Install and Configure Fail2Ban on Ubuntu VPS
Fail2Ban monitors your server logs and automatically bans IP addresses that show malicious behavior. This guide covers complete Fail2Ban setup on an Ubuntu VPS, including SSH protection, web server jails, and email alerts.
You'll need root access and basic SSH familiarity. We'll set up Fail2Ban to block attacks while keeping legitimate traffic flowing to your applications.
Step 1: Update System and Install Fail2Ban
Connect via SSH and update your packages:
sudo apt update && sudo apt upgrade -y
Install Fail2Ban:
sudo apt install fail2ban -y
Check the service status:
sudo systemctl status fail2ban
Start it if needed:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Create Custom Fail2Ban Configuration
Fail2Ban uses jail.conf for defaults and jail.local for your custom settings. Never edit the default files directly since updates will overwrite them.
Copy the default configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open your custom config:
sudo nano /etc/fail2ban/jail.local
Step 2: Configure Global Settings
Find the [DEFAULT] section and adjust these parameters:
[DEFAULT]
# Ban IP addresses for 1 hour
bantime = 3600
# Check for attacks within 10 minutes
findtime = 600
# Ban after 3 failed attempts
maxretry = 3
# Whitelist your IP addresses
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 YOUR_OFFICE_IP_HERE
Replace YOUR_OFFICE_IP_HERE with your actual IP address. Run curl ifconfig.me locally to find it.
Step 3: Configure SSH Protection
Locate the [sshd] section:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
Using a custom SSH port? Update it:
port = 2222
This monitors failed SSH attempts in /var/log/auth.log. Three failures within ten minutes trigger a one-hour ban. Consider longer ban times for production servers.
Configure Web Server Protection
Your web server needs specific jail configurations. Most Hostperl VPS customers run Apache or Nginx.
Step 4: Apache HTTP Server Jails
For Apache servers:
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/access.log
maxretry = 2
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/access.log
maxretry = 3
Step 5: Nginx Server Jails
For Nginx:
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
[nginx-limit-req]
enabled = true
port = http,https
filter = nginx-limit-req
logpath = /var/log/nginx/error.log
maxretry = 5
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 2
The nginx-limit-req jail catches rate limiting violations. The nginx-botsearch jail blocks malicious bots. Adjust maxretry values based on your traffic patterns.
Set Up Email Notifications
Email alerts tell you when Fail2Ban takes action. This helps you track security events on your VPS.
Step 6: Configure SMTP for Notifications
Install the mail utility:
sudo apt install mailutils -y
Add email settings in the [DEFAULT] section:
# Email configuration
destemail = admin@yourdomain.com
sendername = Fail2Ban-VPS
mta = sendmail
action = %(action_mwl)s
Replace admin@yourdomain.com with your email. The action_mwl setting includes log context in notifications.
Using Postfix? Check our Postfix SMTP setup guide for complete email server configuration.
Step 7: Test Email Configuration
Create a test jail:
[test-jail]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 1
bantime = 60
Restart Fail2Ban:
sudo systemctl restart fail2ban
Try a failed SSH login from another machine to trigger the test. You should get an email within minutes. Remove the test jail afterward.
Advanced Fail2Ban Customization
Beyond basic protection, you can create custom filters for specific attack patterns.
Step 8: Create Custom Filter Rules
Let's protect WordPress sites with a custom filter:
sudo nano /etc/fail2ban/filter.d/wordpress-auth.conf
Add this configuration:
[Definition]
# Continuation lines of a multi-line failregex must be indented
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php)
            <HOST>.*POST.*wp-admin
ignoreregex =
Create the matching jail in jail.local:
[wordpress-auth]
enabled = true
port = http,https
filter = wordpress-auth
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 1800
This monitors repeated POST requests to WordPress login endpoints.
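The following added example (not part of the original guide or of Fail2Ban) replays the two failregex lines above over constructed Nginx access-log lines and applies the jail's maxretry = 3 with the [DEFAULT] findtime = 600. It shows that the filter counts every matching POST, including a successful login followed by normal dashboard activity. The IPv4-only stand-in for <HOST>, the helper names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified IPv4-only stand-in for Fail2Ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [r"<HOST>.*POST.*(wp-login\.php|xmlrpc\.php)", r"<HOST>.*POST.*wp-admin"]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
STAMP = re.compile(r"\[([^\]]+)\]")

def match_host(line):
    """Return the host captured by the first matching failregex, else None."""
    found = (p.search(line) for p in PATTERNS)
    return next((m.group("host") for m in found if m), None)

def simulate(lines, maxretry=3, findtime=600):
    """Return {host: ban time} for hosts with maxretry matches inside findtime."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        host = match_host(line)
        if host is None or host in banned:
            continue
        when = datetime.strptime(STAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[host]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()  # forget matches older than findtime
        if len(hits) >= maxretry:
            banned[host] = when
    return banned

def entry(ip, clock, request, status):
    """Build one constructed line in Nginx's default 'combined' format."""
    return f'{ip} - - [12/Mar/2025:{clock} +0000] "{request} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE = (
    # Three rejected logins in four seconds: banned on the third.
    [entry("203.0.113.7", f"10:00:0{s}", "POST /wp-login.php", 200) for s in (1, 3, 5)]
    # One successful login (302), then ordinary dashboard POSTs: also banned.
    + [entry("198.51.100.20", "10:05:00", "POST /wp-login.php", 302)]
    + [entry("198.51.100.20", f"10:0{m}:00", "POST /wp-admin/admin-ajax.php", 200) for m in (6, 7)]
    # Three xmlrpc.php POSTs spread over 30 minutes: never 3 inside findtime.
    + [entry("192.0.2.99", f"10:{m}:00", "POST /xmlrpc.php", 200) for m in (10, 25, 40)]
    # GET requests never match the filter.
    + [entry("192.0.2.44", "10:45:00", "GET /wp-login.php", 200)]
)
```

Calling simulate(SAMPLE) returns bans for 203.0.113.7 and 198.51.100.20 only. The second ban is the case to plan for: add administrator addresses to ignoreip or raise maxretry for this jail if logged-in users work in wp-admin.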
Step 9: Configure Persistent Ban Lists
For repeat offenders, set up persistent bans that survive restarts:
sudo nano /etc/fail2ban/action.d/iptables-persistent.conf
Create an action that saves iptables rules:
[Definition]
# Continuation lines of a multi-line value must be indented.
# iptables-save writes to /etc/iptables/, which must already exist.
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j f2b-<name>
              iptables-save > /etc/iptables/rules.v4
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>
             iptables-save > /etc/iptables/rules.v4
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
            iptables-save > /etc/iptables/rules.v4
actionunban = iptables -D f2b-<name> -s <ip> -j DROP
              iptables-save > /etc/iptables/rules.v4
Monitor and Maintain Fail2Ban
Regular monitoring keeps Fail2Ban working effectively without blocking legitimate traffic.
Step 10: Check Fail2Ban Status
View active jails and current bans:
sudo fail2ban-client status
Check specific jail details:
sudo fail2ban-client status sshd
List banned IP addresses:
sudo fail2ban-client status sshd | grep "Banned IP list"
Step 11: Unban IP Addresses
To unban an IP (for example, if you locked yourself out):
sudo fail2ban-client set sshd unbanip 192.168.1.100
Replace 192.168.1.100 with the IP you want to unban. Always keep backup access through your hosting provider's console.
Step 12: Log File Management
Fail2Ban logs to /var/log/fail2ban.log. Monitor it for issues:
sudo tail -f /var/log/fail2ban.log
Set up log rotation to prevent disk space problems. Our logrotate configuration guide covers complete log management.
Troubleshooting Common Issues
Here's how to fix common Fail2Ban problems.
Service Not Starting
Check configuration syntax:
sudo fail2ban-client -t
This validates your config files and reports errors. Fix any issues before restarting.
Jails Not Activating
Verify log file paths exist:
ls -la /var/log/auth.log
ls -la /var/log/nginx/
Fail2Ban needs read access to these files. Some hosting environments need additional permissions.
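A pre-flight check along these lines, as an added example (not part of the original guide or of Fail2Ban): it parses a jail.local excerpt, resolves each enabled jail's thresholds against [DEFAULT], and lists log paths that are missing or unreadable for the current user. The sample text, the function names and the root parameter are constructed for illustration, and it assumes literal log paths and numeric seconds as used in this guide.

```python
import configparser
import os

# Constructed jail.local excerpt using values from this guide.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
action = %(action_mwl)s

[sshd]
enabled = true
logpath = /var/log/auth.log

[nginx-limit-req]
enabled = true
logpath = /var/log/nginx/error.log
maxretry = 5

[apache-auth]
logpath = /var/log/apache2/error.log
"""

def readable(path):
    """True if path is an existing regular file the current user can read."""
    return os.path.isfile(path) and os.access(path, os.R_OK)

def audit_jails(text, root="/"):
    """Return {jail: settings} for enabled jails, with unreadable log paths."""
    # interpolation=None keeps %(action_mwl)s literal; it is defined in
    # jail.conf, not in this excerpt, so expanding it here would fail.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for jail in cfg.sections():  # [DEFAULT] only supplies fallback values
        sec = cfg[jail]
        if not sec.getboolean("enabled", fallback=False):
            continue
        paths = sec.get("logpath", "").split()
        report[jail] = {
            "maxretry": sec.getint("maxretry"),
            "findtime": sec.getint("findtime"),
            "bantime": sec.getint("bantime"),
            "unreadable": [p for p in paths
                           if not readable(os.path.join(root, p.lstrip("/")))],
        }
    return report
```

Run it as the account Fail2Ban runs under, passing the contents of /etc/fail2ban/jail.local; any jail with a non-empty "unreadable" list points at a log path to fix.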
Email Notifications Not Working
Test mail independently:
echo "Test message" | mail -s "Test Subject" admin@yourdomain.com
If this fails, check your Postfix or sendmail setup rather than Fail2Ban.
Performance and Security Considerations
Fail2Ban uses minimal system resources but proper configuration ensures optimal performance.
Monitor CPU usage during traffic spikes. If Fail2Ban becomes a bottleneck, increase the findtime interval or reduce log verbosity.
For high-security environments, consider external threat intelligence feeds or geographic IP blocking alongside Fail2Ban.
Include Fail2Ban in regular security audits. Our SSH hardening tutorial complements Fail2Ban with comprehensive server security.
Frequently Asked Questions
How long should I set ban times for production servers?
For production hosting, 24-hour bans work well for SSH attacks. Web service bans can be shorter (1-4 hours) to avoid blocking legitimate users behind shared connections.
Will Fail2Ban affect my website's performance?
Fail2Ban has minimal performance impact. It processes logs efficiently and only adds iptables rules when banning IPs. The overhead is negligible compared to processing attack traffic.
Can I whitelist entire IP ranges?
Yes, use CIDR notation in ignoreip. Example: ignoreip = 192.168.0.0/16 whitelists the entire 192.168.x.x range. Be careful with large ranges that might include attackers.
How do I handle legitimate users getting banned?
Set up alternative contact methods (phone, secondary email) for unban requests. Consider higher maxretry values for services with legitimate retry patterns. Always maintain console access to your VPS.
Should I use Fail2Ban with other security tools?
Fail2Ban works great with firewalls like UFW, intrusion detection systems, and security scanners. It handles log-based intrusion prevention while other tools cover different security aspects.

