How to Set Up Fail2ban for Complete SSH Protection on Ubuntu 24.04 (2025)


If you have a Linux server with an SSH port open to the internet, it is not a question of *if* it will be attacked, but *when*. Within minutes of your server going online, automated bots from around the world will begin hammering your SSH port, attempting to guess your password in a relentless brute-force attack. While a strong password and SSH key authentication are essential, a powerful first line of defense is to automatically block these malicious actors before they can cause trouble. This is where Fail2ban excels. This guide will provide a step-by-step walkthrough of how to install and configure Fail2ban on Ubuntu 24.04 for complete SSH protection.

What is Fail2ban and How Does It Work?

Fail2ban is an intrusion prevention framework that operates by monitoring log files for malicious activity. Its concept is simple but brilliant:

  1. It actively scans log files (like `/var/log/auth.log` for SSH).
  2. It uses patterns (called "filters") to identify repeated failed login attempts from the same IP address.
  3. When an IP address exceeds a configured number of failures, Fail2ban triggers an "action."
  4. The default action is to use the system's firewall (UFW on Ubuntu) to create a new rule that temporarily bans the attacker's IP address.

In short, it's an automated security guard that blocks attackers after they've shown their malicious intent, but before they can do any real damage.

Step 1: Installation and Enabling the Service

Getting Fail2ban on your Ubuntu 24.04 server is incredibly easy. Open your terminal and run the following commands:

sudo apt update
sudo apt install fail2ban

Once the installation is complete, the Fail2ban service will start automatically and, by default, it is already configured to monitor your SSH logs. To ensure the service is running and will start on boot, you can use:

sudo systemctl status fail2ban
sudo systemctl enable fail2ban

Step 2: The Golden Rule - Create a `jail.local` Configuration

This is the most important step for any custom configuration. You should **NEVER** edit the default `jail.conf` file. This file can be overwritten by future package updates, which would erase all of your custom settings. Instead, you create a local override file called `jail.local`.

Copy the default configuration to a new local file with this command:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, all of your custom changes will be made safely in `jail.local`.

Step 3: Customizing Your SSH Jail

Open your new local configuration file with a text editor like nano:

sudo nano /etc/fail2ban/jail.local

Scroll down until you find the `[sshd]` section. This is the "jail" that specifically handles SSH. While the default settings work, you can "harden" them for better protection. You can override the default settings by adding them directly under the `[sshd]` heading. A good hardened configuration looks like this:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 5m
bantime = 1d

  • `maxretry = 3`: Bans an IP address after only 3 failed login attempts.
  • `findtime = 5m`: The failures must occur within a 5-minute window to trigger a ban.
  • `bantime = 1d`: This is a major improvement. Instead of the default 10 minutes, a malicious IP is banned for an entire day.

Also, it is critical to whitelist your own IP addresses so you don't accidentally ban yourself. Find the `ignoreip` line in the `[DEFAULT]` section at the top of the file and add your home or office static IP address.

ignoreip = 127.0.0.1/8 ::1 YOUR_IP_HERE

After saving your changes (`Ctrl+X`, then `Y`, then `Enter`), restart Fail2ban for the new rules to take effect:

sudo systemctl restart fail2ban
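
To see how `maxretry`, `findtime`, `bantime` and `ignoreip` interact, the following added example (not part of the original guide and not Fail2ban's own code) replays the counting rule over constructed log lines. The regex is a simplified stand-in for the real `sshd` filter, and `198.51.100.7` is an assumed value standing in for `YOUR_IP_HERE`.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [sshd] jail above; the last IGNOREIP entry stands in for YOUR_IP_HERE.
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=5), timedelta(days=1)
IGNOREIP = ["127.0.0.1/8", "::1", "198.51.100.7"]

# Simplified stand-in for the sshd filter (assumption: the real filter matches more messages).
FAILURE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Constructed sample lines in auth.log style, using documentation-range addresses.
SAMPLE_LOG = """\
2025-01-10T12:00:00+00:00 web1 sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
2025-01-10T12:00:00+00:00 web1 sshd[102]: Failed password for invalid user admin from 192.0.2.44 port 40002 ssh2
2025-01-10T12:00:10+00:00 web1 sshd[103]: Failed password for deploy from 198.51.100.7 port 40003 ssh2
2025-01-10T12:00:20+00:00 web1 sshd[104]: Failed password for deploy from 198.51.100.7 port 40004 ssh2
2025-01-10T12:00:30+00:00 web1 sshd[105]: Failed password for deploy from 198.51.100.7 port 40005 ssh2
2025-01-10T12:01:00+00:00 web1 sshd[106]: Failed password for root from 203.0.113.5 port 40006 ssh2
2025-01-10T12:02:00+00:00 web1 sshd[107]: Failed password for root from 203.0.113.5 port 40007 ssh2
2025-01-10T12:03:00+00:00 web1 sshd[108]: Failed password for invalid user admin from 192.0.2.44 port 40008 ssh2
2025-01-10T12:06:00+00:00 web1 sshd[109]: Failed password for invalid user admin from 192.0.2.44 port 40009 ssh2
"""

def simulate(log_text):
    """Return {ip: ban expiry} for every ban these jail settings would trigger."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in IGNOREIP]
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    bans = {}                    # ip -> time the ban ends
    for line in log_text.splitlines():
        if not (m := FAILURE.match(line)):
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue             # ignoreip: never counted, never banned
        if ip in bans and ts < bans[ip]:
            continue             # ban still active
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()     # drop failures older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = ts + BANTIME
            window.clear()
    return bans

if __name__ == "__main__":
    print({ip: t.isoformat() for ip, t in simulate(SAMPLE_LOG).items()})
```

Only `203.0.113.5` ends up banned: the whitelisted address is never counted, and the three failures from `192.0.2.44` span six minutes, so they never fall inside a single `findtime` window. A longer `findtime` widens that window if you want slower, spaced-out failures to count toward `maxretry`.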

Step 4: Monitoring and Managing Your Jail

You can check the status of your SSH jail, including any IPs that have been banned, with the `fail2ban-client` command:

sudo fail2ban-client status sshd

This will show you a list of currently banned IP addresses. If you ever need to manually unban an IP address (for example, if you locked yourself out), you can use the following command:

sudo fail2ban-client set sshd unbanip THE_IP_ADDRESS

Conclusion: Your Automated SSH Guardian

Fail2ban is an elegant and powerful tool that serves as an essential first line of defense for any internet-facing Linux server. By automatically identifying and blocking the relentless noise of brute-force attacks, it hardens your server's security and provides you with peace of mind. By following this guide, you have successfully deployed an automated guardian for your SSH port, allowing you to focus on more important administrative tasks.