Fail2ban Installation and Configuration Guide for VPS

A comprehensive guide to securing your VPS with fail2ban, intrusion prevention software that protects against brute-force attacks.

Prerequisites

  • Ubuntu/Debian-based VPS with root or sudo access
  • SSH access to your server
  • A firewall (iptables or ufw) installed

Installation

sudo apt update
sudo apt install fail2ban -y

Enable fail2ban to start on boot:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configuration

Fail2ban uses a hierarchy of configuration files. Never modify jail.conf directly as it may be overwritten during updates. Instead, create a jail.local file for your customizations.

Basic Configuration

Create your local configuration file:

sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Ban duration (1 hour)
bantime = 1h

# Time window for counting failures
findtime = 10m

# Number of failures before ban
maxretry = 3

# Progressive ban times for repeat offenders
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 1w

# Ignore localhost
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF

Restart fail2ban to apply changes:

sudo systemctl restart fail2ban

Configuration Options Explained

Option     Description                                                Recommended Value
bantime    Duration of the ban                                        1h to 24h
findtime   Time window for counting failures                          10m
maxretry   Failures allowed before ban                                3-5
ignoreip   IPs that should never be banned                            Your static IP, localhost
mode       Filter aggressiveness (normal, ddos, extra, aggressive)    aggressive for SSH
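To see how findtime, maxretry and ignoreip combine before touching a live server, here is an added Python simulation (not part of this guide and not fail2ban's own code) that replays constructed sshd lines through a minimal jail. The regex is a simplified stand-in for the shipped sshd filter, and the year is supplied only because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of sshd entries in /var/log/auth.log syslog format (not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:02:15 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:04:30 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:05:00 vps sshd[1204]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar  3 10:05:01 vps sshd[1205]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  3 10:05:02 vps sshd[1206]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar  3 10:10:00 vps sshd[1207]: Failed password for root from 198.51.100.9 port 60000 ssh2
Mar  3 10:30:00 vps sshd[1208]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar  3 10:50:00 vps sshd[1209]: Failed password for root from 198.51.100.9 port 60002 ssh2
"""

# Simplified stand-in for the failregex in filter.d/sshd.conf (hypothetical, much narrower).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def simulate_jail(log_text, findtime=600, maxretry=3,
                  ignoreip=("127.0.0.1/8", "::1"), year=2024):
    """Return the IPs a jail with these settings would ban, in order of first ban.
    findtime is in seconds, as in jail.local: an IP is banned once maxretry
    matching failures fall within a findtime-long window."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]  # strict=False accepts 127.0.0.1/8
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                                   # no failregex match: line is ignored
        ip = m.group("ip")
        if any(ip_address(ip) in net for net in ignored):
            continue                                   # ignoreip: never counted, never banned
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()                           # drop failures older than findtime
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned
```

With the guide's defaults only 203.0.113.7 is banned; 198.51.100.9 spreads its three failures over 40 minutes and slips under a 10-minute findtime, which is exactly why slow brute-force attempts need the recidive jail or a longer window.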

Progressive Ban Configuration

For repeat offenders, enable progressive banning:

[DEFAULT]
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 1w

This configuration doubles the ban time for each subsequent offense, up to a maximum of one week.
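As an added worked example (not from this guide), the schedule below applies the default bantime.formula from fail2ban's jail.conf, ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor, to the settings above; str2seconds and fmt are minimal stand-ins written for this example, not fail2ban's own helpers. Note that the factor multiplies every step of the formula, so bantime.factor = 2 makes the second ban four times the first, while the default factor of 1 gives the 1, 2, 4, 8 progression jail.conf describes.

```python
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def str2seconds(value):
    """Minimal stand-in for fail2ban's duration parser: '1h', '10m', '1w' or plain seconds."""
    value = str(value).strip()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


def ban_schedule(bantime="1h", factor=2, maxtime="1w", bans=8):
    """Seconds the Nth ban of the same IP lasts (N = 1..bans) under bantime.increment.

    Uses jail.conf's default bantime.formula:
        ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
    ban.Time is the configured bantime and ban.Count the number of earlier bans
    found in the fail2ban database; the first ban (ban.Count == 0) uses bantime
    unchanged, and bantime.maxtime caps every result.
    """
    base, cap = str2seconds(bantime), str2seconds(maxtime)
    schedule = []
    for count in range(bans):
        seconds = base if count == 0 else base * (1 << min(count, 20)) * factor
        schedule.append(min(seconds, cap))
    return schedule


def fmt(seconds):
    """Render seconds in the largest unit that divides evenly, e.g. 14400 -> '4h'."""
    for suffix, size in sorted(UNITS.items(), key=lambda kv: -kv[1]):
        if seconds % size == 0:
            return f"{seconds // size}{suffix}"
    return f"{seconds}s"


if __name__ == "__main__":
    for n, s in enumerate(ban_schedule(), start=1):
        print(f"ban #{n}: {fmt(s)}")   # 1h, 4h, 8h, 16h, 32h, 64h, 128h, 1w
```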

Protecting Additional Services

Traefik (Reverse Proxy)

[traefik-auth]
enabled = true
port = http,https
logpath = /var/log/traefik/access.log
maxretry = 5

Nginx

[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s

Apache

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

Postfix (Mail Server)

[postfix]
enabled = true
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s

Recidive (Ban Repeat Offenders Across All Jails)

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 5

Management Commands

Check Status

# Overall fail2ban status
sudo fail2ban-client status

# Status of a specific jail
sudo fail2ban-client status sshd

View Banned IPs

sudo fail2ban-client status sshd | grep "Banned IP"

Manually Ban/Unban an IP

# Ban an IP
sudo fail2ban-client set sshd banip 192.168.1.100

# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100

View Logs

# Real-time monitoring
sudo tail -f /var/log/fail2ban.log

# View recent bans
sudo grep "Ban" /var/log/fail2ban.log | tail -20

Test Configuration

# Check for syntax errors
sudo fail2ban-client -t

# Reload configuration
sudo systemctl reload fail2ban

Troubleshooting

Verify Jail is Active

sudo fail2ban-client status

Check Filter Regex

Test if the filter matches your log format:

sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

View iptables Rules Created by Fail2ban

sudo iptables -L -n | grep -A 10 f2b

Common Issues

Fail2ban not banning IPs:

  • Verify the log path is correct
  • Check if the filter regex matches your log format
  • Ensure the jail is enabled

IPs getting banned too quickly:

  • Increase maxretry value
  • Add your IP to ignoreip

Fail2ban not starting:

  • Check for syntax errors: sudo fail2ban-client -t
  • Review logs: sudo journalctl -u fail2ban

Security Best Practices

  1. Whitelist your IP: Add your static IP to ignoreip to avoid locking yourself out
  2. Use aggressive mode for SSH: The aggressive mode catches more attack patterns
  3. Enable recidive jail: Permanently ban repeat offenders
  4. Monitor logs regularly: Set up log rotation and monitoring
  5. Combine with other security measures: Use fail2ban alongside SSH key authentication, firewall rules, and regular updates

Complete Example Configuration

Here's a production-ready jail.local for a typical VPS:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 1w
ignoreip = 127.0.0.1/8 ::1

# Email notifications (optional)
# destemail = admin@example.com
# sender = fail2ban@example.com
# action = %(action_mwl)s

[sshd]
enabled = true
mode = aggressive
port = ssh
maxretry = 3

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 3
