{"id":2029,"date":"2026-06-14T08:41:45","date_gmt":"2026-06-14T08:41:45","guid":{"rendered":"https:\/\/ukspeed.co.uk\/blog\/?p=2029"},"modified":"2026-06-14T10:34:01","modified_gmt":"2026-06-14T10:34:01","slug":"how-to-set-up-fail2ban-on-a-linux-vps-block-brute-force-attacks-automatically-in-2026","status":"publish","type":"post","link":"https:\/\/ukspeed.co.uk\/blog\/how-to-set-up-fail2ban-on-a-linux-vps-block-brute-force-attacks-automatically-in-2026\/","title":{"rendered":"How to Set Up Fail2ban on a Linux VPS: Block Brute-Force Attacks Automatically in 2026"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Cyberattacks continue to evolve in 2026, but one threat remains consistently common across Linux servers worldwide: brute-force attacks. Every day, automated bots scan the internet looking for vulnerable servers, attempting thousands of username and password combinations against <a href=\"https:\/\/ukspeed.co.uk\/blog\/how-to-harden-ssh-on-a-linux-vps-10-security-steps-beyond-just-changing-the-default-port\/\">SSH<\/a>, web panels, mail servers, databases, and other exposed services. For VPS owners, system administrators, developers, and businesses, failing to protect a server against brute-force attacks can lead to unauthorized access, data theft, malware infections, service disruption, and costly downtime. Fortunately, Linux provides a powerful and lightweight solution called Fail2ban. 
This security tool automatically detects malicious login attempts and blocks offending IP addresses before they can compromise your server.<\/p>\n\n\n\n<p>In this comprehensive guide, you&#8217;ll learn what Fail2ban is, how it works, how to install and configure it on a Linux VPS, and how to create a strong first line of defense against automated attacks in 2026.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Is Fail2ban?<\/h2>\n\n\n\n<p>Fail2ban is an open-source intrusion prevention framework designed to protect Linux servers from brute-force attacks and malicious login attempts. It continuously monitors log files and automatically blocks IP addresses that generate suspicious authentication failures. When an IP exceeds a predefined number of failed login attempts, Fail2ban can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add firewall rules<\/li>\n\n\n\n<li>Block the attacker temporarily<\/li>\n\n\n\n<li>Permanently ban repeat offenders<\/li>\n\n\n\n<li>Send email notifications<\/li>\n\n\n\n<li>Trigger custom security actions<\/li>\n<\/ul>\n\n\n\n<p>Fail2ban works with many popular services including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH<\/li>\n\n\n\n<li>NGINX<\/li>\n\n\n\n<li>Apache<\/li>\n\n\n\n<li>FTP servers<\/li>\n\n\n\n<li>Mail servers<\/li>\n\n\n\n<li>WordPress login pages<\/li>\n\n\n\n<li>Control panels<\/li>\n\n\n\n<li>Databases<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why Every Linux VPS Should Use Fail2ban<\/h2>\n\n\n\n<p>Many administrators underestimate how frequently their servers are targeted. A newly deployed VPS often receives login attempts within hours of becoming publicly accessible. 
Common attack targets include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH port 22<\/li>\n\n\n\n<li>cPanel<\/li>\n\n\n\n<li>Plesk<\/li>\n\n\n\n<li>DirectAdmin<\/li>\n\n\n\n<li>Webmail portals<\/li>\n\n\n\n<li>WordPress login pages<\/li>\n\n\n\n<li>FTP services<\/li>\n\n\n\n<li>Mail services<\/li>\n<\/ul>\n\n\n\n<p>Without protection, attackers can perform thousands of password attempts every hour. Fail2ban automatically identifies these attacks and blocks them before they become a serious threat. Benefits include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced attack surface<\/li>\n\n\n\n<li>Improved server security<\/li>\n\n\n\n<li>Lower resource consumption<\/li>\n\n\n\n<li>Protection against credential stuffing<\/li>\n\n\n\n<li>Automated threat mitigation<\/li>\n\n\n\n<li>Better log management<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How Fail2ban Works<\/h2>\n\n\n\n<p>Fail2ban follows a simple process:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Monitor log files.<\/li>\n\n\n\n<li>Detect failed authentication attempts.<\/li>\n\n\n\n<li>Compare activity against predefined rules.<\/li>\n\n\n\n<li>Identify suspicious behavior.<\/li>\n\n\n\n<li>Apply firewall bans automatically.<\/li>\n<\/ol>\n\n\n\n<p>For example: An attacker attempts:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root\nadmin\nubuntu\ntest\nuser\n<\/code><\/pre>\n\n\n\n<p>with hundreds of passwords. After five failed attempts, Fail2ban immediately blocks the source IP through the firewall. 
