UnderHost

Fail2Ban: block brute force attacks on servers

Fail2Ban blocks IP addresses after repeated failed login attempts. Configure for SSH, FTP, and WordPress.

Fail2Ban monitors logs for repeated failed login attempts and automatically blocks the offending IP address. This mitigates brute force attacks on SSH, FTP, and web applications.

How it works

  1. Fail2Ban reads log files (auth.log, access.log, etc.)
  2. It detects repeated failed login attempts from the same IP
  3. Once the threshold is reached (default 5 attempts), it bans the IP for a set duration (default 10 mins)
  4. It releases the ban after the timeout or on admin action

Install Fail2Ban

apt-get install fail2ban
systemctl start fail2ban
systemctl enable fail2ban

Configure jails

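Edit /etc/fail2ban/jail.local. Fail2Ban treats # as a comment only at the start of a line (inline comments use ; after a space), so each comment sits on its own line:

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
# Ban after 5 failed attempts
maxretry = 5
# Within 10 minutes
findtime = 600
# Ban for 1 hour
bantime = 3600

[recidive]
enabled = true
# 1 day for repeat offenders
bantime = 86400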

Check banned IPs

fail2ban-client status sshd  # View banned IPs
fail2ban-client set sshd unbanip 192.168.1.1  # Unban specific IP

Don't ban yourself

Test carefully: if you configure Fail2Ban incorrectly, you could lock yourself out. Whitelist trusted IPs with the ignoreip option.
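
To see how maxretry, findtime, bantime and a whitelist interact before touching a live server, the following added example (not Fail2Ban's own code, and not from this article's author) models the counting rules from "How it works" with the [sshd] values above. The log lines, host name and documentation-range addresses are constructed, the regex is a simplified stand-in for the real sshd filter, and the `simulate` function and its `ignoreip` parameter are hypothetical names chosen to mirror the option.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAXRETRY, FINDTIME, BANTIME = 5, 600, 3600  # values from the [sshd] jail above

# Simplified pattern; fail2ban's own sshd filter matches many more message types.
FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def simulate(lines, ignoreip=(), year=2024):
    """Return [(ip, banned_at, released_at)] for sshd failures in `lines`."""
    trusted = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    release = {}                 # ip -> time the current ban ends
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        try:
            ip = ip_address(m.group(2))
        except ValueError:
            continue             # not an IP literal; skipped in this model
        if any(ip in net for net in trusted):
            continue             # whitelisted source is never counted
        if ip in release and ts < release[ip]:
            continue             # still banned
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()     # forget failures older than findtime
        if len(window) >= MAXRETRY:
            release[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((str(ip), ts, release[ip]))
            window.clear()
    return bans

def _line(hms, ip):  # builds one constructed auth.log line
    return f"Mar 14 {hms} host1 sshd[1234]: Failed password for root from {ip} port 40022 ssh2"

# Constructed sample: a fast guesser, a slow guesser, and a trusted admin address.
SAMPLE = sorted(
    [_line(f"10:00:{s:02d}", "203.0.113.7") for s in range(0, 50, 10)]
    + [_line(f"10:{m:02d}:00", "192.0.2.50") for m in range(0, 15, 3)]
    + [_line(f"10:05:{s:02d}", "198.51.100.10") for s in range(0, 60, 10)])
```

With `ignoreip=["198.51.100.0/24"]` only the fast guesser is banned; the slow guesser stays under the threshold because its first failure ages out of the 10-minute window, and without the whitelist the admin address is banned after its own mistyped passwords.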
