How to Install Fail2Ban on Ubuntu 26.04

Firewall

By Jennifer Webb

Updated on Jul 09, 2026

How to Install Fail2Ban on Ubuntu 26.04

How to Install Fail2Ban on Ubuntu 26.04

If your Ubuntu server is connected to the internet, failed SSH login attempts are almost guaranteed. Automated bots constantly scan public IP addresses and try common usernames, passwords, and login patterns.

Fail2Ban helps reduce this noise by watching system logs for repeated failed login attempts. When an IP address crosses the configured limit, Fail2Ban temporarily blocks it.

In this tutorial, you will install Fail2Ban on Ubuntu 26.04, enable SSH protection, configure sensible ban rules, and verify that everything is working correctly.

Prerequisites

Before you begin, make sure you have:

  • A server running Ubuntu 26.04 dedicated server

  • A user account with sudo privileges

  • SSH access to the server

If you are already logged in as the root user, you can remove sudo from the commands.

Step 1: Update the Package List

Start by refreshing the local package index:

sudo apt update

This makes sure Ubuntu has the latest package information from the configured repositories.

You can also install available package upgrades:

sudo apt upgrade -y

The upgrade step is optional, but keeping an internet facing server patched is generally a good idea.

Step 2: Install Fail2Ban

Install Fail2Ban using APT:

sudo apt install fail2ban -y

Once the installation finishes, check the installed version:

fail2ban-client --version

You should see output similar to:

Fail2Ban v1.x.x

The exact version may be different depending on the package currently available in the Ubuntu 26.04 repositories.

Step 3: Start and Enable Fail2Ban

Start the Fail2Ban service:

sudo systemctl start fail2ban

Now enable it so it starts automatically after a server reboot:

sudo systemctl enable fail2ban

You can do both operations with one command if you prefer:

sudo systemctl enable --now fail2ban

Check the service status:

sudo systemctl status fail2ban

If everything is working correctly, you should see:

Active: active (running)

Press q to exit the status screen.

Step 4: Create a Local Fail2Ban Configuration

Fail2Ban includes default configuration files under:

/etc/fail2ban/

You should avoid editing jail.conf directly because package updates may replace or modify default files.

Instead, create a small local configuration file:

sudo nano /etc/fail2ban/jail.local

Add the following configuration:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
backend = systemd

Save the file and exit Nano:

Ctrl + O
Enter
Ctrl + X

Here is what these settings mean.

bantime = 1h

An offending IP address is blocked for one hour.

findtime = 10m

Fail2Ban counts failed attempts within a ten minute window.

maxretry = 5

An IP address can fail five times before it is banned.

enabled = true

This activates the SSH jail.

backend = systemd

This tells Fail2Ban to read SSH related events through the systemd journal.

These values are a reasonable starting point for many public Ubuntu servers. You can make them stricter later if your server receives heavy brute force traffic.

Step 5: Test the Configuration

Before restarting Fail2Ban, check the configuration for errors:

sudo fail2ban-client -t

If the configuration is valid, you should see:

OK: configuration test is successful

Do not skip this step after editing Fail2Ban configuration files. A missing section name or simple typing mistake can prevent the service from starting correctly.

Step 6: Restart Fail2Ban

Apply the new configuration:

sudo systemctl restart fail2ban

Check that the service is still running:

sudo systemctl status fail2ban

You can also verify communication with the Fail2Ban server:

sudo fail2ban-client ping

A working installation should return:

Server replied: pong

Step 7: Check Active Fail2Ban Jails

Run:

sudo fail2ban-client status

You should see the SSH jail in the output:

Status
|- Number of jail: 1
`- Jail list: sshd

Now check detailed information for the SSH jail:

sudo fail2ban-client status sshd

The output shows information such as:

  • Currently failed login attempts

  • Total failed attempts

  • Currently banned IP addresses

  • Total banned IP addresses

  • Banned IP list

A typical result looks similar to:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  `- Total failed: 0
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

If the banned count is zero, that does not mean Fail2Ban is broken. It simply means no IP address has crossed your configured limit yet.

