Install fail2ban on Ubuntu 24.04: Stop Brute-Force Attacks

Maya Santos, Infrastructure Security Engineer
Updated Apr 4, 2026

Prerequisites

  • A Raff VM running Ubuntu 24.04 with at least 1 vCPU and 1 GB RAM (CPU-Optimized Tier 1 or higher)
  • SSH access with key authentication
  • A non-root user with sudo privileges
  • UFW firewall configured

Introduction

Every server with a public IP address is under constant attack. Automated bots scan the internet around the clock, attempting thousands of SSH login combinations per hour against every reachable server. Even with SSH key authentication and UFW rate limiting in place, these bots consume resources, fill your logs with noise, and probe for any misconfiguration they can exploit.

fail2ban solves this by monitoring your log files in real time, detecting repeated failed authentication attempts, and automatically banning the offending IP address using your existing firewall. A banned IP is completely blocked from reaching your server for a configurable duration — ten minutes, one hour, or permanently. The bot moves on to an easier target, and your logs stay clean.

In this tutorial, you will install fail2ban on your Raff Ubuntu 24.04 VM, configure the SSH jail to ban brute-force attackers, whitelist your own IP address to prevent accidental lockout, customize ban duration and retry thresholds, set up email notifications for ban events, and verify that fail2ban is actively protecting your server. On our own Raff infrastructure, we see an average of 500-800 failed SSH attempts per day per public IP — fail2ban blocks the vast majority of those within seconds of detection.

Step 1 — Install fail2ban

fail2ban is available in Ubuntu 24.04's default repository. Install it:

sudo apt update
sudo apt install -y fail2ban

fail2ban starts automatically after installation. Verify the service is running:

sudo systemctl status fail2ban

You should see active (running) in the output. Check the installed version:

fail2ban-client --version

Expected output:

Fail2Ban v1.0.2

Note

fail2ban ships with a default configuration that provides basic SSH protection out of the box. However, the defaults use iptables directly. In the next steps, you will create a local override that integrates with UFW and tunes the ban parameters for your environment.

Step 2 — Create a Local Configuration File

fail2ban uses two configuration layers: /etc/fail2ban/jail.conf (the default) and /etc/fail2ban/jail.local (your overrides). Never edit jail.conf directly — package updates will overwrite your changes. All customizations go in jail.local.

Create the local configuration file:

sudo nano /etc/fail2ban/jail.local

Add the following base configuration:

[DEFAULT]
# Ban duration: 1 hour (3600 seconds)
bantime = 1h

# Detection window: 10 minutes
findtime = 10m

# Max retries before ban
maxretry = 5

# Whitelist your own IP (replace with your actual IP)
ignoreip = 127.0.0.1/8 ::1 your_local_ip

# Use UFW for banning (Ubuntu default firewall)
banaction = ufw
banaction_allports = ufw

# Email notifications (optional; uncomment to enable, requires a working MTA on the server)
# destemail = your_email@example.com
# sender = fail2ban@your_domain
# action = %(action_mwl)s

Key settings explained:

  • bantime = 1h — Banned IPs are blocked for one hour. After the ban expires, the IP can attempt again. Set to 24h or -1 (permanent) for stricter enforcement.
  • findtime = 10m — fail2ban looks at the last 10 minutes of log entries. If an IP reaches maxretry failures within this window, it gets banned.
  • maxretry = 5 — Five failed attempts within the findtime window trigger a ban. This is generous enough to avoid locking out legitimate users who mistype a password.
  • ignoreip — IP addresses that are never banned. Always add your own public IP here to prevent accidental lockout. Separate multiple IPs with spaces.
  • banaction = ufw — Tells fail2ban to use UFW commands instead of raw iptables. This keeps your firewall rules consistent with your existing UFW setup.

Save and close the file.

Step 3 — Enable and Configure the SSH Jail

A "jail" in fail2ban is a set of rules that monitors a specific service. The SSH jail watches /var/log/auth.log for failed login attempts and bans offending IPs.

Open your local configuration file:

sudo nano /etc/fail2ban/jail.local

Add the SSH jail configuration below the [DEFAULT] section:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 2h
findtime = 10m

This jail overrides some of the defaults for SSH specifically:

  • maxretry = 3 — Stricter than the default 5. SSH brute-force bots rarely send fewer than 10 attempts, so 3 catches them early while giving legitimate users room for a couple of typos.
  • bantime = 2h — Two-hour ban for SSH attackers, longer than the default 1 hour.
  • logpath = /var/log/auth.log — The log file fail2ban monitors for SSH authentication events on Ubuntu.

If you have changed your SSH port from the default 22, update the port directive in the [sshd] section to match:

port = 2222

Save and close the file. Restart fail2ban to apply the configuration:

sudo systemctl restart fail2ban

Step 4 — Verify fail2ban Is Working

Check the status of all active jails:

sudo fail2ban-client status

Expected output:

Status
|- Number of jail:      1
`- Jail list:   sshd

Check the SSH jail specifically:

sudo fail2ban-client status sshd

Expected output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

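On a fresh server, all counters will be zero. The Journal matches line appears when the jail reads sshd events from the systemd journal; when it reads the file set in logpath, the Filter section shows File list: /var/log/auth.log instead, so this line tells you which source the jail is actually using. Within minutes of being online, you will start seeing failed attempts and bans accumulate. Check the fail2ban log for recent activity: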

sudo tail -20 /var/log/fail2ban.log

You will see lines like:

INFO    [sshd] Found 203.0.113.50 - 2026-04-04 10:15:23
INFO    [sshd] Ban 203.0.113.50

The Found line means fail2ban detected a failed attempt. The Ban line means the IP reached maxretry within findtime and has been blocked.

To verify the ban is applied in UFW:

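sudo ufw status | grep -iE 'reject|deny'

You should see banned IPs listed as UFW REJECT rules (reject is the default blocktype of fail2ban's ufw action), or as DENY rules if you have set blocktype to deny.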

Step 5 — Configure Incremental Ban Times (Optional)

Repeat offenders — IPs that get banned, wait for the ban to expire, and attack again — deserve longer bans. fail2ban supports incremental ban times using the bantime.increment feature.

Open your local configuration:

sudo nano /etc/fail2ban/jail.local

Add these lines inside the [DEFAULT] section:

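# Incremental banning
bantime.increment = true
# Factor 1 with the default bantime.formula doubles the ban on each repeat offence
bantime.factor = 1
bantime.maxtime = 4w

With these settings, the first ban is 2 hours (from the sshd jail), the second ban for the same IP is 4 hours, the third is 8 hours, and so on, doubling each time up to a maximum of 4 weeks. The doubling comes from fail2ban's default bantime.formula; bantime.factor is an extra multiplier applied on top of it, so a factor of 2 would make each repeat ban twice as long as listed here. This is far more effective than a flat ban time because persistent attackers get exponentially longer bans.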

Restart fail2ban:

sudo systemctl restart fail2ban

Step 6 — Manage Bans Manually

Sometimes you need to manually ban or unban an IP address.

Ban an IP immediately:

sudo fail2ban-client set sshd banip 203.0.113.50

Unban an IP:

sudo fail2ban-client set sshd unbanip 203.0.113.50

List all currently banned IPs in the SSH jail:

sudo fail2ban-client status sshd

Check how many total bans have occurred since fail2ban started:

sudo fail2ban-client status sshd | grep "Total banned"

If you need to unban all IPs at once (for example, after a misconfiguration):

sudo fail2ban-client unban --all

Tip

If you accidentally banned yourself, connect through the Raff web console in your dashboard (it bypasses SSH entirely) and run the unban command from there.

Step 7 — Monitor fail2ban Over Time

Check your ban statistics regularly to understand the threat level against your server:

sudo fail2ban-client status sshd

For a quick summary of recent bans from the log:

sudo grep "Ban " /var/log/fail2ban.log | tail -20

Count total unique IPs banned today:

sudo grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d)" | awk '{print $NF}' | sort -u | wc -l
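
Matching on "Ban " alone also picks up Restore Ban lines (written when fail2ban re-applies bans after a restart) and Increase Ban lines (written once bantime.increment is enabled), which inflates the count. The script below is an added example, not part of the original tutorial: it counts only fresh bans per IP for one date. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count fresh bans per IP for one day from fail2ban.log.
# On a server: sudo cat /var/log/fail2ban.log | new_bans "$(date +%F)"

# Constructed sample lines modelled on fail2ban.log entries (not real data).
SAMPLE_LOG='2026-04-03 23:59:01,777 fail2ban.actions  [811]: NOTICE [sshd] Ban 192.0.2.99
2026-04-04 10:15:20,101 fail2ban.filter   [811]: INFO   [sshd] Found 203.0.113.50 - 2026-04-04 10:15:20
2026-04-04 10:15:23,417 fail2ban.actions  [811]: NOTICE [sshd] Ban 203.0.113.50
2026-04-04 11:02:09,530 fail2ban.actions  [811]: NOTICE [sshd] Ban 198.51.100.7
2026-04-04 12:15:23,902 fail2ban.actions  [811]: NOTICE [sshd] Unban 203.0.113.50
2026-04-04 13:40:11,008 fail2ban.observer [811]: NOTICE [sshd] Increase Ban 203.0.113.50 (2 # 4:00:00 -> 2026-04-04 17:40:11)
2026-04-04 13:40:11,120 fail2ban.actions  [811]: NOTICE [sshd] Ban 203.0.113.50
2026-04-04 14:00:02,300 fail2ban.actions  [902]: NOTICE [sshd] Restore Ban 203.0.113.50'

# new_bans DATE [JAIL]: read log lines on stdin and print "count ip" for
# fresh bans on DATE (YYYY-MM-DD), most-banned first. JAIL defaults to sshd.
new_bans() {
  awk -v day="$1" -v jail="${2:-sshd}" '
    # A fresh ban is "[jail] Ban <ip>" at the end of the line. This skips
    # Found, Unban, "Restore Ban" and "Increase Ban" entries.
    $1 == day && $0 ~ ("\\[" jail "\\] Ban [^ ]+$") { count[$NF]++ }
    END { for (ip in count) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# unique_bans DATE [JAIL]: number of distinct IPs freshly banned on DATE.
unique_bans() {
  new_bans "$@" | wc -l | tr -d ' '
}

# naive_unique DATE: the tutorial's one-liner applied to stdin, for comparison.
naive_unique() {
  grep "Ban " | grep "$1" | awk '{print $NF}' | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | new_bans 2026-04-04
echo "unique IPs banned: $(printf '%s\n' "$SAMPLE_LOG" | unique_bans 2026-04-04)"
echo "one-liner count:   $(printf '%s\n' "$SAMPLE_LOG" | naive_unique 2026-04-04)"
```

An IP with a count above 1 was banned again after its earlier ban expired, which is the repeat-offender pattern that incremental ban times target.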

If you are running Uptime Kuma for monitoring, you can add fail2ban as a service check by monitoring the systemd service status.

Here are the key files and commands for ongoing management:

  • /etc/fail2ban/jail.local — Your custom configuration (all changes go here)
  • /etc/fail2ban/jail.conf — Default configuration (never edit)
  • /var/log/fail2ban.log — fail2ban activity log
  • /var/log/auth.log — SSH authentication log (what fail2ban monitors)
  • sudo fail2ban-client status — Show all active jails
  • sudo fail2ban-client status sshd — Show SSH jail statistics

Conclusion

You have installed fail2ban on your Raff Ubuntu 24.04 VM, configured an SSH jail with strict retry limits, whitelisted your own IP, set up incremental ban times for repeat offenders, and learned how to manage bans manually. Your server now automatically blocks brute-force attacks within seconds of detection.

This completes a strong security stack on your Raff VM:

  • SSH key authentication — eliminates password-based attacks entirely
  • UFW firewall — blocks all ports except the ones you explicitly allow
  • Server hardening — disables root login, configures automatic updates
  • fail2ban — automatically bans IPs that attempt brute-force attacks

Combined with Raff's built-in DDoS protection, this layered approach ensures your server is protected from the most common attack vectors. On our infrastructure, we typically see ban counts drop by 90% within the first week as persistent bot networks learn to skip servers that actively ban them.

This tutorial was tested and verified by our security engineering team on a Raff CPU-Optimized Tier 2 VM.
