Fail2Ban Setup Guide (Complete & Permanent Ban Configuration)

This page contains both the full Fail2Ban setup guide and the permanent-ban configuration merged into one DokuWiki-ready document.


Fail2Ban Overview

Fail2Ban protects your server from brute-force attacks by scanning logs for repeated failures and banning the offending IP addresses. It can protect SSH, Nginx, Apache, FTP, and more.


1. Install Fail2Ban

Update packages:

sudo apt update && sudo apt upgrade -y

Install Fail2Ban:

sudo apt install fail2ban -y

Enable service:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

sudo systemctl status fail2ban

2. Fail2Ban Configuration Files

Never edit /etc/fail2ban/jail.conf directly: package updates can overwrite it. Settings in jail.local take precedence over jail.conf.

Create a local override:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file:

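sudo nano /etc/fail2ban/jail.local

Set the defaults in the [DEFAULT] section. An address is banned for bantime once it reaches maxretry failures within findtime:

[DEFAULT]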
bantime  = 1h
findtime = 10m
maxretry = 5
backend  = systemd
ignoreip = 127.0.0.1/8

Whitelist your own IP by appending it to ignoreip, separated by a space:

ignoreip = 127.0.0.1/8 <IP_ADDRESS>

4. Permanent Ban Configuration (Forever Ban)

To ban an IP permanently (until it is manually unbanned), set:

[DEFAULT]
bantime = -1
findtime = 10m
maxretry = 3
backend = systemd

Because it is set in [DEFAULT], this applies to every jail.

Permanent Ban for SSH Only

[sshd]
enabled = true
bantime = -1
maxretry = 3
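
A permanent ban also hits your own address after a few mistyped passwords, so confirm that ignoreip covers the admin IP before setting bantime = -1. The script below is an added example, not part of the original guide: it reads one jail.local-style file and reports whether an IPv4 address would be exempt in a given jail; the function names, the sample config and the documentation-range addresses are constructed for illustration.

```shell
# Added example. Assumptions: one config file, IPv4 entries only, POSIX sh + awk.
get_opt() {  # get_opt FILE SECTION KEY -> value of KEY inside [SECTION], or empty
  awk -v s="[$2]" -v k="$3" '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^\[/ { in_s = ($1 == s); next }             # track the current section
    in_s && (p = index($0, "=")) {
      key = substr($0, 1, p - 1); gsub(/[ \t]/, "", key)
      if (key == k) { val = substr($0, p + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
    }
    END { print val }' "$1"
}
effective() (  # effective FILE JAIL KEY -> the jail's value, else the [DEFAULT] one
  v=$(get_opt "$1" "$2" "$3")
  [ -n "$v" ] || v=$(get_opt "$1" DEFAULT "$3")
  printf '%s\n' "$v"
)

ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )
in_net() (  # in_net IP ENTRY, where ENTRY is a.b.c.d or a.b.c.d/len
  net=${2%/*}; len=32
  case $2 in */*) len=${2#*/} ;; esac
  drop=$(( 32 - len ))                           # host bits to discard
  [ $(( $(ip2int "$1") >> drop )) -eq $(( $(ip2int "$net") >> drop )) ]
)

lockout_check() (  # lockout_check FILE JAIL ADMIN_IP -> prints a verdict
  case $(effective "$1" "$2" bantime) in
    -*) ;;                                       # negative bantime = permanent
    *)  echo "temporary"; exit 0 ;;
  esac
  for entry in $(effective "$1" "$2" ignoreip | tr ',' ' '); do
    case $entry in *[!0-9./]*) continue ;; esac  # skip hostnames and IPv6
    if in_net "$3" "$entry"; then echo "whitelisted"; exit 0; fi
  done
  echo "lockout-risk"; exit 1
)

# Constructed sample config (documentation address ranges), not a real server's.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[DEFAULT]
bantime  = 1h
ignoreip = 127.0.0.1/8 203.0.113.0/24
[sshd]
bantime = -1
EOF
lockout_check "$conf" sshd 203.0.113.7             # whitelisted
lockout_check "$conf" sshd 198.51.100.9 || true    # lockout-risk
rm -f "$conf"
```

lockout_check exits non-zero only for the lockout-risk verdict, so it can gate a restart of the service.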

5. Enable SSH Protection

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s

Restart Fail2Ban:

sudo systemctl restart fail2ban

Check jail:

sudo fail2ban-client status sshd

6. Enable Nginx Protection (Optional)

[nginx-http-auth]
enabled = true

[nginx-botsearch]
enabled = true

Restart:

sudo systemctl restart fail2ban

7. View & Manage Bans

Show banned IPs:

sudo fail2ban-client status sshd

Unban an IP:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

Example:

sudo fail2ban-client set sshd unbanip 192.168.1.50

Ban an IP manually:

sudo fail2ban-client set sshd banip <IP_ADDRESS>

View logs:

sudo tail -f /var/log/fail2ban.log

8. Custom Ban Times (Optional)

Permanent ban:

bantime = -1

Longer ban:

bantime  = 24h
findtime = 15m
maxretry = 3

9. Log Locations


10. Useful Commands

Restart:

sudo systemctl restart fail2ban

Reload rules:

sudo fail2ban-client reload

Dump the parsed configuration (for debugging):

sudo fail2ban-client -d

Show all jails:

sudo fail2ban-client status

11. Fail2Ban + UFW (Optional)

Allow SSH before enabling the firewall, so the current session is not cut off:

sudo ufw allow ssh
sudo ufw enable

Restart:

sudo systemctl restart fail2ban

12. Troubleshooting

Fail2Ban not banning anything

Watch the log for errors:

sudo tail -f /var/log/fail2ban.log

Confirm that jail.local sets the backend:

backend = systemd

Then restart:

sudo systemctl restart fail2ban

SSH jail inactive

sudo fail2ban-client status sshd

Nginx jail not working


Done

Fail2Ban is now fully configured with: