How to Prevent SSH Brute-Force Attacks on Linux Using Fail2ban

What Is Fail2ban?

Fail2ban is an open-source intrusion prevention software that helps protect Linux servers from unauthorized access attempts. It is designed to scan log files, such as system logs or application logs, and identify suspicious or malicious activity, particularly repeated failed login attempts or other specified patterns. When such activity is detected, Fail2ban takes action by dynamically updating firewall rules to block the IP addresses associated with the suspicious activity, effectively preventing further unauthorized access. It works with most remote connection services such as SSH, FTP, SMTP, and HTTP.

Situations Where Fail2ban Can Be Beneficial

Protection against SSH Brute-Force Attacks: Fail2ban is effective in mitigating brute-force attacks against SSH, FTP, or any other service that writes authentication failures to a log. It detects repeated failed login attempts from specific IP addresses and dynamically blocks those addresses, preventing further unauthorized login attempts.

Mitigating Password Guessing: Fail2ban helps in countering password guessing attacks where automated tools systematically try different username and password combinations to gain access. By recognizing and blocking IP addresses associated with such activity, Fail2ban reduces the chances of successful unauthorized access.

Enhanced Server Security: By continuously monitoring logs and enforcing dynamic firewall rules, Fail2ban enhances server security and protects against various types of malicious activities. It provides an additional layer of defense, complementing other security measures implemented on the server.

Prevention of Account Lockouts: Fail2ban can prevent legitimate user accounts from being locked out due to mistyped passwords or accidental login failures. It imposes temporary bans, allowing users to retry after a specific duration without permanently blocking them.

Automated Response to Security Threats: Fail2ban automates the process of detecting and responding to security threats. It scans logs, identifies suspicious patterns, and takes action by dynamically updating firewall rules. This automation saves time and reduces the workload on administrators.

Monitoring and Auditing: Fail2ban generates logs and reports on detected security events, providing valuable information for monitoring and auditing purposes. Administrators can review the logs to gain insights into potential security risks and take necessary corrective actions.

Customizable Security Policies: Fail2ban allows administrators to define custom rules and filters based on specific security policies and requirements. This flexibility enables organizations to tailor the protection to their unique environment and address specific threats they may face.

With Fail2ban, you can reduce the risk of security breaches by being proactive in securing your Linux servers or PCs.

How to Install Fail2ban on a Linux Server

There are many Linux distributions available. In this tutorial, we will use Ubuntu as an example.

1. Install Fail2ban

After logging in to your Linux server, switch to the root account with the following command and input the password as prompted.

sudo -i

Then, install Fail2ban using the following command and enter y to continue the installation of the package.

apt install fail2ban

2. Start the Fail2ban Service

Enabling the service makes Fail2ban start automatically in the background whenever the system boots.

systemctl enable fail2ban.service

Then, start the service with the following command.

systemctl start fail2ban

Next, check the status of the Fail2ban service by issuing the command below. The output should show that the service is active and running. Finally, press "Ctrl" and "C" together to exit the status view.

systemctl status fail2ban

3. Configure Fail2ban

The /etc/fail2ban/jail.conf file stores the main Fail2ban configuration. By issuing the following commands, you can print the first 20 lines of the jail.conf file. The header mainly directs you not to modify this file, but to create separate files within the jail.d/ directory or to provide your customization in a jail.local file. The jail.conf file is updated together with Fail2ban itself and serves as the reference for the default settings wherever you have not made any custom modifications.

cd /etc/fail2ban
head -20 jail.conf

In this tutorial, we will create a jail.local file and provide customization in the file. We create the jail.local by copying the jail.conf. Issue the command below.

cd /etc/fail2ban && cp jail.conf jail.local

From the output, you can see that a jail.local file is copied.
Next, we can start making customizations to the jail.local file with any text editor you prefer. In this tutorial, we use the nano editor. Run the command below to open the file.

nano jail.local

This file is composed of many sections that define settings for specific services. The settings under the DEFAULT header apply to all of the services supported by Fail2ban. Other sections, such as sshd, contain service-specific settings that override the defaults. When setting the value of a parameter, read the comment above it (the lines beginning with #) for reference.

For example, under the DEFAULT section, bantime sets how long an IP address stays banned once it has exceeded the allowed number of authentication failures. The maxretry parameter defines the maximum number of authentication failures an IP address may accumulate within the findtime window before it is banned. For testing, we have set bantime and maxretry to 20m and 2 respectively.


Scrolling down the file, you can change any settings you would like to customize. For example, you can enable the sshd jail by adding "enabled = true" to the sshd section.


After the customization, press "Ctrl" and "X", enter "y" to confirm, and then press Enter to save the changes. Lastly, restart the Fail2ban service by running the command below so the changes take effect.

systemctl restart fail2ban

4. Test the Fail2ban Configurations

Now you can test whether the maxretry configuration is working. Try to log in via SSH to the server you have configured. When prompted for credentials, enter wrong passwords. After the second failure, Fail2ban will block your IP address for 20 minutes, as configured.


You can check the logs of the Fail2ban service for more details.

cat /var/log/fail2ban.log

The IP address is banned after two authentication failures and unbanned 20 minutes later, as configured.
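To make the interaction of maxretry, findtime and bantime concrete, here is a small Python model of the sshd jail, added as an example for this article (it is not Fail2ban's own code). It replays constructed sshd log lines with the values used above (maxretry = 2, bantime = 20m) and an assumed findtime of 10m, which the article does not set; the regex is a simplified form of the "Failed password" pattern the sshd filter matches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (sample data, not from the original post).
AUTH_LOG = """\
Jun 12 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 12 10:00:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jun 12 10:03:30 host sshd[1210]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jun 12 10:21:00 host sshd[1250]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Jun 12 10:25:00 host sshd[1260]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

# Simplified form of the sshd filter's "Failed password" pattern; <HOST> is the capture group.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+)"
)

def parse_duration(value: str) -> timedelta:
    # jail.local shorthand as used in the post: "20m", "10m", "1h", "1d"
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[value[-1]]: int(value[:-1])})

def run_jail(log: str, maxretry: int, findtime: str, bantime: str, year: int = 2024):
    window, ban_len = parse_duration(findtime), parse_duration(bantime)
    failures = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned_until, events = {}, []   # host -> ban expiry; emitted ("Ban"|"Unban", host, time)
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                # successful logins and unrelated lines are not failures
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        if now < banned_until.get(host, now):
            continue                # still banned: the firewall rule is already dropping it
        q = failures[host]
        q.append(now)
        while now - q[0] > window:
            q.popleft()             # failures older than findtime no longer count
        if len(q) >= maxretry:
            banned_until[host] = now + ban_len
            events.append(("Ban", host, now))
            events.append(("Unban", host, now + ban_len))
            q.clear()
    return sorted(events, key=lambda e: e[2])

if __name__ == "__main__":
    for action, host, when in run_jail(AUTH_LOG, maxretry=2, findtime="10m", bantime="20m"):
        print(f"{when:%H:%M:%S} {action:5} {host}")
```

With these settings only 203.0.113.7 is banned: the two failures from 198.51.100.4 are more than findtime apart, so the first has expired before the second arrives.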


Conclusion

Fail2ban is a powerful tool that can significantly enhance the security of your Linux system by stopping SSH brute-force attacks. By analyzing log files and automatically banning the offending IP addresses, Fail2ban serves as a reliable guard against unauthorized access attempts. In this blog, we have explored the installation process and the main configuration options. You can now install Fail2ban and configure it to your needs to build a safer Linux server environment. Staying proactive in safeguarding your system is crucial, and Fail2ban is a valuable tool for doing so.

While Fail2ban is a valuable tool for enhancing the security of your Linux server, it is not a complete security solution on its own. In addition to Fail2ban, you should also consider other measures to harden your Linux system, such as using strong passwords and configuring a firewall.