Site logo image
[Home Page]

[RSS Feeds]

[IRC Server]

Return to SSH guides

printer icon mail icon

SSH Fail2Ban Setup

  Fail2Ban is a log based intrusion prevention system that can be utilized to reduce some brute force attacks against the SSH daemon. If Fail2Ban sees a specific number of failed access attempts from a single IP within a time-frame, it will modify the iptables firewall to ban (REJECT) that IP for a defined amount of time.

Dynamically blocking IP’s in this manner may not be very effective against a botnet since the IP address can be frequently rotated.

For most distributions the sshd jail comes pre-enabled with Fail2Ban. However If you moved the SSH listening port as detailed in the "Hardening SSH configuration" guide, then you will have to modify the sshd jail regardless. This way Fail2Ban knows which port to instruct iptables to restrict for future brute forcing baddies.

Let's open the jail.local file. If the file doesn't exist, then it's okay to create a new one.

vi /etc/fail2ban/jail.local

Append the following to the file (assuming that you moved the SSH listening port to “2222.”)

enabled = true
port = 2222

Save your configuration and restart the fail2ban daemon.

systemctl restart fail2ban

You can verify that the sshd jail is enabled with the fail2ban-client command-line utility.

fail2ban-client status

Example output:

|- Number of jail: 3
`- Jail list: sshd

You can also display additional details, such as banned IP's by specifying the sshd jail.

fail2ban-client status sshd

For more information on Fail2Ban I recommend checking out as well as their manual for a better understanding of the above configurations.[1]


To unban an IP address from Fail2Ban, you can run the following command:

fail2ban-client set sshd unbanip

The Fail2ban log can be located in "/var/log/fail2ban.log". You can live monitor the log from a terminal with tail:

tail -F /var/log/fail2ban.log



[Return to top]

Last modified date: 2021-01-08

nationality icon

Copyright © 2020-2022 All Rights Reserved.