Step 8: Check Fail2Ban Logs

To view recent Fail2Ban service logs, run:

sudo journalctl -u fail2ban

For recent entries only:

sudo journalctl -u fail2ban -n 50

To watch new log entries in real time:

sudo journalctl -u fail2ban -f

Press Ctrl + C to stop following the logs.

Depending on the package configuration, you may also have a Fail2Ban log file at:

/var/log/fail2ban.log

You can check it with:

sudo tail -f /var/log/fail2ban.log

Step 9: Manually Ban an IP Address

You can manually ban an IP address inside the SSH jail:

sudo fail2ban-client set sshd banip 203.0.113.10

Replace 203.0.113.10 with the actual IP address you want to block.

Check the jail again:

sudo fail2ban-client status sshd

The IP address should appear in the banned IP list.

Be careful here. Do not ban the public IP address you are currently using for SSH access unless locking yourself out.

Step 10: Unban an IP Address

To remove an IP address from the SSH jail:

sudo fail2ban-client set sshd unbanip 203.0.113.10

Then verify the jail status:

sudo fail2ban-client status sshd

The IP should no longer appear in the banned list.

Optional: Add Trusted IP Addresses

If you have a fixed office IP address, VPN address, or trusted management network, you can tell Fail2Ban not to ban it.

Open the configuration:

sudo nano /etc/fail2ban/jail.local

Update the [DEFAULT] section:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.0.2.10
bantime = 1h
findtime = 10m
maxretry = 5

Replace 192.0.2.10 with your real trusted public IP address.

You can also add a trusted subnet:

ignoreip = 127.0.0.1/8 ::1 192.0.2.10 10.10.0.0/24

Test the configuration:

sudo fail2ban-client -t

Then restart Fail2Ban:

sudo systemctl restart fail2ban

Only add IP addresses you genuinely trust. Adding large public ranges defeats the point of running Fail2Ban.

Optional: Use a Separate SSH Jail File

If you prefer keeping service specific configuration separate, create:

sudo nano /etc/fail2ban/jail.d/sshd.local

Add:

[sshd]
enabled = true
port = ssh
backend = systemd
bantime = 1h
findtime = 10m
maxretry = 5

Test the configuration:

sudo fail2ban-client -t

Then restart Fail2Ban:

sudo systemctl restart fail2ban

This approach is useful when you later add separate protection for services such as Nginx, Apache, Postfix, or other applications.

Troubleshooting Fail2Ban on Ubuntu 26.04

Fail2Ban Service Does Not Start

Check the service status:

sudo systemctl status fail2ban

Then inspect recent logs:

sudo journalctl -u fail2ban -n 100 --no-pager

Configuration errors are a common cause.

Run:

sudo fail2ban-client -t

Fix any reported errors and restart the service:

sudo systemctl restart fail2ban

SSH Jail Does Not Appear

Check active jails:

sudo fail2ban-client status

If sshd is missing, confirm that your configuration contains:

[sshd]
enabled = true
port = ssh
backend = systemd

Then test and restart:

sudo fail2ban-client -t
sudo systemctl restart fail2ban

Check again:

sudo fail2ban-client status

Fail2Ban Shows No Banned IP Addresses

First inspect the SSH jail:

sudo fail2ban-client status sshd

Then check whether SSH authentication failures are actually appearing in the system journal:

sudo journalctl -u ssh --since "30 minutes ago"

On some systems, checking the SSH daemon unit directly may also be useful:

sudo journalctl -u sshd --since "30 minutes ago"

If authentication failures are being logged but Fail2Ban is not detecting them, inspect its own logs:

sudo journalctl -u fail2ban -n 100 --no-pager

Final Thoughts

In this tutorial, we have learned how to install Fail2Ban on Ubuntu 26.04.

Fail2Ban is one of the simplest ways to reduce repeated brute force attempts against a public Ubuntu server. Once installed, it can watch authentication failures and temporarily block IP addresses that repeatedly cross your configured limits.

For a basic Ubuntu 26.04 server, enabling the sshd jail is a practical starting point. You can later add protection for Nginx, Apache, mail services, and other applications that generate useful authentication or access logs.

Fail2Ban should still be treated as one layer of server security, not the entire security plan. Use SSH keys, disable unnecessary services, keep Ubuntu updated, configure a firewall, and review logs regularly.