How to Install Fail2Ban on Ubuntu 26.04
If your Ubuntu server is connected to the internet, failed SSH login attempts are almost guaranteed. Automated bots constantly scan public IP addresses and try common usernames, passwords, and login patterns.
Fail2Ban helps reduce this noise by watching system logs for repeated failed login attempts. When an IP address crosses the configured limit, Fail2Ban temporarily blocks it.
In this tutorial, you will install Fail2Ban on Ubuntu 26.04, enable SSH protection, configure sensible ban rules, and verify that everything is working correctly.
Prerequisites
Before you begin, make sure you have:
-
A server running Ubuntu 26.04 dedicated server
-
A user account with sudo privileges
-
SSH access to the server
If you are already logged in as the root user, you can remove sudo from the commands.
Step 1: Update the Package List
Start by refreshing the local package index:
sudo apt update
This makes sure Ubuntu has the latest package information from the configured repositories.
You can also install available package upgrades:
sudo apt upgrade -y
The upgrade step is optional, but keeping an internet facing server patched is generally a good idea.
Step 2: Install Fail2Ban
Install Fail2Ban using APT:
sudo apt install fail2ban -y
Once the installation finishes, check the installed version:
fail2ban-client --version
You should see output similar to:
Fail2Ban v1.x.x
The exact version may be different depending on the package currently available in the Ubuntu 26.04 repositories.
Step 3: Start and Enable Fail2Ban
Start the Fail2Ban service:
sudo systemctl start fail2ban
Now enable it so it starts automatically after a server reboot:
sudo systemctl enable fail2ban
You can do both operations with one command if you prefer:
sudo systemctl enable --now fail2ban
Check the service status:
sudo systemctl status fail2ban
If everything is working correctly, you should see:
Active: active (running)
Press q to exit the status screen.
Step 4: Create a Local Fail2Ban Configuration
Fail2Ban includes default configuration files under:
/etc/fail2ban/
You should avoid editing jail.conf directly because package updates may replace or modify default files.
Instead, create a small local configuration file:
sudo nano /etc/fail2ban/jail.local
Add the following configuration:
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
[sshd]
enabled = true
port = ssh
backend = systemd
Save the file and exit Nano:
Ctrl + O
Enter
Ctrl + X
Here is what these settings mean.
bantime = 1h
An offending IP address is blocked for one hour.
findtime = 10m
Fail2Ban counts failed attempts within a ten minute window.
maxretry = 5
An IP address can fail five times before it is banned.
enabled = true
This activates the SSH jail.
backend = systemd
This tells Fail2Ban to read SSH related events through the systemd journal.
These values are a reasonable starting point for many public Ubuntu servers. You can make them stricter later if your server receives heavy brute force traffic.
Step 5: Test the Configuration
Before restarting Fail2Ban, check the configuration for errors:
sudo fail2ban-client -t
If the configuration is valid, you should see:
OK: configuration test is successful
Do not skip this step after editing Fail2Ban configuration files. A missing section name or simple typing mistake can prevent the service from starting correctly.
Step 6: Restart Fail2Ban
Apply the new configuration:
sudo systemctl restart fail2ban
Check that the service is still running:
sudo systemctl status fail2ban
You can also verify communication with the Fail2Ban server:
sudo fail2ban-client ping
A working installation should return:
Server replied: pong
Step 7: Check Active Fail2Ban Jails
Run:
sudo fail2ban-client status
You should see the SSH jail in the output:
Status
|- Number of jail: 1
`- Jail list: sshd
Now check detailed information for the SSH jail:
sudo fail2ban-client status sshd
The output shows information such as:
-
Currently failed login attempts
-
Total failed attempts
-
Currently banned IP addresses
-
Total banned IP addresses
-
Banned IP list
A typical result looks similar to:
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| `- Total failed: 0
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
If the banned count is zero, that does not mean Fail2Ban is broken. It simply means no IP address has crossed your configured limit yet.
Step 8: Check Fail2Ban Logs
To view recent Fail2Ban service logs, run:
sudo journalctl -u fail2ban
For recent entries only:
sudo journalctl -u fail2ban -n 50
To watch new log entries in real time:
sudo journalctl -u fail2ban -f
Press Ctrl + C to stop following the logs.
