The moment your VPS gets a public IP, bots start scanning for open SSH ports and trying common username/password combinations. This is background noise on the internet; it never stops. Fail2ban watches your logs and automatically bans IPs after a configurable number of failed attempts.
Install Fail2ban
apt update && apt install -y fail2ban
It starts automatically after install. By default it watches SSH and bans IPs for 10 minutes after 5 failed attempts within 10 minutes.
Create a local config
Never edit /etc/fail2ban/jail.conf directly: it gets overwritten on updates. Create a local override instead:
nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
ignoreip = 127.0.0.1/8
[sshd]
enabled = true
port = YOUR_SSH_PORT
logpath = /var/log/auth.log
maxretry = 3
Change YOUR_SSH_PORT to your actual SSH port (your first assigned port on a NAT VPS).
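The two values you have to get right in that file are the SSH port and ignoreip, and a typo in either one is the usual way people lock themselves out. The script below is an added example (not part of the original guide) that renders the same jail.local body from a port and an admin address, refusing a non-numeric or out-of-range port and adding the admin address to ignoreip so your own login failures never trigger a ban. The function names (check_port, render_jail_local) and the 198.51.100.7 admin address are this example's own; the logpath line assumes rsyslog writes /var/log/auth.log (on journald-only systems you would add backend = systemd to the sshd section instead).

```shell
#!/bin/sh
# Added example, not the guide's own code: build jail.local from two
# inputs and reject obviously wrong values before fail2ban ever sees them.
# check_port, render_jail_local and the sample admin IP are hypothetical.

# Accept only a numeric TCP port in 1..65535.
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a jail.local body for the given SSH port and admin IP (or CIDR).
# The admin address goes into ignoreip so the one address you manage the
# box from can never be banned by your own mistyped passphrase.
render_jail_local() {
    port="$1"
    admin_ip="$2"
    check_port "$port" || { echo "invalid SSH port: $port" >&2; return 1; }
    cat <<EOF
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
ignoreip = 127.0.0.1/8 ${admin_ip}

[sshd]
enabled = true
port = ${port}
# Assumes rsyslog writes auth.log; on journald-only hosts use: backend = systemd
logpath = /var/log/auth.log
maxretry = 3
EOF
}

# Usage (constructed values): write the file, then test the config before restarting.
#   render_jail_local 2222 198.51.100.7 > /etc/fail2ban/jail.local && fail2ban-client -t
```

Running fail2ban-client -t after writing the file parses the configuration without starting the service, so a typo is reported before you restart and lose the old, working jail.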
Restart and check status
systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshd
The status sshd command shows the currently banned IPs and the total number of bans since Fail2ban started.
Useful commands
# Unban an IP (if you accidentally lock yourself out)
fail2ban-client set sshd unbanip 1.2.3.4
# Check the Fail2ban log
tail -f /var/log/fail2ban.log
# List all currently banned IPs
fail2ban-client banned
Protecting other services
Fail2ban works with any service that writes failed-auth events to a log. Common jails to enable:
- nginx-http-auth: bans IPs that fail HTTP basic auth
- nginx-botsearch: bans IPs scanning for common exploit paths
- recidive: bans repeat offenders for 1 week instead of 1 hour
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = iptables-allports
bantime = 1w
findtime = 1d
maxretry = 5
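The recidive jail works by reading /var/log/fail2ban.log, the same file the tail -f command above shows, and counting the "Ban" lines per IP. The script below is an added example (not part of the original guide or of Fail2ban itself) that does the same counting over a constructed sample of that log, so you can see which addresses would cross the maxretry = 5 threshold before enabling the jail. The sample lines and their addresses (RFC 5737 documentation ranges) are made up, and the function names (new_bans, ban_counts, repeat_offenders) are this example's own. Like the real recidive filter, it ignores bans issued by the recidive jail itself; it also skips "Restore Ban" lines, which are bans reloaded from Fail2ban's database after a restart rather than new attacks.

```shell
#!/bin/sh
# Added example, not the guide's own code: summarise Ban events from
# fail2ban.log per jail and per IP. The log below is constructed.

SAMPLE_LOG='2024-03-01 10:15:02,114 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2024-03-01 10:15:01
2024-03-01 10:15:02,310 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 11:15:03,002 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-01 11:40:19,771 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 12:02:44,105 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.23
2024-03-01 12:30:00,531 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 203.0.113.5
2024-03-01 13:00:01,009 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 192.0.2.9
2024-03-01 13:45:12,200 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 15:01:58,444 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 16:20:33,812 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 16:20:34,001 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.5'

# Emit "jail ip" for every new Ban line on stdin. Fields are whitespace
# separated: $5 is the level, $6 the jail in brackets, $7 the action, $8 the IP.
# "Restore Ban" lines and the recidive jail's own bans are skipped.
new_bans() {
    awk '$5 == "NOTICE" && $7 == "Ban" && $6 != "[recidive]" { print $6, $8 }'
}

# Print "jail ip count" for every IP banned at least once.
ban_counts() {
    new_bans | awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Print "ip count" for IPs banned (in any jail) at least THRESHOLD times;
# THRESHOLD defaults to 5, the recidive maxretry above. To mimic findtime = 1d,
# feed only the last day of the log, e.g. grep "^$(date +%F)" /var/log/fail2ban.log.
repeat_offenders() {
    threshold="${1:-5}"
    new_bans | awk -v t="$threshold" \
        '{ n[$2]++ } END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

# Demo on the constructed log (on a real host: cat /var/log/fail2ban.log | ban_counts).
printf '%s\n' "$SAMPLE_LOG" | ban_counts
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 5
```

On the sample, 203.0.113.5 collects five sshd bans plus one nginx-http-auth ban, so it is the only address repeat_offenders reports at the default threshold; 192.0.2.9 never appears because its only line is a restored ban.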
Do I still need this with SSH key auth?
If you've already switched to SSH key authentication and disabled password login, brute-force attempts will always fail regardless. Fail2ban is still useful to reduce log noise, block scanners from hammering other services, and prevent your server from showing up as a soft target in internet scanners. It takes five minutes to set up and runs silently in the background.