Prerequisites
Before configuring Fail2ban for SSH, make sure you have:
- Fail2ban installed (see Article 42)
- Root or sudo privileges
Step 1: Understand Default SSH Jail
Connect to your VPS:
ssh hxroot@YOUR_SERVER_IP -p 22
View default SSH configuration:
sudo cat /etc/fail2ban/jail.d/defaults-debian.conf
Step 2: Create Custom SSH Configuration
sudo nano /etc/fail2ban/jail.local
Add or modify the [sshd] section:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
If the server has no /var/log/auth.log (no rsyslog installed, so sshd logs only to the systemd journal), replace the logpath line with backend = systemd so the jail reads the journal instead.
Step 3: Customize for Non-Standard SSH Port
If you changed SSH port to 2222:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
action = iptables-multiport[name=sshd, port="2222", protocol=tcp]
Step 4: Set Different Bantime for SSH (More Aggressive)
Tighten the values in the existing [sshd] section of jail.local (edit that section rather than adding a second [sshd] block):
[sshd]
maxretry = 2
findtime = 300
bantime = 86400
Longer bans for repeat offenders are not an option of the sshd jail itself; they come from the separate recidive jail set up in Step 5.
Step 5: Enable Recidive Jail (Repeat Offenders)
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = iptables-multiport
# 1 week
bantime = 604800
# 1 day
findtime = 86400
maxretry = 5
Step 6: Test SSH Jail Configuration
sudo fail2ban-client -d | grep sshd
Restart Fail2ban:
sudo systemctl restart fail2ban
Step 7: Monitor SSH Jail Activity
sudo fail2ban-client status sshd
Step 8: View Fail2ban SSH Filter Regex (Optional)
sudo cat /etc/fail2ban/filter.d/sshd.conf
You can add custom failregex patterns if needed.
Example: Ban IPs Trying Common Usernames
Add custom filter for root/admin attempts:
sudo nano /etc/fail2ban/filter.d/sshd-extra.conf
[Definition]
failregex = ^.* sshd\[[0-9]+\]: Invalid user .* from <HOST>( port \d+)?$
            ^.* sshd\[[0-9]+\]: Failed password for (invalid user )?\w+ from <HOST>( port \d+)?( ssh2)?$
ignoreregex =
Every failregex must contain the <HOST> tag: Fail2ban expands it to the address pattern and bans whatever it captures there. Brackets in the regex are escaped because [ ] otherwise denotes a character class, and continuation lines of a multi-line failregex are indented.
In jail.local, give the new filter its own jail (a jail takes exactly one filter, so a second name cannot be appended to the sshd jail's filter line):
[sshd-extra]
enabled = true
port = ssh
filter = sshd-extra
logpath = /var/log/auth.log
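To show how the [sshd] jail's maxretry, findtime and bantime values (Step 2) interact with the failregex lines of the sshd-extra filter, here is an added example in Python that is not part of this article or of Fail2ban itself. It replays a constructed auth.log excerpt (documentation addresses, not real data) through the same counting rule Fail2ban applies: strip the timestamp, match the remainder against each failregex, and ban a host once it reaches maxretry matches inside a sliding findtime window. Assumptions: a fixed year for the year-less syslog timestamps, and an IPv4-only stand-in for Fail2ban's real <HOST> expansion, which also covers IPv6 and hostnames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters taken from the [sshd] section above.
MAXRETRY = 3
FINDTIME = 600    # seconds in which MAXRETRY failures trigger a ban
BANTIME = 3600    # seconds the ban lasts

# Assumption for this example: syslog lines carry no year, so one is fixed here.
YEAR = 2024

# Fail2ban expands <HOST> to a pattern for IPv4/IPv6 addresses and hostnames.
# This example substitutes a simplified IPv4-only pattern (assumption).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The two failregex lines of the sshd-extra filter described above.
FAILREGEX = [
    r"^.* sshd\[[0-9]+\]: Invalid user .* from <HOST>( port \d+)?$",
    r"^.* sshd\[[0-9]+\]: Failed password for (invalid user )?\w+ from <HOST>( port \d+)?( ssh2)?$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed auth.log excerpt (not real data; addresses come from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = """\
Jan 10 12:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:04 vps sshd[1203]: Invalid user admin from 203.0.113.5 port 51236
Jan 10 12:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:09 vps sshd[1207]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jan 10 12:00:10 vps sshd[1209]: Failed password for root from 198.51.100.9 port 40002 ssh2
Jan 10 12:20:10 vps sshd[1311]: Failed password for root from 198.51.100.9 port 40010 ssh2
Jan 10 12:40:10 vps sshd[1401]: Failed password for root from 198.51.100.9 port 40020 ssh2
"""


def match_failure(line):
    """Return (timestamp, host) if the line matches a failregex, else None.

    As in Fail2ban, the timestamp is stripped before the regex is applied,
    so '^' in the failregex anchors at the text right after the date."""
    stamp, rest = line[:15], line[16:]
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=YEAR)
    for rx in COMPILED:
        m = rx.match(rest)
        if m:
            return ts, m.group("host")
    return None


def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through the jail's counting rule.

    A host is banned once it accumulates `maxretry` matches within a sliding
    `findtime` window. Returns {host: ban_expiry} for every banned host."""
    recent = defaultdict(deque)        # host -> timestamps of recent failures
    bans = {}                          # host -> datetime the ban expires
    window = timedelta(seconds=findtime)
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit is None:
            continue                   # successful logins and other noise are ignored
        ts, host = hit
        if host in bans and ts < bans[host]:
            continue                   # already banned: the firewall drops its packets
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # forget failures older than findtime
        if len(q) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


def banned_hosts(log_text=SAMPLE_LOG, **jail_params):
    """Sorted list of hosts the jail would ban for the given log."""
    return sorted(simulate_jail(log_text, **jail_params))


if __name__ == "__main__":
    for host, until in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} until {until:%Y-%m-%d %H:%M:%S}")
```

With the page's values, 203.0.113.5 is banned after its third failure at 12:00:05, while 198.51.100.9, whose three failures are twenty minutes apart, never has maxretry failures inside one 600-second window and stays unbanned; raising findtime to 1800 (the Step 4 style of tuning in the other direction) catches it too. Against a real log, the equivalent check with Fail2ban's full <HOST> expansion is sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-extra.conf.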
Check Fail2ban Firewall Rules (iptables)
sudo iptables -L -n | grep -E 'f2b|fail2ban'
Fail2ban 0.9 and later name their chains f2b-<jail> (for example f2b-sshd); older releases used fail2ban-<jail>, so matching only "fail2ban" can miss the active chains.
✅ Fail2ban SSH protection configured. Attackers will be banned after failed attempts.