Depending on the package configuration, you may also have a Fail2Ban log file at:
/var/log/fail2ban.log
You can check it with:
sudo tail -f /var/log/fail2ban.log
Step 9: Manually Ban an IP Address
You can manually ban an IP address inside the SSH jail:
sudo fail2ban-client set sshd banip 203.0.113.10
Replace 203.0.113.10 with the actual IP address you want to block.
Check the jail again:
sudo fail2ban-client status sshd
The IP address should appear in the banned IP list.
Be careful here. Do not ban the public IP address you are currently using for SSH access unless locking yourself out.
Step 10: Unban an IP Address
To remove an IP address from the SSH jail:
sudo fail2ban-client set sshd unbanip 203.0.113.10
Then verify the jail status:
sudo fail2ban-client status sshd
The IP should no longer appear in the banned list.
Optional: Add Trusted IP Addresses
If you have a fixed office IP address, VPN address, or trusted management network, you can tell Fail2Ban not to ban it.
Open the configuration:
sudo nano /etc/fail2ban/jail.local
Update the [DEFAULT] section:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.0.2.10
bantime = 1h
findtime = 10m
maxretry = 5
Replace 192.0.2.10 with your real trusted public IP address.
You can also add a trusted subnet:
ignoreip = 127.0.0.1/8 ::1 192.0.2.10 10.10.0.0/24
Test the configuration:
sudo fail2ban-client -t
Then restart Fail2Ban:
sudo systemctl restart fail2ban
Only add IP addresses you genuinely trust. Adding large public ranges defeats the point of running Fail2Ban.
Optional: Use a Separate SSH Jail File
If you prefer keeping service specific configuration separate, create:
sudo nano /etc/fail2ban/jail.d/sshd.local
Add:
[sshd]
enabled = true
port = ssh
backend = systemd
bantime = 1h
findtime = 10m
maxretry = 5
Test the configuration:
sudo fail2ban-client -t
Then restart Fail2Ban:
sudo systemctl restart fail2ban
This approach is useful when you later add separate protection for services such as Nginx, Apache, Postfix, or other applications.
Troubleshooting Fail2Ban on Ubuntu 26.04
Fail2Ban Service Does Not Start
Check the service status:
sudo systemctl status fail2ban
Then inspect recent logs:
sudo journalctl -u fail2ban -n 100 --no-pager
Configuration errors are a common cause.
Run:
sudo fail2ban-client -t
Fix any reported errors and restart the service:
sudo systemctl restart fail2ban
SSH Jail Does Not Appear
Check active jails:
sudo fail2ban-client status
If sshd is missing, confirm that your configuration contains:
[sshd]
enabled = true
port = ssh
backend = systemd
Then test and restart:
sudo fail2ban-client -t
sudo systemctl restart fail2ban
Check again:
sudo fail2ban-client status
Fail2Ban Shows No Banned IP Addresses
First inspect the SSH jail:
sudo fail2ban-client status sshd
Then check whether SSH authentication failures are actually appearing in the system journal:
sudo journalctl -u ssh --since "30 minutes ago"
On some systems, checking the SSH daemon unit directly may also be useful:
sudo journalctl -u sshd --since "30 minutes ago"
If authentication failures are being logged but Fail2Ban is not detecting them, inspect its own logs:
sudo journalctl -u fail2ban -n 100 --no-pager
Final Thoughts
In this tutorial, we have learned how to install Fail2Ban on Ubuntu 26.04.
Fail2Ban is one of the simplest ways to reduce repeated brute force attempts against a public Ubuntu server. Once installed, it can watch authentication failures and temporarily block IP addresses that repeatedly cross your configured limits.
For a basic Ubuntu 26.04 server, enabling the sshd jail is a practical starting point. You can later add protection for Nginx, Apache, mail services, and other applications that generate useful authentication or access logs.
Fail2Ban should still be treated as one layer of server security, not the entire security plan. Use SSH keys, disable unnecessary services, keep Ubuntu updated, configure a firewall, and review logs regularly.

