Debian Tutorials

Debian Tutorials

Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

May 2024


Prevent brute force attacks using fail2ban

Ástþór IPÁstþór IP

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.

1. Install fail2ban

apt-get install fail2ban

2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log

Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban

3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)

ignoreip =

Modify the ignoreip property and type a list of IP addresses or networks seperated by a space.

4. Restart fail2ban (only required if you modified the ignoreip property)

/etc/init.d/fail2ban restart

Comments 5
  • steve
    Posted on

    steve steve


    How about going a little further and showing how to permanently allow an IP so we will be able to ssh to the box and not lock ourself out?

  • aip
    Posted on

    aip aip


    Good point steve. I’ve modified the tutorial to show how to do this.

  • Peter
    Posted on

    Peter Peter


    It’s also quite easy to write your own rules if you’re familiar with Posix regular expressions. This guide ( ) got me started and I wrote a bunch of custom rules to fit my needs.

  • Jeff
    Posted on

    Jeff Jeff


    You should make those changes in jail.local instead of jail.conf. If you update fail2ban it will overwrite the jail.conf with the risk of locking yourself out if something went wrong, because fail2ban isn’t configured with your ignorelist anymore.

  • Hervé
    Posted on

    Hervé Hervé


    It is safer to copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and modify the latter.
    By doing this way, you can install new versions of configuration files without losing your changes.