Protect SSH with Fail2ban

Fail2ban watches login logs and temporarily blocks IP addresses that fail authentication too often. It is a useful extra layer of protection for SSH.

Caution

Fail2ban does not replace strong passwords or SSH keys. It only slows down repeated login attempts.

Install Fail2ban

apt update
apt install fail2ban -y

Enable and start the service:

systemctl enable --now fail2ban

Check that it is running:

systemctl status fail2ban

Create a local SSH jail

Create a local configuration file:

nano /etc/fail2ban/jail.local

Add this basic SSH configuration:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 10m
bantime = 1h

If your SSH port is not 22, replace port = ssh with your port:

port = 2222

Restart Fail2ban:

systemctl restart fail2ban

Check status

Show enabled jails:

fail2ban-client status

Show SSH jail details:

fail2ban-client status sshd

You will see how many IPs are currently banned and which IPs are listed.

Unban an IP address

If you accidentally ban yourself, use the hosting panel console or another trusted IP to run:

fail2ban-client set sshd unbanip <ip-address>

Example:

fail2ban-client set sshd unbanip 203.0.113.10