How to Protect SSH With Fail2Ban on Debian 12

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache and other logs, and uses iptables rules to block brute-force attempts.

Installing Fail2ban package

Check for system updates and install them.

apt update -y

apt upgrade -y

Install fail2ban using the command below.

apt install fail2ban -y


root@vps:~# apt install fail2ban -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  python3-pyinotify python3-systemd whois
Suggested packages:
  mailx monit sqlite3 python-pyinotify-doc
The following NEW packages will be installed:
  fail2ban python3-pyinotify python3-systemd whois

To enable fail2ban, run the following command.

systemctl enable fail2ban


root@vps:~# systemctl enable fail2ban
Synchronizing state of fail2ban.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable fail2ban

To check the status of the service, run the following command.

systemctl status fail2ban


root@vps:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Wed 2023-06-14 19:45:30 UTC; 1min 4s ago
       Docs: man:fail2ban(1)
   Main PID: 934 (fail2ban-server)
      Tasks: 5 (limit: 4652)
     Memory: 18.7M
        CPU: 546ms
     CGroup: /system.slice/fail2ban.service
             └─934 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Configuring Fail2ban

The jail.conf file contains the sections in which fail2ban's configuration settings are defined. We are not going to edit this file, because a package upgrade can overwrite it.

The jail.local file contains the same sections as jail.conf, and its values override those in jail.conf.

Create a jail.local configuration file by copying the default jail.conf file.

cp /etc/fail2ban/jail.{conf,local}

Open the file to configure it.

nano /etc/fail2ban/jail.local

Whitelisting IP addresses

Find the following line in the config file /etc/fail2ban/jail.local and uncomment it to whitelist the IP address.

ignoreip = ::1 

Once you have uncommented it, add your IP address at the end of the line. For example:

ignoreip = ::1 <Your IP address here>

IP addresses are separated by a single space, for example, ignoreip = ::1

Ban settings

There are three main options in these settings:

  • bantime: the length of time (in seconds, hours or days) that an IP address is banned.
  • findtime: the window that fail2ban pays attention to when looking for repeated failed authentication attempts.
  • maxretry: the maximum number of tries allowed before the IP address is blocked.

Find these lines in the config file /etc/fail2ban/jail.local and change them as required.

The default values of these options are:

bantime  = 10m

findtime  = 10m

maxretry = 5

Note: If you want to block an IP address permanently, use a negative value for the bantime option.
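
How findtime, maxretry, bantime and ignoreip interact, shown as an added example: a simplified Python model that is not Fail2Ban's own code and not part of the original page. The log line layout, host name and IP addresses are constructed for illustration, and only the first ban per address is tracked.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Assumed log line layout (ISO timestamp, host, sshd message); constructed, not from the page.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def seconds(value):
    """Convert a jail.local style duration such as '10m', '600' or '-1' to seconds."""
    number, unit = re.fullmatch(r"\s*(-?\d+)\s*([smhd]?)\s*", value).groups()
    return int(number) * UNITS[unit]

def find_bans(lines, bantime="10m", findtime="10m", maxretry=5, ignoreip="::1"):
    """Return {ip: (banned_at, unban_at)}; unban_at is None for a negative bantime."""
    window, ban = timedelta(seconds=seconds(findtime)), seconds(bantime)
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # not a failed SSH login
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in bans or any(ipaddress.ip_address(ip) in net for net in ignored):
            continue  # already banned (first ban only) or whitelisted via ignoreip
        failures = recent[ip]
        failures.append(when)
        while when - failures[0] > window:
            failures.popleft()  # forget failures older than findtime
        if len(failures) >= maxretry:
            bans[ip] = (when, when + timedelta(seconds=ban) if ban >= 0 else None)
    return bans

def _line(ts, ip):  # builds one constructed sshd log line
    return f"2023-06-14T{ts} vps sshd[1201]: Failed password for root from {ip} port 40022 ssh2"

# Constructed sample input using documentation-only IP ranges.
SAMPLE = sorted(
    [_line(f"19:5{i}:00", "203.0.113.7") for i in range(5)]  # 5 failures in 4 minutes
    + [_line(f"19:{30 + 6 * i}:00", "198.51.100.20") for i in range(5)]  # 6 minutes apart
    + [_line(f"19:45:0{i}", "192.0.2.10") for i in range(6)]  # burst from an admin address
)

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE, ignoreip="::1 192.0.2.0/24").items():
        print(ip, "banned at", start, "until", end or "manually unbanned")
```

With the default values, the address that fails five times within four minutes is banned for ten minutes, while the one that fails every six minutes never has five failures inside one findtime window.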

Get e-mail notifications

Note: To receive email alerts, you need to have an SMTP server installed on your server.

To receive email alerts with relevant logs, find the following lines in the config file /etc/fail2ban/jail.local and make sure that they are present.

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

Configure sending and receiving email addresses.

Find the following lines in the config file /etc/fail2ban/jail.local and update the details.


destemail =

sender =

Replace the destemail and sender values with actual email addresses.

Fail2ban Client

To interact with the Fail2ban service, there is a command-line tool called fail2ban-client.

To check its available options, enter the following command.

fail2ban-client -h

Here are a few examples of what can be done with this tool:

Check the jail status.

fail2ban-client status sshd

To unban an IP address.

fail2ban-client set sshd unbanip "IP address here"

To ban an IP address.

fail2ban-client set sshd banip "IP address here"