
How to Protect SSH with Fail2ban (sshd jail)


SSH is the most-attacked service on any public Linux box. The sshd filter is built in, so you just enable and tune the jail.

1. The jail

In /etc/fail2ban/jail.local:

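[DEFAULT]
# Replace 203.0.113.7 with your admin IP. Keep comments on their own line:
# fail2ban treats only ';' as an inline comment marker, so a trailing '#'
# comment would become part of the ignoreip value.
ignoreip = 127.0.0.1/8 ::1 203.0.113.7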

[sshd]
enabled  = true
port     = ssh
filter   = sshd
maxretry = 3
findtime = 10m
bantime  = 1h
bantime.increment = true

Set port to your real SSH port if you moved it off 22, e.g. port = 2222.

2. Reload

sudo fail2ban-client reload

3. Confirm it’s active

sudo fail2ban-client status sshd

You’ll see total failures and the current Banned IP list. On a public server it usually starts banning within minutes.
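
The model below is an added example, not fail2ban's code or part of the original recipe: it replays constructed auth.log lines through the jail's maxretry, findtime and ignoreip values to show which address ends up banned and which ones do not. The regex is a simplified stand-in for the built-in sshd filter, the log lines and addresses are made up, and bantime.increment is not modelled.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values copied from the jail above.
IGNOREIP = ["127.0.0.1/8", "::1", "203.0.113.7"]
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=10), timedelta(hours=1)

# Assumption: simplified stand-in for the sshd filter (password failures only).
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")
# Constructed sample log: ISO timestamps, documentation-range addresses.
SAMPLE_LOG = """\
2024-05-01T03:00:00+00:00 web1 sshd[811]: Failed password for root from 198.51.100.23 port 40110 ssh2
2024-05-01T03:00:05+00:00 web1 sshd[812]: Failed password for invalid user admin from 192.0.2.50 port 51800 ssh2
2024-05-01T03:01:00+00:00 web1 sshd[813]: Failed password for ops from 203.0.113.7 port 60001 ssh2
2024-05-01T03:01:10+00:00 web1 sshd[814]: Failed password for ops from 203.0.113.7 port 60002 ssh2
2024-05-01T03:01:20+00:00 web1 sshd[815]: Failed password for ops from 203.0.113.7 port 60003 ssh2
2024-05-01T03:02:10+00:00 web1 sshd[816]: Failed password for root from 198.51.100.23 port 40112 ssh2
2024-05-01T03:04:30+00:00 web1 sshd[817]: Failed password for root from 198.51.100.23 port 40114 ssh2
2024-05-01T03:08:00+00:00 web1 sshd[818]: Failed password for invalid user admin from 192.0.2.50 port 51802 ssh2
2024-05-01T03:15:00+00:00 web1 sshd[819]: Failed password for invalid user admin from 192.0.2.50 port 51804 ssh2
"""

def simulate(log_text):
    """Return [(ip, ban_time)] for each ban the jail settings would trigger."""
    ignored = [ipaddress.ip_network(e, strict=False) for e in IGNOREIP]
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m.group(1))
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in ignored):
            continue  # ignoreip: never counted, never banned
        if banned_until.get(ip, when) > when:
            continue  # already banned at this point
        window = recent[ip]
        window.append(when)
        while when - window[0] > FINDTIME:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= MAXRETRY:
            banned_until[ip] = when + BANTIME
            bans.append((str(ip), when.isoformat()))
    return bans

print(simulate(SAMPLE_LOG))
```

Only 198.51.100.23 is banned: 203.0.113.7 is covered by ignoreip, and 192.0.2.50 spaces its attempts so that no three fall inside one findtime window.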

4. Catch more with aggressive mode (optional)

To also catch “no matching key”, bad protocol, and connection-drop probes, set mode in the existing [sshd] section:

[sshd]
enabled = true
mode    = aggressive

Aggressive mode bans more bots but slightly raises the chance of catching a misconfigured legit client. Keep ignoreip accurate if you use it.


No /var/log/auth.log? On Debian 12 / Ubuntu 22.04+ SSH logs go to the systemd journal — set backend = systemd. See the dedicated systemd-journald recipe.
