What Is Fail2Ban and Why It Matters for VPS Security
Every public VPS gets scanned by bots within minutes. SSH is one of the first targets. Attackers cycle through common usernames and weak password combinations at high speed. Even if they fail, they still consume resources and increase risk over time.
Fail2Ban tails log files (or the systemd journal) and matches repeated authentication failures against per-service regex filters. Once an address reaches the configured number of failures inside the time window, Fail2Ban adds a temporary firewall rule (iptables or nftables) that drops traffic from that IP, and removes it again when the ban expires. This dramatically reduces brute-force noise and protects your SSH service from repeated abuse, but it is a rate limiter, not a replacement for key-only authentication.
Before You Start
- Ubuntu VPS with sudo access (Ubuntu 22.04/24.04 are common production setups).
- SSH already working with your admin user.
- A firewall baseline in place. If not, follow this UFW setup guide first.
- Provider emergency console access enabled in case of lockout.
Step 1: Install Fail2Ban on Ubuntu
sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban
If status shows active (running), installation is complete.
Step 2: Create a Safe jail.local Configuration
Do not edit /etc/fail2ban/jail.conf directly: package upgrades overwrite it. Put your changes in /etc/fail2ban/jail.local, which Fail2Ban reads after jail.conf and which wins for every setting it contains. You can copy jail.conf as a starting point, but a jail.local that holds only the settings you override (the fragments below are enough) is easier to review and to diff after an upgrade.
# optional: start from a full copy of the packaged defaults
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Recommended Global Defaults
[DEFAULT]
# Never count or ban localhost or your trusted admin IPs (203.0.113.10 is a placeholder)
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
# Ban for 2 hours once maxretry failures occur inside findtime
bantime = 2h
findtime = 10m
maxretry = 5
# Read sshd events from the systemd journal instead of a log file.
# Required on Ubuntu 24.04, which has no /var/log/auth.log unless rsyslog is installed.
backend = systemd
Replace 203.0.113.10 with your real home/office/static IP, or a CIDR range if your provider rotates addresses. Addresses in ignoreip are never counted and never banned, so this single line is what prevents you locking yourself out with repeated failed logins.
Step 3: Enable and Tune the SSH Jail
In the same file, ensure the sshd jail is enabled and tuned for your traffic profile:
[sshd]
enabled = true
# must list the port(s) sshd actually listens on; the ban rule only covers these
port = ssh
# ignored when backend = systemd, harmless to keep for a file-based backend
logpath = %(sshd_log)s
maxretry = 4
findtime = 10m
bantime = 2h
Detection does not depend on the port: Fail2Ban matches the failure lines sshd writes, whatever port the connection arrived on. The ban does depend on it. The default ban action (iptables-multiport) blocks the offender only on the ports listed in port, so if sshd listens on 2222 and port is still ssh, the IP is reported as banned but can keep hammering 2222. If you moved SSH, set port = 2222 (or port = ssh,2222 while both are open).
Step 4: Restart and Verify the Protection Is Active
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
You should see the sshd jail listed, with counters for currently failed and banned hosts.
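Steps 1 to 4 as one script, added here as an example and not code from the original guide or from the Fail2Ban project. It writes an override-only jail.local, fills the sshd jail's port from /etc/ssh/sshd_config (so the ban rule covers the port sshd really uses), validates the configuration with fail2ban-client -t before restarting, and then shows the jail. It assumes Ubuntu with apt and systemd; 203.0.113.10 is a documentation-range placeholder for your admin address, and the file path and function names are mine.

```sh
#!/bin/sh
# Added example (not from the guide or the Fail2Ban project): generate an
# override-only jail.local, take the sshd port from sshd_config, validate,
# restart, verify. 203.0.113.10 is a placeholder for your own admin IP.
set -e

# Print the port(s) sshd_config declares, comma separated, default 22.
# $1 = path to sshd_config (default /etc/ssh/sshd_config).
# Commented-out "#Port" lines are ignored. Files pulled in via Include are
# not followed; on a live host `sshd -T | awk '/^port /{print $2}'` is the
# authoritative view because it resolves includes.
ssh_port_from_config() {
    local cfg="${1:-/etc/ssh/sshd_config}"
    local ports
    ports=$(grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" 2>/dev/null \
            | awk '{ printf "%s%s", (n++ ? "," : ""), $2 } END { print "" }')
    printf '%s\n' "${ports:-22}"
}

# Print a jail.local that overrides only what this guide changes; everything
# else keeps the packaged defaults from jail.conf.
# $1 = trusted admin IPs/ranges (space separated), $2 = sshd port(s).
render_jail_local() {
    local ignore="$1" port="$2"
    cat <<EOF
[DEFAULT]
# Never count or ban localhost or the admin addresses (203.0.113.10 is a placeholder).
ignoreip = 127.0.0.1/8 ::1 ${ignore}
bantime  = 2h
findtime = 10m
maxretry = 5
# Read sshd events from the systemd journal; needed on Ubuntu 24.04, which has no
# /var/log/auth.log unless rsyslog is installed.
backend  = systemd

[sshd]
enabled  = true
# The default ban action blocks the offender only on these ports, so they must
# match what sshd actually listens on.
port     = ${port}
maxretry = 4
findtime = 10m
bantime  = 2h
EOF
}

# Install, write the config, check it, restart, and show the jail.
# Runs only when invoked as: sudo sh fail2ban-setup.sh apply 203.0.113.10
apply() {
    local admin_ip="${1:?usage: apply <admin-ip-or-cidr>}"
    local port
    apt-get update
    apt-get install -y fail2ban
    port=$(ssh_port_from_config /etc/ssh/sshd_config)
    render_jail_local "$admin_ip" "$port" > /etc/fail2ban/jail.local
    fail2ban-client -t              # parse and semantic check before reloading
    systemctl enable --now fail2ban
    systemctl restart fail2ban
    fail2ban-client status sshd     # the jail should be listed with counters
}

if [ "${1:-}" = "apply" ]; then
    shift
    apply "$@"
fi
```

Defining the functions first and gating the side effects behind the apply argument lets you inspect the generated file (render_jail_local "203.0.113.10" "$(ssh_port_from_config)") before anything touches /etc/fail2ban. fail2ban-client -t exits non-zero on a broken jail.local, which is the moment to stop rather than restart into a daemon that fails to start.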
Daily Fail2Ban Commands You Actually Need
# all jails
sudo fail2ban-client status
# details for SSH jail
sudo fail2ban-client status sshd
# unban a blocked IP
sudo fail2ban-client set sshd unbanip 198.51.100.25
# live log watching
sudo tail -f /var/log/fail2ban.log
Optional Advanced Jails (Nginx, WordPress, API Auth)
Beyond SSH, the stock configuration ships jails for HTTP abuse: nginx-http-auth matches failed HTTP Basic authentication in the nginx error log, and nginx-botsearch bans clients that probe for scripts and paths that do not exist. Neither understands WordPress's wp-login.php or your API's JSON 401 responses out of the box; for those you need a filter whose regex matches the failure line your application actually logs, with the client address in the <HOST> position.
[nginx-http-auth]
enabled = true
[nginx-botsearch]
enabled = true
maxretry = 3
findtime = 10m
bantime = 1h
Enable only jails relevant to your stack to avoid false positives. If nginx sits behind a reverse proxy, load balancer or CDN, the address in its logs is the proxy's, not the client's, and banning it cuts off every visitor at once. Configure nginx's real_ip module to log the forwarded client address (and trust only your proxy's addresses) before enabling HTTP jails in that setup.
Best Practices for Long-Term Reliability
- Use SSH keys and disable password authentication where possible.
- Disable root SSH login and enforce non-root admin users.
- Pair Fail2Ban with UFW allow-list rules and minimal open ports.
- Review ban logs weekly and adjust maxretry/bantime based on behavior.
- Keep Fail2Ban and OS packages updated automatically.
Common Fail2Ban Problems and Fixes
Fail2Ban running, but no bans happen
Usually the jail is watching the wrong source. On Ubuntu 24.04 there is no /var/log/auth.log unless rsyslog is installed, so a file-based logpath watches nothing and the counters stay at zero; set backend = systemd. Confirm with sudo fail2ban-client status sshd: if Total failed stays at 0 while journalctl -u ssh shows failed logins, the filter is not seeing the events. Test the filter directly against the journal with fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf, which reports how many lines matched.
Too many false bans
Increase maxretry or shorten findtime: a ban needs maxretry failures from one address inside the findtime window, so a smaller window forgives slow, human-paced mistakes while still catching bursts. Also ensure trusted network ranges are in ignoreip, since those addresses are never counted at all.
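To see how findtime and maxretry interact (the values from Step 2 and Step 3) and why the adjustments above change who gets banned, here is an added shell model of the jail's counting rule replayed over constructed auth.log lines. It is my illustration, not code from this guide or from the Fail2Ban project, and it simplifies on purpose: it only handles "Failed password" lines, does not expire bans, and uses GNU date to parse timestamps. The IPs are documentation-range placeholders and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the guide or Fail2Ban): a small model of the sshd
# jail's rule "maxretry failures from one IP within findtime seconds => ban",
# applied to constructed log lines. Requires GNU date (Ubuntu has it).
set -e

# Constructed sample log, in the ISO timestamp format rsyslog writes on
# Ubuntu 24.04. 198.51.100.25 is a fast brute-forcer; 203.0.113.10 is the
# admin mistyping a passphrase every few minutes before getting in.
sample_log() {
    cat <<'EOF'
2024-01-10T12:00:01+00:00 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.25 port 51234 ssh2
2024-01-10T12:00:03+00:00 vps sshd[1202]: Failed password for root from 198.51.100.25 port 51240 ssh2
2024-01-10T12:00:05+00:00 vps sshd[1203]: Failed password for invalid user test from 198.51.100.25 port 51251 ssh2
2024-01-10T12:00:07+00:00 vps sshd[1204]: Failed password for root from 198.51.100.25 port 51260 ssh2
2024-01-10T12:00:08+00:00 vps sshd[1205]: Failed password for root from 198.51.100.25 port 51261 ssh2
2024-01-10T12:05:00+00:00 vps sshd[1301]: Failed password for deploy from 203.0.113.10 port 40001 ssh2
2024-01-10T12:09:00+00:00 vps sshd[1302]: Failed password for deploy from 203.0.113.10 port 40002 ssh2
2024-01-10T12:20:00+00:00 vps sshd[1303]: Failed password for deploy from 203.0.113.10 port 40003 ssh2
2024-01-10T12:31:00+00:00 vps sshd[1304]: Failed password for deploy from 203.0.113.10 port 40004 ssh2
2024-01-10T12:31:30+00:00 vps sshd[1401]: Accepted publickey for deploy from 203.0.113.10 port 40005 ssh2
EOF
}

# would_ban MAXRETRY FINDTIME_SECONDS [IGNOREIP ...] < log
# Prints each address that would be banned, once, in the order the ban fires.
would_ban() {
    local maxretry="$1" findtime="$2"
    shift 2
    local ignore=" $* "      # padded so " ip " matches whole addresses only
    # keep only failure lines and reduce each to "<epoch> <ip>"
    grep -E 'sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port' \
    | while read -r ts _ _ rest; do
        ip=${rest##* from }
        ip=${ip%% port*}
        printf '%s %s\n' "$(date -u -d "$ts" +%s)" "$ip"
      done \
    | awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignore="$ignore" '
        index(ignore, " " $2 " ") { next }   # ignoreip: never counted
        banned[$2]               { next }   # already banned: no double ban
        {
            n[$2]++; t[$2, n[$2]] = $1       # record this failure time
            c = 0
            for (i = 1; i <= n[$2]; i++)     # failures inside the sliding window
                if (t[$2, i] > $1 - findtime) c++
            if (c >= maxretry) { banned[$2] = 1; print $2 }
        }'
}

# Usage: sample_log | would_ban 4 600          (guide defaults: 4 in 10 minutes)
#        sample_log | would_ban 4 7200         (a 2-hour window also bans the admin)
#        sample_log | would_ban 4 7200 203.0.113.10   (ignoreip rescues the admin)
```

With the guide's values (maxretry 4, findtime 10m) only the brute-forcer is banned at its fourth failure; the admin's four slow mistakes never fall inside one 10-minute window. Stretch findtime to two hours and the admin is banned too, which is exactly the false-positive case above; listing the admin address as ignoreip restores the intended outcome without loosening the rule for everyone else.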
You locked yourself out
Log in through the provider's emergency console, lift the ban, then add your address to ignoreip and restart fail2ban so the change takes effect:
sudo fail2ban-client set sshd unbanip YOUR_IP
FAQ
Does Fail2Ban replace UFW?
No. UFW controls open ports and default network policy. Fail2Ban reacts to abusive behavior by banning source IPs dynamically. Use both.
What is a good Fail2Ban config for small production VPS?
A strong baseline: maxretry=4, findtime=10m, bantime=2h, and SSH keys only.
Can I permanently ban attackers?
Yes: bantime = -1 makes a ban permanent, and the stock recidive jail re-bans addresses that keep getting banned (it reads Fail2Ban's own log) for a much longer period, typically a week. Temporary bans are usually enough, though: permanent bans grow the firewall rule set forever and do nothing against an attacker who simply moves to another address. For persistent offenders, add static firewall block rules separately.
Does Fail2Ban impact performance?
Impact is usually minimal on normal VPS workloads. The security benefit is much larger than the resource cost.
Conclusion
Fail2Ban is one of the highest-value security controls you can enable on a VPS in under 15 minutes. Combined with SSH key auth, least-privilege firewall rules, and regular updates, it significantly reduces real-world attack surface.
Continue with UFW firewall hardening, then follow the full VPS security checklist for a complete production setup.