Install Fail2ban on Ubuntu VPS: Block Brute Force Attacks

By Raman Kumar

Updated on Apr 30, 2026

What is Fail2ban and Why Your Ubuntu VPS Needs It

SSH brute force attacks hit your Ubuntu VPS within minutes of going online. Fail2ban monitors log files and automatically blocks IP addresses showing malicious behavior patterns. This guide walks you through how to install Fail2ban on Ubuntu VPS and configure protection for SSH, web services, and email servers.

Fail2ban scans log files for failed login attempts. It then temporarily or permanently bans offending IP addresses using iptables rules. For hosting customers, this provides essential protection without constant monitoring.

Prerequisites and System Requirements

Before you install Fail2ban on Ubuntu VPS, ensure your server meets these requirements:

  • Ubuntu 20.04, 22.04, or 24.04 LTS
  • Root or sudo privileges
  • SSH access to your server
  • iptables firewall (usually installed by default)
  • At least 512MB RAM (minimal overhead)

Check your Ubuntu version:

lsb_release -a

Verify iptables is available:

sudo iptables -L

Step 1: Update Package Repository and Install Fail2ban

Update your package lists to get the latest version:

sudo apt update

Install Fail2ban from the official Ubuntu repository:

sudo apt install fail2ban -y

The installation includes the main fail2ban service and default configuration files. Ubuntu's package manager handles dependencies automatically.

Verify the installation:

fail2ban-server --version

Start and enable the Fail2ban service:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Step 2: Understand Fail2ban Configuration Structure

Fail2ban keeps its configuration in these files and directories:

  • /etc/fail2ban/jail.conf - Default configuration (gets overwritten on updates)
  • /etc/fail2ban/jail.local - Local overrides (persists through updates)
  • /etc/fail2ban/filter.d/ - Log parsing patterns
  • /etc/fail2ban/action.d/ - Actions to take when violations occur

Never edit jail.conf directly. Always create jail.local for your customizations.

Create your local configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Step 3: Configure SSH Protection (Essential First Step)

SSH protection should be your first priority. Edit the jail.local file:

sudo nano /etc/fail2ban/jail.local

Find the [sshd] section and modify it:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

Key parameters explained:

  • maxretry = 3 - Ban after 3 failed attempts
  • bantime = 3600 - Ban for 1 hour (3600 seconds)
  • findtime = 600 - Look for failures within 10 minutes
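
To show how maxretry, findtime and bantime interact, the following added example (not part of the original guide and not Fail2ban's own code) replays constructed auth.log lines through a sliding window. The regex is a simplified stand-in for the sshd filter, and FAILED, SAMPLE_LOG and simulate_bans are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the sshd filter: matches only "Failed password" lines.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<host>\S+) port \d+"
)

# Constructed sample lines using documentation addresses, not real log data.
SAMPLE_LOG = """\
2026-04-30T10:00:00+00:00 vps sshd[901]: Failed password for root from 203.0.113.7 port 40001 ssh2
2026-04-30T10:00:00+00:00 vps sshd[902]: Failed password for invalid user admin from 198.51.100.20 port 40002 ssh2
2026-04-30T10:01:00+00:00 vps sshd[903]: Accepted password for deploy from 192.0.2.9 port 40003 ssh2
2026-04-30T10:02:00+00:00 vps sshd[904]: Failed password for root from 203.0.113.7 port 40004 ssh2
2026-04-30T10:04:00+00:00 vps sshd[905]: Failed password for root from 203.0.113.7 port 40005 ssh2
2026-04-30T10:06:00+00:00 vps sshd[906]: Failed password for invalid user admin from 198.51.100.20 port 40006 ssh2
2026-04-30T10:11:00+00:00 vps sshd[907]: Failed password for invalid user admin from 198.51.100.20 port 40007 ssh2
"""


def simulate_bans(log_text, maxretry=3, findtime=600, bantime=3600):
    """Return {ip: (banned_at, unbanned_at)} as ISO strings, first ban only."""
    window = defaultdict(deque)  # ip -> failure times still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["host"] in bans:
            continue
        ip, now = m["host"], datetime.fromisoformat(m["ts"])
        hits = window[ip]
        hits.append(now)
        # Forget failures that have fallen out of the findtime window.
        while now - hits[0] > timedelta(seconds=findtime):
            hits.popleft()
        if len(hits) >= maxretry:
            unban = now + timedelta(seconds=bantime)
            bans[ip] = (now.isoformat(), unban.isoformat())
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate_bans(SAMPLE_LOG).items():
        print(f"{ip} banned {start} until {end}")
```

With the jail values above, 203.0.113.7 is banned on its third failure, while 198.51.100.20 also fails three times but escapes because its first attempt is more than 600 seconds old by the time the third arrives.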

If you use a non-standard SSH port, update the port setting:

port = 2222

Step 4: Configure Global Default Settings

Set global defaults that apply to all jails. Find the [DEFAULT] section:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 ::1 your.trusted.ip.here
banaction = iptables-multiport
banaction_allports = iptables-allports

Replace your.trusted.ip.here in ignoreip with your own trusted IP addresses to avoid locking yourself out. Include your office IP, management server, or monitoring system IPs.

For Hostperl VPS hosting customers, consider adding our support IP ranges. This prevents service interruptions during troubleshooting.

Step 5: Enable Additional Service Protection

Protect common services beyond SSH. Add these jail configurations:

# Apache HTTP Auth
[apache-auth]
enabled = true
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3

# Nginx HTTP Auth
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3

# FTP (if running ProFTPD)
[proftpd]
enabled = true
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 3

# Mail services (if running Postfix)
[postfix]
enabled = true
filter = postfix
logpath = /var/log/mail.log
maxretry = 3

Enable only the jails for services you're actually running. Unnecessary jails consume resources and may generate errors.

Step 6: Test Configuration and Restart Service

Test your configuration before applying:

sudo fail2ban-client -t

If the test passes, restart Fail2ban:

sudo systemctl restart fail2ban

Check the service status:

sudo systemctl status fail2ban

Verify active jails:

sudo fail2ban-client status

Step 7: Monitor and Manage Banned IPs

Check status of a specific jail:

sudo fail2ban-client status sshd

View currently banned IPs:

sudo fail2ban-client get sshd banip

Manually ban an IP address:

sudo fail2ban-client set sshd banip 192.168.1.100

Unban an IP address:

sudo fail2ban-client set sshd unbanip 192.168.1.100

Check Fail2ban logs:

sudo tail -f /var/log/fail2ban.log

Advanced Configuration Tips

Create custom filters for application-specific attacks. For example, if you're running WordPress, create a filter for wp-login attacks:

sudo nano /etc/fail2ban/filter.d/wordpress.conf

Add the following filter definition:

[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php
ignoreregex =

Then add a corresponding jail in jail.local:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 7200
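
Fail2ban filters use Python regular expressions, so the wp-login failregex above (with the dot escaped) can be checked offline before it is deployed. The following added example is not part of the original guide: it runs that rule and an assumed stricter variant over constructed nginx access lines, using a simplified stand-in for the <HOST> tag. The stricter rule assumes the default nginx combined log format and that stock WordPress answers a failed login with 200 and a successful one with 302; all names are hypothetical.

```python
import re

# Simplified stand-in for Fail2ban's <HOST> tag; the real expansion also
# validates IPv4, IPv6 and hostname syntax.
HOST = r"(?P<host>\S+)"


def compile_failregex(failregex):
    """Expand <HOST> and compile a failregex as written in a filter file."""
    return re.compile(failregex.replace("<HOST>", HOST))


# The rule from wordpress.conf above: any POST to wp-login.php counts.
PAGE_RULE = compile_failregex(r'^<HOST> .* "POST /wp-login\.php')
# Assumed tightening: anchor to the request field and require status 200,
# which stock WordPress returns for a failed login (success redirects, 302).
STRICT_RULE = compile_failregex(
    r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*" 200 '
)

# Constructed nginx combined-format lines with documentation addresses.
SAMPLE_LINES = [
    '203.0.113.7 - - [30/Apr/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.5.0"',
    '203.0.113.7 - - [30/Apr/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.5.0"',
    '203.0.113.7 - - [30/Apr/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.5.0"',
    '192.0.2.9 - - [30/Apr/2026:10:04:55 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Apr/2026:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Apr/2026:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def count_failures(rule, lines):
    """Return {client address: number of lines the rule counts as failures}."""
    counts = {}
    for line in lines:
        m = rule.match(line)
        if m:
            counts[m["host"]] = counts.get(m["host"], 0) + 1
    return counts


if __name__ == "__main__":
    print("page rule:  ", count_failures(PAGE_RULE, SAMPLE_LINES))
    print("strict rule:", count_failures(STRICT_RULE, SAMPLE_LINES))
```

The page's rule also counts the two successful logins from 192.0.2.9 toward maxretry, while the stricter rule counts only the failed attempts. On the server, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf runs the installed filter against the real log and reports how many lines match.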

For production environments, consider increasing ban times for repeat offenders by using the recidive jail. This bans IPs that get banned multiple times.

Troubleshooting Common Issues

If Fail2ban isn't starting, check configuration syntax:

sudo fail2ban-client -t

Common problems include:

  • Wrong log file paths in jail configuration
  • Services not running (trying to protect Apache when Nginx is running)
  • Permission issues accessing log files
  • iptables not available or misconfigured

Check which log files exist:

ls -la /var/log/auth.log /var/log/nginx/ /var/log/apache2/

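Ensure Fail2ban can read log files. The packaged service runs as root and can normally read /var/log/auth.log with the default permissions shown in the listing above. The command below makes the file world-readable, which exposes login usernames and source addresses to every local account, so use it only if Fail2ban genuinely cannot read the file: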

sudo chmod 644 /var/log/auth.log

Monitoring Fail2ban Effectiveness

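Set up log rotation to prevent Fail2ban logs from consuming disk space. The Ubuntu package already installs /etc/logrotate.d/fail2ban, so open the file and review or adjust it:

sudo nano /etc/logrotate.d/fail2ban

The file should contain a block like the following. The postrotate step calls flushlogs, which makes Fail2ban reopen its log file after rotation:

/var/log/fail2ban.log {
    weekly
    missingok
    rotate 4
    compress
    notifempty
    create 644 root root
    postrotate
        /usr/bin/fail2ban-client flushlogs > /dev/null 2>&1 || true
    endscript
}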

Monitor attack patterns by analyzing logs:

sudo grep "Ban" /var/log/fail2ban.log | tail -20

This server hardening guide pairs well with our Ubuntu Server Initial Setup Tutorial for comprehensive server security.

Frequently Asked Questions

Does Fail2ban slow down my Ubuntu VPS?

Fail2ban has minimal performance impact, typically using less than 50MB RAM. CPU overhead is negligible since it only processes log entries when they're written.

Can I whitelist my IP address permanently?

Yes, add your IP to the ignoreip setting in the [DEFAULT] section of jail.local. Use CIDR notation for IP ranges like 192.168.1.0/24.

What happens if I get locked out of SSH?

You can access your server through the VPS console in your hosting control panel. You can also contact support to remove the ban. This is why setting up ignoreip is crucial.

How long do IP bans last by default?

Default ban time is typically 10 minutes (600 seconds). This guide sets it to 1 hour for better protection. You can adjust bantime in each jail configuration.

Can Fail2ban protect against DDoS attacks?

Fail2ban helps with small-scale attacks but isn't sufficient for large DDoS attacks. For high-traffic protection, consider DDoS mitigation services or hardware solutions.