How to Set Up Fail2Ban for SSH on Ubuntu

Hardening Your Server Security

Protecting your Virtual Private Server (VPS) from unauthorized access is a fundamental responsibility for every system administrator. Brute-force attacks, where malicious bots attempt to guess your SSH password thousands of times per minute, are a constant threat on the open internet. Fail2Ban is a strong security application that mitigates this risk by monitoring your server logs for failed login attempts and automatically updating your firewall to block the offending IP addresses. This guide will walk you through the professional configuration of Fail2Ban on an Ubuntu environment.

Difficulty

Intermediate

Time

10 Minutes

Step 1: Installation & Initialization

Follow these commands to deploy the service from the official Ubuntu repositories.

Update Package Index

Ensure your server is using the latest metadata:

sudo apt update

Install the Service

Deploy the Fail2Ban package:

sudo apt install fail2ban -y

Enable Boot Persistence

Instruct the system to automatically start Fail2Ban during the boot sequence:

sudo systemctl enable --now fail2ban

Step 2: Strategic Configuration

To maintain a secure and update-resistant environment, we recommend creating a localized configuration file. This prevents your custom rules from being overwritten during future software updates.

Create the Local Jail File

Open a new configuration file with administrative privileges:

sudo nano /etc/fail2ban/jail.local

Define Security Parameters

Copy and paste the following baseline configuration into the editor:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = iptables-multiport

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

Save and Apply

Press CTRL + X, then Y, then Enter to save. Restart the service to initialize the new ruleset:

sudo systemctl restart fail2ban

Step 3: Administrative Management

Once active, you can use the fail2ban-client utility to monitor and manage your security status.

Monitoring Status
Unblocking an IP

View a summary of blocked addresses and active jails:

sudo fail2ban-client status sshd

If a legitimate user is accidentally restricted, use the following command to restore their access:

sudo fail2ban-client set sshd unbanip [IP_ADDRESS]

Accidental Self-Lockout

If you inadvertently block your own IP address and lose SSH access, do not panic. Log in to the VPS Control Panel and use the VNC Console to access your server out-of-band and execute the unban command.

Need Extra Help?

If you encounter any issues, our support team is ready to assist:

Live Chat: Quick assistance via our website.
Support Ticket: Open a Ticket
Discord: Join our Community
Email: [email protected]

Save on Your Hosting

Ready to get a new server? Use code KB20 at checkout for 20% off your first month!

Last Updated: January 2026 | Security Note: Always use SSH keys for maximum protection.

Other

​Hardening Your Server Security

Difficulty

Time

​Step 1: Installation & Initialization

​Step 2: Strategic Configuration

​Step 3: Administrative Management

​Accidental Self-Lockout

​Need Extra Help?

​Save on Your Hosting