Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading the logs of services such as SSH, ProFTP and Apache, and uses iptables profiles to block brute-force attempts.


To install fail2ban, type the following in the terminal:

sudo apt-get install fail2ban 


To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban:

cd /etc/fail2ban
sudo cp jail.conf jail.local 

Now edit the file:

sudo nano jail.local 

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and maximum number of user attempts to your liking:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 3600
maxretry = 3 

Email Notification

Note: You will need sendmail or any other MTA to do this.

If you wish to be notified of bans by email, modify this line with your email address:

destemail = 

Then find the line:

action = %(action_)s 

and change it to

action = %(action_mw)s 

Jail Configuration

Jails are the rules which fail2ban applies to a given application/log:


enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3 

To enable the other profiles, such as [ssh-ddos], make sure the first line beneath it reads:

enabled = true 

Once done, restart fail2ban to put those settings into effect:

sudo /etc/init.d/fail2ban restart 
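
To see how maxretry and ignoreip from the settings above interact before relying on them, the following added example (not part of the original page and not fail2ban's own code) models a jail's ban decision over constructed auth.log lines. The regular expression is a simplified stand-in for the sshd filter, findtime is a fail2ban jail option not shown on this page, the year parameter is an assumption because syslog timestamps carry no year, and only IP/CIDR entries of ignoreip are handled.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the sshd filter; fail2ban's own filter covers more cases.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed auth.log lines (documentation-range addresses, not real traffic).
SAMPLE = """\
Mar 28 02:00:00 host sshd[900]: Failed password for root from 192.0.2.9 port 4000 ssh2
Mar 28 02:20:00 host sshd[901]: Failed password for root from 192.0.2.9 port 4001 ssh2
Mar 28 02:40:00 host sshd[902]: Failed password for root from 192.0.2.9 port 4002 ssh2
Mar 28 02:40:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 28 02:40:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 28 02:40:06 host sshd[1003]: Accepted password for bob from 198.51.100.7 port 51001 ssh2
Mar 28 02:40:09 host sshd[1001]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 28 02:41:00 host sshd[1004]: Failed password for root from 127.0.0.1 port 60001 ssh2
Mar 28 02:41:02 host sshd[1004]: Failed password for root from 127.0.0.1 port 60002 ssh2
Mar 28 02:41:04 host sshd[1004]: Failed password for root from 127.0.0.1 port 60003 ssh2
""".splitlines()

def find_bans(lines, maxretry=3, findtime=600, ignoreip=("127.0.0.1/8",), year=2013):
    """Return {ip: time of the failure that would trigger the ban}."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:  # host name instead of an address: skipped here
            continue
        if str(ip) in bans or any(ip in net for net in ignored):
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        window = recent[str(ip)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[str(ip)] = ts
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE))
```

With the defaults only 203.0.113.5 is banned: the three failures from 192.0.2.9 are spaced wider than findtime, and the failures from 127.0.0.1 fall inside the ignored range.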

Advanced: Filters

If you wish to tweak or add log filters, you can find them in



To test fail2ban, look at the iptables rules:

sudo iptables -L 

Attempt to log in to a service that fail2ban is monitoring (preferably from another machine) and look at the iptables rules again to see if that source IP gets added.


Remarks (Robert van Reems): To test fail2ban on Ubuntu 12.04 server edition a reboot is required. Restarting or reloading the service didn't work.

Fail2ban (last edited 2013-03-28 02:46:15 by mfisch)