You installed fail2ban. Your SSH port is open to the internet. But is fail2ban actually catching attacks? Or is it sitting there, disabled?
Scary question. Here’s how to find out.
Quick Health Check
```
$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded
     Active: active (running)
```

OK, it’s running. But is it doing anything?

```
$ sudo fail2ban-client status
Status
|- Number of jail: 3
`- Jail list: sshd, recidive, syslog-auth
```

Good. Three jails are active, and one of them is sshd. Now the real question:
How Many IPs Are Banned?
```
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 1247
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 5
   |- Total banned: 247
   `- IP list: 192.168.1.100 203.0.113.50 198.51.100.44 ...
```

You’re banning people: 247 IPs have been blocked since the jail started, and 5 are banned right now.

If Currently banned: 0 and Total banned: 0, your jail isn’t catching anything. Read Total failed before you do anything else. If it is also 0, the filter has never matched a single log line: wrong logpath, wrong backend, or a log that sshd isn’t writing to. If it is non-zero but bans stay at 0, matching works and the problem is on the other side: nobody has reached maxretry within findtime, the source is in ignoreip, or the ban action itself is failing (fail2ban.log will show the error). Time to debug.
Check a Specific Jail
```
$ sudo fail2ban-client status sshd
```

Show the actual firewall rules fail2ban inserted. With the stock iptables ban actions each jail gets its own chain, named f2b-<jail>, so list that chain directly (grepping `iptables -L` for "fail2ban" finds nothing, because the chain name is f2b-sshd):

```
$ sudo iptables -L f2b-sshd -n
Chain f2b-sshd (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.100        0.0.0.0/0
DROP       all  --  203.0.113.50         0.0.0.0/0
```

These are the IPs that fail2ban blocked via iptables rules. The target is REJECT with the default blocktype and DROP if it was changed; either one keeps the source out. If the chain doesn’t exist, the jail is using a different ban action: `sudo fail2ban-client get sshd actions` shows which one, and with the nftables action the rules live in `sudo nft list table inet f2b-table` instead.
Check the Logs
fail2ban reads logs to find failed attempts. Verify it’s looking at the right file. The jail settings live in the [sshd] section of /etc/fail2ban/jail.local (or in a file under /etc/fail2ban/jail.d/); grepping for "filter" shows none of them, so print the section:

```
$ grep -A5 '^\[sshd\]' /etc/fail2ban/jail.local
[sshd]
enabled = true
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
```

That’s the config. logpath = /var/log/auth.log means it reads /var/log/auth.log for SSH failures. Whichever file set it, the running daemon is the authority on what actually applies:

```
$ sudo fail2ban-client get sshd logpath
Current monitored log file(s):
`- /var/log/auth.log
```

On systems without rsyslog (Debian 12 and newer, for example) /var/log/auth.log doesn’t exist at all and the sshd jail ships with backend = systemd, reading the journal instead; the jail status then shows Journal matches rather than File list, and a logpath you set by hand is ignored.
Check if that file exists and has content:

```
$ tail -20 /var/log/auth.log | grep -i failed
Apr  6 10:30:14 server sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 55555 ssh2
Apr  6 10:30:22 server sshd[12346]: Failed password for invalid user root from 203.0.113.50 port 55556 ssh2
```

Good. Login attempts are happening. fail2ban should be catching them. (If the file doesn’t exist, the same lines are in the journal: `sudo journalctl _COMM=sshd | grep -i 'failed password'`.)
Check fail2ban’s log:

```
$ tail -50 /var/log/fail2ban.log | grep Ban
2025-04-06 10:30:45,123 fail2ban.actions [12345]: NOTICE [sshd] Ban 192.168.1.100
2025-04-06 10:31:45,456 fail2ban.actions [12346]: NOTICE [sshd] Ban 203.0.113.50
```

If you see Ban lines, fail2ban is working. If you only see INFO lines saying Found <IP> with no Ban after them, the filter matches but that address never reached maxretry inside findtime; no Found lines at all means the filter isn’t matching your log.
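The following is an added shell example, not code from the original post: it counts sshd "Failed password" lines per source address from constructed auth.log lines and lists the addresses that have reached maxretry, so you can compare its answer with the Total failed counter and the Ban lines above. It deliberately ignores findtime and only recognises Failed password lines, whereas fail2ban’s sshd filter matches several more patterns, so treat it as a quick cross-check rather than a reimplementation.

```sh
#!/bin/sh
# Added example (not part of the original page): count sshd "Failed password"
# lines per source address and report the ones at or above maxretry.
# The log lines below are constructed for the demo; on a server run e.g.
#   sudo tail -n 1000 /var/log/auth.log | ssh_over_threshold 5
#   sudo journalctl _COMM=sshd --since -10min | ssh_over_threshold 5

# Failures per IP, most active first, printed as "<count> <ip>"
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address always follows the word "from", whether or not
            # the line says "invalid user"
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Addresses whose failure count reached maxretry ($1), one per line
ssh_over_threshold() {
    ssh_failures_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Constructed sample: 192.0.2.10 fails five times, 203.0.113.50 twice, and
# 198.51.100.44 logs in successfully (which must not be counted).
SAMPLE_AUTH_LOG='Apr  6 10:30:14 server sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 55555 ssh2
Apr  6 10:30:16 server sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 55555 ssh2
Apr  6 10:30:18 server sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 55555 ssh2
Apr  6 10:30:21 server sshd[12346]: Failed password for root from 203.0.113.50 port 55556 ssh2
Apr  6 10:30:25 server sshd[12347]: Failed password for invalid user oracle from 192.0.2.10 port 55557 ssh2
Apr  6 10:30:29 server sshd[12348]: Accepted publickey for deploy from 198.51.100.44 port 55558 ssh2: ED25519 SHA256:constructed
Apr  6 10:30:33 server sshd[12349]: Failed password for root from 203.0.113.50 port 55559 ssh2
Apr  6 10:30:40 server sshd[12350]: Failed password for invalid user test from 192.0.2.10 port 55560 ssh2'

printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failures_by_ip
echo "would be banned at maxretry=5:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_over_threshold 5
```

If an address this script reports never shows up as Found or Ban in fail2ban.log, the jail is not reading the file you just piped in.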
Manual Test: Trigger a Ban
Try to SSH with a wrong password, repeatedly. Two things the obvious version gets wrong: ssh reads the password from the terminal, not from stdin, so piping "wrongpassword" into it never submits anything; and a test from the server itself arrives from 127.0.0.1, which the default ignoreip exempts, so it can never be banned. Run this from another machine whose address is not in ignoreip, with sshpass (apt install sshpass) supplying the bad password:

```
# From another machine, not the server itself
for i in {1..10}; do
  sshpass -p wrongpassword ssh -o StrictHostKeyChecking=no \
      -o PubkeyAuthentication=no -o PreferredAuthentications=password \
      -o ConnectTimeout=5 user@target 2>/dev/null
done
```

Once the ban lands, the remaining attempts are refused or time out, which is the result you want. Check if you’re banned (from the server’s console, since the test machine is now locked out):

```
$ sudo fail2ban-client status sshd
...
`- IP list: YOUR_IP_HERE
```

If your IP appears, fail2ban is working.
Unban yourself:
```
$ sudo fail2ban-client set sshd unbanip YOUR_IP
```

Common Misconfiguration Issues
1. Jail Not Enabled
```
[sshd]
enabled = false   # ← OOPS
```

Check:

```
$ sudo fail2ban-client status
# sshd won't appear in the jail list
```

Fix: set enabled = true in the [sshd] section specifically. Don’t blindly replace every "enabled = false" in the file, because that switches on every jail defined there, including ones for services you don’t run:

```
sudo sed -i '/^\[sshd\]/,/^\[/ s/^enabled = false/enabled = true/' /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
```

Keep the load order in mind: jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, later files overriding earlier ones. Debian and Ubuntu enable the sshd jail in jail.d/defaults-debian.conf, so an enabled = false in jail.local overrides that and silently turns it back off.

2. Wrong Log Path
```
[sshd]
logpath = /var/log/secure   # ← Wrong on Ubuntu (uses /var/log/auth.log)
```

Check your distro:

```
# Debian/Ubuntu
/var/log/auth.log

# RHEL/CentOS/Fedora
/var/log/secure
```

The stock jail.conf already sets logpath = %(sshd_log)s, which resolves to the right file per distro through paths-debian.conf or paths-fedora.conf, so only override it if you know the file moved. If neither file exists because rsyslog isn’t installed, the fix is backend = systemd, not a different path.

3. maxretry Too High
```
[sshd]
maxretry = 50   # ← Attacker gets 50 tries before ban. That's a lot.
```

Recommended: 5-10 (the stock default is 5). maxretry only counts failures inside findtime, so with the values above 5 failures in 600 seconds get an address banned, while 5 failures spread over an hour don’t. Set it:

```
[sshd]
maxretry = 5
```

4. bantime Too Short
```
[sshd]
bantime = 60   # ← Banned for only 60 seconds. Useless.
```

Better:

```
[sshd]
bantime = 3600    # 1 hour
# or
bantime = 86400   # 1 day
```

fail2ban 0.11 and later can also lengthen the ban on every repeat offence with bantime.increment = true (capped by bantime.maxtime), which punishes persistent bots without locking out a legitimate user for a day over one typo.

Restart After Config Changes
Test the configuration first; a syntax error in jail.local otherwise takes the whole service down on restart, leaving every jail off:

```
sudo fail2ban-client -t
sudo systemctl restart fail2ban   # or: sudo fail2ban-client reload
```

Verify:

```
$ sudo fail2ban-client status sshd
```

Monitor In Real-Time
Watch bans happen as they occur:
```
$ sudo tail -f /var/log/fail2ban.log | grep Ban
2025-04-06 10:45:23,789 fail2ban.actions [9999]: NOTICE [sshd] Ban 192.0.2.50
2025-04-06 10:45:31,234 fail2ban.actions [9999]: NOTICE [sshd] Ban 198.51.100.66
```

Or check every 10 seconds:

```
watch -n 10 'sudo fail2ban-client status sshd'
```

Unban an IP (Legitimate User Locked Out)
```
$ sudo fail2ban-client set sshd unbanip 203.0.113.50
```

Check it’s gone:

```
$ sudo fail2ban-client status sshd | grep IP
`- IP list: 192.168.1.100 198.51.100.44
# 203.0.113.50 is gone
```

That unban is per jail. If the recidive jail has also banned the address, unban it there too, or clear it from every jail at once with `sudo fail2ban-client unban 203.0.113.50`.

Prevent Accidentally Banning Yourself
If you’re managing the server over SSH, add your IP to whitelist:
```
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 YOUR.HOME.IP.HERE

[sshd]
enabled = true
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600
```

Restart:

```
sudo systemctl restart fail2ban
```

Now your home IP never gets banned, no matter how many times you mistype your password. ignoreip under [DEFAULT] applies to every jail and takes space-separated addresses or CIDR ranges; keep it tight, because a whole ISP range also exempts every attacker inside it.
Advanced: Email Alerts on Ban
Configure the mail action:

```
[sshd]
action = %(action_mwl)s        # ban + mail with whois lookup and the matching log lines
destemail = admin@example.com
sendername = fail2ban
mta = sendmail                 # or "mail"; postfix and exim provide a sendmail-compatible binary
```

When someone gets banned, you get an email. That only works if the host can actually deliver mail, so test with `printf 'Subject: test\n\nhello\n' | sendmail admin@example.com` first. Expect one message per ban plus a started/stopped notice whenever the jail restarts; on a busy internet-facing host that is a lot of mail, and action_mw (no log lines) or plain action_ is the quieter choice.
Recidive Jail (Repeat Offenders)
If an IP gets banned multiple times, ban it for longer:

```
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
action = %(action_mwl)s
bantime = 604800    # 7 days
findtime = 604800
maxretry = 5
```

Now, if an IP is banned in sshd five times in a week, it gets a 7-day ban. The recidive jail reads fail2ban’s own log, so keep logpath pointing at it if you relocate the log, and note that by default it uses banaction_allports, so the repeat offender is blocked on every port, not just SSH.
Verify Your Rules Are Actually Working
Generate test attempts. Don’t do it against localhost: 127.0.0.1/8 and ::1 are in the default ignoreip, so fail2ban will count the failures (Total failed goes up) but, by design, never ban the address, and ssh does not take a password from stdin anyway. Run the sshpass loop from the Manual Test section from another host instead, then check the jail for that host’s address:

```
# Check ban
$ sudo fail2ban-client status sshd | grep "IP list"
```

If the testing host’s IP appears, filter and action both work. To check the filter on its own, with no second machine and without touching the ban state, run it over the real log:

```
$ sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
$ sudo fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf   # journal backend
```

The summary at the end reports how many lines matched and how many were missed; if every Failed password line is missed, the filter or the logpath is wrong.
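As an added example, not part of the original post, here is the manual test from the Manual Test section and this one as two small shell halves: trigger_failures runs on a second machine (it assumes sshpass is installed and uses `user@target` as a placeholder for your server), and wait_for_ban runs on the server, polling the jail until that machine’s address is listed, after which you unban it. ip_in_status is the part you can run anywhere; it is exercised at the bottom on constructed fail2ban-client status output.

```sh
#!/bin/sh
# Added example (not from the original page): an end-to-end ban test.
# trigger_failures runs on a SECOND machine whose address is not in ignoreip;
# the server itself is exempt (127.0.0.1/8) and would never show up as banned.
# Assumes sshpass is installed; host and user names are placeholders.

# Is address $2 listed in the "IP list:" line of `fail2ban-client status <jail>`
# output $1?  Compares whole tokens, so 192.0.2.1 does not match 192.0.2.10.
ip_in_status() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /IP list:/ { sub(/.*IP list:/, "")
                     for (i = 1; i <= NF; i++) if ($i == ip) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Attacking host: throw $3 (default 6) password failures at ssh on $1 as user $2.
# PubkeyAuthentication=no keeps your real key from logging you in instead.
trigger_failures() {
    n=${3:-6}; i=0
    while [ "$i" -lt "$n" ]; do
        sshpass -p wrongpassword ssh -o StrictHostKeyChecking=no \
            -o PubkeyAuthentication=no -o PreferredAuthentications=password \
            -o ConnectTimeout=5 "$2@$1" true 2>/dev/null || true
        i=$((i + 1))
    done
}

# Server (as root): poll jail $1 until address $2 appears in its IP list or
# $3 seconds (default 60) pass. Returns 0 on ban, 1 on timeout.
wait_for_ban() {
    deadline=$(( $(date +%s) + ${3:-60} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if ip_in_status "$(fail2ban-client status "$1" 2>/dev/null)" "$2"; then
            return 0
        fi
        sleep 5
    done
    return 1
}

# Usage:
#   attacker$ trigger_failures target user 6
#   server#  wait_for_ban sshd 203.0.113.7 60 && echo banned
#   server#  fail2ban-client set sshd unbanip 203.0.113.7

# Constructed `fail2ban-client status sshd` output for the offline demo
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 12
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 9
   `- IP list: 192.0.2.10 203.0.113.50'

ip_in_status "$SAMPLE_STATUS" 192.0.2.10 && echo "192.0.2.10 is banned in sshd"
ip_in_status "$SAMPLE_STATUS" 192.0.2.1 || echo "192.0.2.1 is not (prefix does not count)"
```

Run the two halves in that order; if wait_for_ban times out while Total failed has gone up, you are looking at the ignoreip, findtime or action problem rather than a filter problem.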
Summary: The Checklist
- Service running: `systemctl status fail2ban`
- Jails active: `fail2ban-client status`
- IPs banned: `fail2ban-client status sshd` (Total failed > 0 proves the filter matches; Total banned > 0 proves the action fires)
- Correct log path: check `/etc/fail2ban/jail.local`, or ask the daemon with `fail2ban-client get sshd logpath`
- maxretry sane (5-10): lower is stricter
- bantime sane (≥3600): higher is stronger
- No typos in config: `fail2ban-client -t` validates it, `fail2ban-client reload` applies it
- Test manually: failed logins from an address that is not in ignoreip should trigger a ban
If all boxes check, fail2ban is protecting you. If not, fix the config and test again.
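To run the checklist as one command, here is an added shell example that is not from the original post. It turns each item into a pass/fail check over captured command output, so the judging logic runs offline on the constructed outputs at the bottom, and f2b_checklist_live collects the real outputs on a server (run as root; it assumes the jail is named sshd and that `fail2ban-client get sshd bantime` prints seconds). The "filter matches" and "bans have happened" lines separate the two failure modes from the ban-count section: no matches means a log path or backend problem, matches without bans points at ignoreip, findtime or a failing action.

```sh
#!/bin/sh
# Added example (not from the original page): the checklist as pass/fail checks.
# Each check_* function judges captured command output, so it can be exercised
# offline on constructed text; f2b_checklist_live gathers the real outputs.

# Service running?  Input: output of `systemctl is-active fail2ban`
check_service() { [ "${1:-}" = "active" ]; }

# Jail listed?  Inputs: output of `fail2ban-client status`, jail name
check_jail_listed() {
    printf '%s\n' "$1" | awk -v jail="$2" '
        /Jail list:/ { sub(/.*Jail list:/, ""); gsub(/,/, " ")
                       for (i = 1; i <= NF; i++) if ($i == jail) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Pull one counter ("Total failed", "Total banned", ...) out of
# `fail2ban-client status <jail>` output
counter() { printf '%s\n' "$1" | sed -n "s/.*$2:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1; }

# Total failed = 0: the filter never matched a line (wrong logpath/backend)
check_filter_matching() { n=$(counter "$1" "Total failed"); [ "${n:-0}" -gt 0 ]; }
# Failures but Total banned = 0: nobody reached maxretry inside findtime,
# the source is in ignoreip, or the ban action is failing (see fail2ban.log)
check_bans_happened() { n=$(counter "$1" "Total banned"); [ "${n:-0}" -gt 0 ]; }

# Config parses?  Input: exit status of `fail2ban-client -t`
check_config() { [ "${1:-1}" -eq 0 ]; }
# Thresholds sane?  Inputs: `fail2ban-client get sshd maxretry` / `... bantime`
check_maxretry() { [ "${1:-0}" -ge 1 ] && [ "${1:-0}" -le 10 ]; }
check_bantime()  { [ "${1:-0}" -ge 3600 ]; }

report() {  # $1 = label, rest = check to run; sets RC=1 on failure
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; RC=1; fi
}

# $1 service state  $2 global status  $3 jail status  $4 config exit code
# $5 maxretry  $6 bantime  $7 jail name.  Returns 1 if any check failed.
f2b_checklist() {
    RC=0
    report "service running"                    check_service "$1"
    report "jail $7 listed"                     check_jail_listed "$2" "$7"
    report "filter matches log lines"           check_filter_matching "$3"
    report "bans have happened"                 check_bans_happened "$3"
    report "config parses (fail2ban-client -t)" check_config "$4"
    report "maxretry between 1 and 10"          check_maxretry "$5"
    report "bantime at least 3600s"             check_bantime "$6"
    return "$RC"
}

# On a server, as root: feed the real outputs to the checks
f2b_checklist_live() {
    if fail2ban-client -t >/dev/null 2>&1; then cfg=0; else cfg=1; fi
    f2b_checklist "$(systemctl is-active fail2ban)" "$(fail2ban-client status)" \
        "$(fail2ban-client status sshd)" "$cfg" \
        "$(fail2ban-client get sshd maxretry)" "$(fail2ban-client get sshd bantime)" sshd
}

# Constructed outputs for the offline demo: a healthy host except for a
# 60-second bantime, so exactly one line should read FAIL.
DEMO_STATUS='Status
|- Number of jail: 2
`- Jail list: recidive, sshd'
DEMO_JAIL='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 1247
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 5
   |- Total banned: 247
   `- IP list: 192.0.2.10 203.0.113.50'

f2b_checklist active "$DEMO_STATUS" "$DEMO_JAIL" 0 5 60 sshd || echo "-> fix the FAIL lines and re-run"
```

Drop it on the server and run `f2b_checklist_live` from a root shell after every config change; a non-zero exit means at least one box is unchecked.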
Your 2 AM self—the one who’s about to get paged for a compromised SSH account—will be grateful.