How To Protect SSH With Fail2Ban on Ubuntu 25.10

Fail2Ban is an intrusion prevention framework written in Python that monitors log files for suspicious activity such as repeated failed login attempts. It automatically updates firewall rules (using iptables or nftables) to block offending IPs and prevent brute-force attacks.

Update the System

Before installing, update your system packages:

apt update -y
apt upgrade -y

Install Fail2Ban

Install the Fail2Ban package using the following command:

apt install fail2ban -y

Output:

root@server:~# apt install fail2ban -y
Installing:
  fail2ban

Installing dependencies:
  python3-pyasyncore  python3-pyinotify  whois

Suggested packages:
  mailx  monit  sqlite3  python-pyinotify-doc

Summary:
  Upgrading: 0, Installing: 4, Removing: 0, Not Upgrading: 1
  Download size: 509 kB
  Space needed: 2,625 kB / 17.5 GB available

Enable and start the service:

systemctl enable fail2ban
systemctl start fail2ban

Check the status of Fail2Ban:

systemctl status fail2ban

Output:

root@server:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset:>
     Active: active (running) since Tue 2025-10-21 19:45:42 UTC; 1min 42s ago
 Invocation: 8aa94aaf6a934b998585bd4b6ac8ae2c
       Docs: man:fail2ban(1)
   Main PID: 9363 (fail2ban-server)
      Tasks: 5 (limit: 8799)
     Memory: 16M (peak: 17.3M)
        CPU: 713ms
     CGroup: /system.slice/fail2ban.service
             └─9363 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Oct 21 19:45:42 server systemd[1]: Started fail2ban.service - Fail2Ban Service.
Oct 21 19:45:42 server fail2ban-server[9363]: Server ready

Configure Fail2Ban

The default configuration file is /etc/fail2ban/jail.conf, but it's not recommended to edit it directly, as updates may overwrite your changes.
Instead, create a copy named jail.local:

cp /etc/fail2ban/jail.{conf,local}

Edit the new configuration file:

nano /etc/fail2ban/jail.local

Whitelist Trusted IPs

Locate the line:

#ignoreip = 127.0.0.1/8 ::1

Uncomment and add your trusted IP addresses:

ignoreip = 127.0.0.1/8 ::1 192.168.0.100 192.168.1.0/24

Separate entries with spaces. Each entry can be a single IP address or an entire subnet.

Adjust Ban Settings

You can fine-tune how Fail2Ban reacts to failed logins:

bantime  = 10m
findtime = 10m
maxretry = 5

  • bantime — Duration of the ban (use -1 for a permanent ban).
  • findtime — Time window for counting failed attempts.
  • maxretry — Number of failed attempts before banning.
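
How ignoreip, findtime and maxretry interact can be seen by replaying log lines through a simplified model of the counting logic. This is an added example, not Fail2Ban's own code or part of the original guide; the regular expression, the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Settings copied from the jail.local values shown in this guide.
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.0.100", "192.168.1.0/24"]
FINDTIME = timedelta(minutes=10)
MAXRETRY = 5

# Simplified stand-in for the sshd filter: matches failed-password lines only.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\S*: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def is_ignored(ip):
    """True when ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)

def find_bans(lines, year=2025):
    """Return {ip: time of ban} for hosts with MAXRETRY failures inside FINDTIME."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m.group(2) in bans or is_ignored(m.group(2)):
            continue
        # Syslog timestamps carry no year, so one is supplied.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        window = recent[m.group(2)]
        window.append(when)
        while when - window[0] > FINDTIME:   # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[m.group(2)] = when
    return bans

def _line(ts, ip):  # builds one constructed auth.log line
    return f"Oct 21 {ts} server sshd[1234]: Failed password for root from {ip} port 50000 ssh2"

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = sorted(
    [_line(t, "203.0.113.5") for t in ("19:50:01", "19:50:05", "19:51:10", "19:53:00", "19:55:30")]
    + [_line(t, "198.51.100.7") for t in ("19:50:00", "19:54:00", "19:58:00", "20:02:00", "20:06:00")]
    + [_line(f"19:52:0{i}", "192.168.1.10") for i in range(6)]
)

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Only 203.0.113.5 is banned: 198.51.100.7 also fails five times, but never five times within one 10-minute window, and 192.168.1.10 is covered by the 192.168.1.0/24 whitelist entry.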

Enable Email Alerts (Optional)

If you have an SMTP server configured, Fail2Ban can send email notifications when an IP is banned.

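Ensure the following action definition is present and not commented out. It only defines the action; a jail sends mail only when its action setting refers to action_mwl.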

action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

Then configure your email details:

destemail = admin@xyz.com
sender = root@xyz.com

Using fail2ban-client

The fail2ban-client command allows you to manage and query Fail2Ban.

Show all available options:

fail2ban-client -h

Check SSH jail status:

fail2ban-client status sshd

Unban a specific IP:

fail2ban-client set sshd unbanip 192.168.1.10

Ban a specific IP manually:

fail2ban-client set sshd banip 192.168.1.10

Conclusion

You have successfully installed and configured Fail2Ban on Ubuntu 25.10 to protect your SSH service from brute-force attacks.
Fail2Ban continuously monitors your logs and dynamically blocks malicious IPs, enhancing your server’s security with minimal effort.

