
How to Set Up jail.local in Fail2ban (the Right Way)


Fail2ban ships its defaults in /etc/fail2ban/jail.conf. Never edit that file: the package manager replaces it on every update and your changes vanish. All your changes belong in jail.local, which Fail2ban reads after jail.conf; any key you set there replaces the same key from jail.conf, and every key you leave alone keeps its packaged default.

1. Create jail.local

sudo nano /etc/fail2ban/jail.local

2. A minimal, safe starting config

This sets sane global defaults, whitelists your own networks, and enables the SSH jail:

[DEFAULT]
# Never ban these. Put YOUR admin IP or subnet here so you can't lock yourself out.
# 192.168.0.0/16 is a placeholder: keep the list narrow, because anything in it
# is never banned, even if it brute-forces you.
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16

# Count failures within 10 min; ban for 1 hour after 5 of them.
# The 10m / 1h suffixes need Fail2ban 0.10 or newer; older releases want plain seconds.
findtime = 10m
maxretry = 5
bantime  = 1h

# Longer ban each time an IP re-offends (needs Fail2ban 0.11 or newer)
bantime.increment = true

[sshd]
enabled = true

Only jails with enabled = true are active. You enable a jail in jail.local even though its filter, log path and port are defined in jail.conf. Two distro caveats: Debian and Ubuntu already enable sshd through /etc/fail2ban/jail.d/defaults-debian.conf, so the line above is redundant there but harmless; and on hosts without rsyslog (Debian 12 installs none by default) there may be no /var/log/auth.log at all, so if Fail2ban reports that it found no log file for sshd, add backend = systemd to the [sshd] section and the jail reads the journal instead.

3. Reload and verify

sudo fail2ban-client reload
sudo fail2ban-client status

You should see sshd under “Jail list”. If the reload fails, sudo fail2ban-client -t parses the whole configuration without applying it and reports what is wrong. Check a single jail:

sudo fail2ban-client status sshd

That prints the current and total failure counts, the current and total ban counts, and the list of IPs banned right now. If you do lock your own address out, sudo fail2ban-client set sshd unbanip ADDRESS releases it immediately.
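The override rules above are easy to get wrong when jail.d fragments are involved, and a typo in ignoreip is the usual way people lock themselves out. The script below is an added example, not Fail2ban's own code. Fail2ban's parser is built on Python's configparser, so the example reproduces only the documented read order (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local) with configparser, resolves the effective settings for sshd, and checks whether a given admin address is covered by ignoreip. The sample jail.conf and the jail.d/10-sshd.conf fragment are constructed stand-ins; the sample jail.local is the one from this page. It ignores %(...)s interpolation and hostnames in ignoreip.

```python
"""Emulate Fail2ban's layered jail-config loading and check ignoreip.
Added example, not Fail2ban's code: it mirrors only the documented read order
jail.conf -> jail.d/*.conf -> jail.local -> jail.d/*.local, no interpolation."""
import configparser
import glob
import ipaddress
import os
import tempfile

# Constructed stand-in for the packaged jail.conf (trimmed, not a distro copy).
SAMPLE_JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
logpath = /var/log/auth.log
enabled = false
"""

# The jail.local from this page.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16
findtime = 10m
maxretry = 5
bantime  = 1h
bantime.increment = true

[sshd]
enabled = true
"""

# Hypothetical jail.d fragment. It is read BEFORE jail.local, so jail.local's
# [sshd] enabled = true wins; but its [sshd] bantime is more specific than the
# [DEFAULT] bantime in jail.local, so sshd ends up with 5m, not 1h.
SAMPLE_JAIL_D_CONF = """\
[sshd]
enabled = false
bantime = 5m
"""


def jail_files(confdir):
    """Return the jail files that exist, in the order Fail2ban reads them."""
    order = [os.path.join(confdir, "jail.conf")]
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
    order.append(os.path.join(confdir, "jail.local"))
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    return [p for p in order if os.path.exists(p)]


def load_layered(confdir):
    """Read every jail file into one parser; later files override earlier keys."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(jail_files(confdir))  # read() applies the files in list order
    return cfg


def enabled_jails(cfg):
    """Jails whose effective 'enabled' is true ([DEFAULT] values fall through)."""
    return [s for s in cfg.sections() if cfg.getboolean(s, "enabled", fallback=False)]


def is_ignored(cfg, jail, ip):
    """True if ip lies inside any literal address/CIDR of the jail's ignoreip."""
    addr = ipaddress.ip_address(ip)
    for item in cfg.get(jail, "ignoreip", fallback="").split():
        net = ipaddress.ip_network(item, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def build_sample_confdir():
    """Write the constructed files into a temp dir laid out like /etc/fail2ban."""
    confdir = tempfile.mkdtemp(prefix="f2b-")
    os.makedirs(os.path.join(confdir, "jail.d"))
    for rel, body in (("jail.conf", SAMPLE_JAIL_CONF),
                      ("jail.local", SAMPLE_JAIL_LOCAL),
                      (os.path.join("jail.d", "10-sshd.conf"), SAMPLE_JAIL_D_CONF)):
        with open(os.path.join(confdir, rel), "w") as f:
            f.write(body)
    return confdir


def lockout_check(confdir, admin_ip):
    """Effective sshd settings plus whether admin_ip is protected by ignoreip."""
    cfg = load_layered(confdir)
    return {
        "enabled": enabled_jails(cfg),
        "default_bantime": cfg.defaults()["bantime"],
        "sshd_bantime": cfg.get("sshd", "bantime"),
        "sshd_maxretry": cfg.getint("sshd", "maxretry"),
        "admin_ignored": is_ignored(cfg, "sshd", admin_ip),
    }


if __name__ == "__main__":
    d = build_sample_confdir()
    # On a live box the address you are logged in from is in $SSH_CONNECTION.
    print(lockout_check(d, "192.168.1.50"))  # admin_ignored: True
    print(lockout_check(d, "203.0.113.7"))   # admin_ignored: False, you would be bannable
```

Point load_layered at the real /etc/fail2ban to run the same check against a live host. Two lessons fall out of the sample: a key in a specific [jail] section beats the same key in [DEFAULT] no matter which file it came from, and for the same section and key the later file in the read order wins, which is why jail.local reliably overrides jail.d/*.conf but not jail.d/*.local.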


Where things live: global + per-jail settings → /etc/fail2ban/jail.local; custom filters → /etc/fail2ban/filter.d/<name>.conf; actions → /etc/fail2ban/action.d/. Drop-in fragments can also go in /etc/fail2ban/jail.d/*.conf if you prefer one file per jail. Fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local; for the same section and key the later file wins, and a key set in a specific [jail] section always beats the same key in [DEFAULT], whichever file it came from.
