Protecting SSH from Brute Force on Debian and Ubuntu with Fail2Ban
Every public server with an open port 22 is subjected to hundreds of password guessing attempts daily. To secure your system, you must limit login attempts and automatically block attackers.
Today, the standard utility for this task is Fail2Ban, which has replaced legacy solutions like DenyHosts.
Installing Fail2Ban
On Debian and Ubuntu, installation is done with a single command:
sudo apt update && sudo apt install fail2ban
After installation, the service will start automatically with default settings.
Configuring SSH Protection
Editing the main jail.conf file directly is not recommended, because package upgrades can overwrite it. Instead, create a local copy of the settings; values in jail.local override those in jail.conf:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Find the [sshd] section and update it as follows:
[sshd]
enabled = True
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# Number of attempts before blocking
maxretry = 5
# Duration for which the IP is blocked (e.g., 1 hour)
bantime = 1h
# Interval within which attempts are counted
findtime = 10m
Save the file and restart the service:
sudo systemctl restart fail2ban
Useful Commands
How to check blocking status?
To see how many “hackers” have already been banned:
sudo fail2ban-client status sshd
How to unban your IP?
If you have mistakenly blocked yourself, run this from another IP address:
sudo fail2ban-client set sshd unbanip <your_IP_address>
The Golden Rule of Security
Blocking attempts is good, but SSH key-based authentication with password login completely disabled is far more secure.
Learn how to create a modern and secure SSH key in our next article.
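To see how the maxretry, findtime and bantime values from the [sshd] section interact, here is a simplified model of the ban decision run over sample log lines. It is an added example, not code from this article or from Fail2Ban itself; the log lines, host name, addresses, the year 2024 and the simplified "Failed password" pattern are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [sshd] section: maxretry = 5, findtime = 10m, bantime = 1h
MAXRETRY, FINDTIME, BANTIME = 5, timedelta(minutes=10), timedelta(hours=1)
# Simplified pattern for classic auth.log lines; Fail2Ban's own sshd filter covers more cases
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample log (addresses are from documentation ranges)
SAMPLE_LOG = """\
Mar 14 09:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 14 09:00:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar 14 09:00:09 web1 sshd[1207]: Failed password for alice from 198.51.100.23 port 51500 ssh2
Mar 14 09:00:12 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar 14 09:00:15 web1 sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Mar 14 09:00:19 web1 sshd[1213]: Failed password for root from 203.0.113.7 port 40140 ssh2
Mar 14 09:04:30 web1 sshd[1250]: Failed password for alice from 198.51.100.23 port 51544 ssh2
Mar 14 09:08:45 web1 sshd[1290]: Failed password for alice from 198.51.100.23 port 51570 ssh2
Mar 14 09:09:50 web1 sshd[1301]: Failed password for alice from 198.51.100.23 port 51581 ssh2
Mar 14 09:11:00 web1 sshd[1310]: Failed password for alice from 198.51.100.23 port 51590 ssh2
Mar 14 09:11:20 web1 sshd[1312]: Accepted password for alice from 198.51.100.23 port 51593 ssh2
""".splitlines()

def simulate(lines, year=2024):
    """Return (ip, banned_at, unbanned_at) tuples for a simplified ban model."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}              # ip -> time the ban expires
    bans = []
    for line in lines:
        if not (m := FAILED.match(line)):
            continue               # successful logins and other messages are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ts < banned_until.get(ip, datetime.min):
            continue               # still banned: the firewall rule would drop this
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()       # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans

for ip, start, end in simulate(SAMPLE_LOG):
    print(f"{ip} banned {start:%H:%M:%S}, unbanned {end:%H:%M:%S}")
```

The address with five failures in 18 seconds is banned for one hour, while the user who mistypes a password five times over almost 11 minutes stays below maxretry inside any 10-minute findtime window and is not banned.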