Three settings decide when and how long Fail2ban bans an IP:
maxretry — how many failures are allowed.
findtime — the window those failures must happen within.
bantime — how long the ban then lasts.
Read together: “ban an IP for bantime once it racks up maxretry failures within findtime.”
Example: 5 failures in 10 minutes → 1 hour ban
[DEFAULT]
findtime = 10m
maxretry = 5
bantime = 1h
Time units
You can use seconds or suffixes: m (minutes), h (hours), d (days), w (weeks). A bare
number means seconds. bantime = -1 bans permanently.
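An added example (not part of the original page and not Fail2ban's own code): a simplified sliding-window model of the rule above, for replaying one IP's failure timestamps against candidate settings. The function names and the sample timestamps are constructed for illustration, the parser handles only the suffixes listed here, and Fail2ban's internal failure accounting differs in detail.

```python
from collections import deque

# Suffixes as listed on this page; a bare number is seconds.
UNITS = {"m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value):
    """Convert '10m', '1h', '600' or '-1' to an integer number of seconds."""
    text = str(value).strip().lower()
    if text and text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)  # bare number = seconds; -1 = permanent ban


def first_ban(failure_times, findtime, maxretry, bantime):
    """Return (ban_start, ban_end) for one IP, or None if it is never banned.

    failure_times: sorted timestamps (seconds) of failed attempts from one IP.
    ban_end is None when bantime is -1 (permanent).
    Assumption: a plain sliding window, a simplification of Fail2ban's logic.
    """
    span = to_seconds(findtime)
    length = to_seconds(bantime)
    window = deque()
    for t in failure_times:
        window.append(t)
        # Forget failures that are findtime or more older than this one.
        while window and window[0] <= t - span:
            window.popleft()
        if len(window) >= maxretry:
            return (t, None if length < 0 else t + length)
    return None


# Constructed sample: 3 failures, a 11-minute pause, then 5 more one minute apart.
SAMPLE = [0, 120, 240, 900, 960, 1020, 1080, 1140]

# The three presets from this page: (findtime, maxretry, bantime).
PRESETS = {
    "lenient": ("10m", 8, "30m"),
    "normal": ("10m", 5, "1h"),
    "strict": ("10m", 3, "1d"),
}

if __name__ == "__main__":
    for name, (findtime, maxretry, bantime) in PRESETS.items():
        print(name, first_ban(SAMPLE, findtime, maxretry, bantime))
```

Replaying real timestamps from a shared or NAT'd address through the presets shows whether a given maxretry would have banned legitimate users before the setting goes live.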
Lenient / normal / strict presets
# Lenient (shared office IP, avoid false positives)
findtime = 10m
maxretry = 8
bantime = 30m
# Normal (good default)
findtime = 10m
maxretry = 5
bantime = 1h
# Strict (public SSH, lots of bots)
findtime = 10m
maxretry = 3
bantime = 1d
Make repeat offenders hurt: exponential bans
Instead of the same ban every time, grow it on each re-offense:
[DEFAULT]
bantime = 1h
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 5w
Now a repeat IP gets 1h, then 2h, 4h, 8h… capped at 5 weeks. (For a separate, longer “banned-many-times” jail, see the recidive recipe.)
Per-jail override: put these in [DEFAULT] for global defaults, or inside a specific jail
(e.g. [sshd]) to override just that one.