /etc/fail2ban/. Never edit jail.conf directly, since a package update can overwrite it — put your overrides in jail.local.

# Create your config
# NOTE(review): this copies every default into jail.local, so later package
# changes to those defaults in jail.conf no longer take effect. jail.local only
# needs the settings you actually override.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

/etc/fail2ban/jail.local (key settings):

[DEFAULT]
# Ban duration (in seconds, or -1 for permanent)
bantime  = 3600

# Window (in seconds) in which failures are counted toward maxretry
findtime = 600

# Max failures within findtime before the address is banned
maxretry = 5

# Your trusted IPs — never ban these.
# Every address listed here is exempt from banning, so keep the list as narrow
# as possible: with 192.168.1.0/24 present, a compromised host on that LAN can
# keep guessing passwords without ever being banned.
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

# Ban action (iptables, ufw, etc.) — must match the firewall actually in use
# on the host; otherwise a ban may be logged without the traffic being blocked.
banaction = iptables-multiport

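[sshd]
enabled  = true
# "ssh" is the service name for the default port; set the real port number
# here if sshd listens elsewhere, or the ban will not cover it.
port     = ssh
# NOTE(review): on hosts where sshd logs only to the systemd journal,
# %(sshd_log)s may point at a file that does not exist — confirm the log
# source for this jail.
logpath  = %(sshd_log)s
maxretry = 3
# 24 hours for SSH. Kept on its own line: Fail2ban treats "#" as a comment
# only at the start of a line, so a trailing "# ..." would become part of
# the value instead of being ignored.
bantime  = 86400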

[nginx-http-auth]
# Enable only where nginx is installed and writes this log.
# NOTE(review): a jail whose logpath does not exist is expected to fail at
# startup — check with `fail2ban-client status` after reloading.
enabled  = true
port     = http,https
logpath  = /var/log/nginx/error.log

[apache-auth]
# Enable only where Apache is installed; drop this jail on nginx-only hosts.
# NOTE(review): %(apache_error_log)s is expanded from Fail2ban's own path
# definitions — confirm it matches where this host's Apache actually logs.
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

fail2ban-client Commands

# These commands talk to the running Fail2ban server; run them as root (or via
# sudo) if the client reports a permission error on the server socket.

# Show overall status (server state and the list of active jails)
fail2ban-client status

# Show jail status (with banned IPs)
fail2ban-client status sshd

# Manually ban an IP (192.168.1.100 is an example address)
fail2ban-client set sshd banip 192.168.1.100

# Unban an IP — the way back in after locking out a legitimate address
fail2ban-client set sshd unbanip 192.168.1.100

# Reload configuration
fail2ban-client reload

# Reload specific jail
fail2ban-client reload sshd

# List the IPs currently banned in the jail (this prints addresses, not a
# count; the counts are part of `fail2ban-client status sshd`)
fail2ban-client get sshd banip

Custom Jail Example (Nginx Login)

# /etc/fail2ban/filter.d/nginx-login.conf
[Definition]
# <HOST> is Fail2ban's placeholder for the address that gets banned; anchoring
# it with ^ ties it to the first field of the log line rather than to text the
# client controls later in the line (request, referer, user agent).
# NOTE(review): assumes the access log starts with the client address and that
# the application answers a failed login with 401 — confirm both. Behind a
# reverse proxy or load balancer the first field may be the proxy's address,
# and banning it would block every user behind it.
# Check the pattern against real log lines before enabling the jail:
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-login.conf
failregex = ^<HOST> .* "POST /login HTTP.*" 401
ignoreregex =

# /etc/fail2ban/jail.local
[nginx-login]
enabled  = true
# Name of the filter file in filter.d/ without the ".conf" suffix
filter   = nginx-login
port     = http,https
logpath  = /var/log/nginx/access.log
# 5 matching lines within findtime (300 s) ban the address for bantime (3600 s)
maxretry = 5
bantime  = 3600
findtime = 300

Viewing Logs

# Fail2ban log (follows new entries as they are written; may need sudo,
# depending on the log file's permissions)
tail -f /var/log/fail2ban.log

# Filter banned IPs (case-sensitive match, so "Unban" entries are not selected)
grep "Ban" /var/log/fail2ban.log

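# Check iptables bans (applies only when banaction is iptables-based)
# Current Fail2ban releases name their chains f2b-<jail>, as in the f2b-sshd
# command below; older releases used fail2ban-<jail>. Match both prefixes so
# an empty result really means "no Fail2ban chains".
sudo iptables -L -n | grep -E 'f2b-|fail2ban-'
# Rules and packet counters for the sshd jail's chain
sudo iptables -L f2b-sshd -v -n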