Copy · paste · reload
Fail2ban configs you can actually paste.
A library of ready-to-use jail.local blocks and filter rules for SSH, Nginx,
Apache, mail servers and WordPress — copy the block, reload Fail2ban, done. Every recipe says exactly
where each line goes and how to confirm it works.
15 recipes
- Basics Fail2ban bantime, findtime & maxretry Explained (with Examples) What the three core settings actually do, how they interact, and copy-paste values for lenient, normal and strict jails — plus exponential bans.
- Basics How to Set Up jail.local in Fail2ban (the Right Way) Why you edit jail.local (not jail.conf), a minimal working config, how to enable a jail, and how to reload. Copy-paste.
- Basics How to Switch Fail2ban to nftables (banaction) Use the nftables banaction instead of iptables on modern distros, set it globally, and verify the ban set. Copy-paste.
- Basics How to Test a Fail2ban Filter Before Enabling It (fail2ban-regex) Use fail2ban-regex to check a filter matches your real log lines — and counts the right IPs — before you enable the jail. Copy-paste.
- Basics How to Unban an IP in Fail2ban (and See Who's Banned) List banned IPs with fail2ban-client status and unban one — or all — without restarting the service. Copy-paste.
- Basics How to Whitelist Your IP in Fail2ban (ignoreip) Stop Fail2ban from banning your own IP, office subnet, or monitoring server using ignoreip — global or per-jail. Copy-paste.
- SSH How to Protect SSH with Fail2ban (sshd jail) A complete, copy-paste sshd jail for Fail2ban — strict retries, longer bans for repeat bots, and how to confirm it's working.
- SSH Fail2ban for SSH on systemd journald (no /var/log/auth.log) On Debian 12, Ubuntu 22.04+ and Fedora there's no auth.log — fix the sshd jail by reading the systemd journal with backend = systemd. Copy-paste.
- Nginx Block Bad Bots & 404 Scanners with Fail2ban (nginx-botsearch) Ban IPs that hammer your Nginx site probing for /wp-admin, /.env, phpMyAdmin and other missing paths, using the nginx-botsearch filter. Copy-paste.
- Nginx Fail2ban Jail for Nginx HTTP Basic Auth (nginx-http-auth) Ban IPs that brute-force an Nginx Basic Auth prompt using the built-in nginx-http-auth filter. Copy-paste jail.
- Nginx Rate-limit Abusers with Fail2ban + Nginx limit_req (nginx-limit-req) Combine Nginx's limit_req with the nginx-limit-req Fail2ban filter to ban IPs that keep tripping your rate limit. Copy-paste.
- Apache Fail2ban Jails for Apache: Auth & Bad Bots Copy-paste Apache jails for Fail2ban — ban Basic Auth brute force, bad bots, and noscript probes using the built-in apache-* filters.
- Mail Fail2ban for Postfix & Dovecot (stop SMTP/IMAP brute force) Copy-paste Fail2ban jails for a mail server — Postfix SMTP, Postfix SASL, and Dovecot IMAP/POP3 brute-force protection.
- Apps Fail2ban for WordPress Login & XML-RPC (custom filter) Ban IPs brute-forcing wp-login.php and xmlrpc.php. Two ways: a custom access-log filter, or the WP fail2ban plugin. Copy-paste.
- Advanced Fail2ban recidive: Ban Repeat Offenders for Much Longer The recidive jail watches fail2ban's own log and re-bans IPs that keep getting banned — for a week or more, on all ports. Copy-paste.
Why this exists
Fail2ban answers are scattered. The config you need isn't.
Search for a single jail — Nginx bad-bot blocking, a WordPress login filter, the right
banaction for nftables — and you land on a six-year-old blog post, a Reddit thread,
or a gist with no context. fail2ban-recipes.pages.dev collects the configs that
actually work into one place: each recipe is a focused, copy-paste answer to one real task, with
the exact file path, the reload command, and how to verify the jail is catching attempts.
How it works
Find the jail, paste it, reload
- Pick a recipe. Browse the cards above or the full recipe list, grouped by service.
- Copy the exact block. Every config block has a one-click copy button — no retyping, no guessing the directive names.
- Reload and verify. Each recipe ends with the
fail2ban-clientcommand to confirm the jail is active and banning.
FAQ
Frequently asked questions
Are these Fail2ban configs free?
Yes. Every recipe on fail2ban-recipes.pages.dev is free to read and copy, with no account, paywall, or sign-up. Some outbound links (for example to VPS or hosting providers) may be affiliate links, which never change the price you pay.
Where do I paste these configs?
Jail definitions go in /etc/fail2ban/jail.local (never edit jail.conf — it is overwritten on upgrade). Custom filters go in /etc/fail2ban/filter.d/<name>.conf. After any change, reload with "sudo fail2ban-client reload". The Basics recipes walk through this.
Will Fail2ban lock me out of my own server?
It can if you trip your own jail (e.g. a few failed SSH logins). Always whitelist your own IP with ignoreip before enabling jails, and keep a second console open. There is a dedicated recipe for whitelisting and for unbanning an IP.
My distro has no /var/log/auth.log — do these still work?
Yes. On systemd distros (Debian 12, Ubuntu 22.04+, Fedora, etc.) logs live in the journal, not /var/log/auth.log. Set backend = systemd on the jail — the "Fail2ban on systemd journald" recipe covers this exactly.
iptables or nftables?
Both work. Modern distros default to nftables; older ones use iptables. Each recipe notes the banaction to use, and there is a dedicated recipe for switching Fail2ban to the nftables banaction.
How do I know a jail is actually working?
Run "sudo fail2ban-client status" to list active jails and "sudo fail2ban-client status <jail>" to see banned IPs and matched lines. Before enabling, test your filter against a real log with fail2ban-regex — both are covered in the Basics recipes.