Skip to main content

Install and Configure Fail2Ban for SSH on Debian

Fail2Ban is a vital security tool for Linux servers, particularly useful in protecting SSH services against brute-force attacks. It monitors service logs for malicious activity and bans offending IPs for a specified duration.

Installing Fail2Ban

Fail2Ban is included in Debian’s default repositories, making it easy to install:

  1. Update your package listings:

    sudo apt update
  2. Install Fail2Ban:

    sudo apt install fail2ban

After installation, the Fail2Ban service starts automatically. Verify it with:

sudo systemctl status fail2ban

Configuring Fail2Ban

Configuration involves editing .local files that override the default .conf files:

  1. Create a .local Configuration File: Copy jail.conf to jail.local:

    sudo cp /etc/fail2ban/jail.{conf,local}
  2. Edit the jail.local File: Open the file:

    sudo nano /etc/fail2ban/jail.local

    Here, you can set various parameters.

Important Parameters

  1. Whitelisting IP Addresses: Add trusted IPs to the ignoreip directive:

    ignoreip = ::1 [Trusted IPs]
  2. Setting Ban Conditions

    • bantime: Duration to ban the IP (default is 10 minutes).
    • findtime: Time window in which failures must occur.
    • maxretry: Number of failures before banning.

    Example settings:

    bantime = 1d
    findtime = 10m
    maxretry = 5
  3. Email Notifications

    Configure to receive email alerts on banning events:

    action = %(action_mw)s
    destemail =
    sender =

Configuring SSH Jail

Fail2Ban uses 'jails' for each service. For SSH, enable and configure the SSH jail in jail.local:

enabled = true
maxretry = 5
findtime = 12h
bantime = 1d
ignoreip = [Other Trusted IPs]

Restarting Fail2Ban

After changes, restart Fail2Ban to apply:

sudo systemctl restart fail2ban

Using fail2ban-client

Manage Fail2Ban with fail2ban-client. Common commands include:

  • Checking server status: sudo fail2ban-client status
  • Unbanning an IP: sudo fail2ban-client set sshd unbanip [IP Address]

Explore more options with fail2ban-client -h.