Future connection attempts from that IP are rejected until the ban expires.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Fail2ban on Ubuntu 24.04<\/h2>\n\n\n\n<p>Update your server first:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update &amp;&amp; sudo apt upgrade -y\n<\/code><\/pre>\n\n\n\n<p>Install Fail2ban:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install fail2ban -y\n<\/code><\/pre>\n\n\n\n<p>Verify installation:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl status fail2ban\n<\/code><\/pre>\n\n\n\n<p>You should see:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>active (running)\n<\/code><\/pre>\n\n\n\n<p>Enable automatic startup:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable fail2ban\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Fail2ban on Debian 12<\/h2>\n\n\n\n<p>For Debian systems:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update\nsudo apt install fail2ban -y\n<\/code><\/pre>\n\n\n\n<p>Start the service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl start fail2ban\nsudo systemctl enable fail2ban\n<\/code><\/pre>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl status fail2ban\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Fail2ban on AlmaLinux, Rocky Linux, and CentOS<\/h2>\n\n\n\n<p>Install EPEL repository:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf install epel-release -y\n<\/code><\/pre>\n\n\n\n<p>Install Fail2ban:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf install fail2ban -y\n<\/code><\/pre>\n\n\n\n<p>Enable the service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable fail2ban\nsudo systemctl start fail2ban\n<\/code><\/pre>\n\n\n\n<p>Check status:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl status fail2ban\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding Fail2ban Configuration 
Files<\/h2>\n\n\n\n<p>Important configuration locations include:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/fail2ban\/\n<\/code><\/pre>\n\n\n\n<p>Common files:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>jail.conf\njail.local\nfail2ban.conf\naction.d\/\nfilter.d\/\n<\/code><\/pre>\n\n\n\n<p>Never edit:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>jail.conf\n<\/code><\/pre>\n\n\n\n<p>directly. Instead create:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>jail.local\n<\/code><\/pre>\n\n\n\n<p>to preserve settings during updates.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Creating Your First Jail Configuration<\/h2>\n\n\n\n<p>Create:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nano \/etc\/fail2ban\/jail.local\n<\/code><\/pre>\n\n\n\n<p>Example secure configuration:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;DEFAULT]\n\nbantime = 1h\nfindtime = 10m\nmaxretry = 5\nbackend = systemd\n\nignoreip = 127.0.0.1\/8\n<\/code><\/pre>\n\n\n\n<p>Explanation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>bantime = block duration<\/li>\n\n\n\n<li>findtime = monitoring period<\/li>\n\n\n\n<li>maxretry = failed attempts before ban<\/li>\n\n\n\n<li>ignoreip = trusted IPs<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting SSH with Fail2ban<\/h2>\n\n\n\n<p>SSH remains the most targeted service on Linux servers. 
Add:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;sshd]\n\nenabled = true\nport = ssh\nfilter = sshd\nlogpath = %(sshd_log)s\nbackend = systemd\nmaxretry = 5\nbantime = 1h\n<\/code><\/pre>\n\n\n\n<p>Save and restart:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart fail2ban\n<\/code><\/pre>\n\n\n\n<p>Check status:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client status sshd\n<\/code><\/pre>\n\n\n\n<p>Example output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Status for the jail: sshd\nCurrently banned: 3\nTotal banned: 156\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Viewing Banned IP Addresses<\/h2>\n\n\n\n<p>Display all active jails:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client status\n<\/code><\/pre>\n\n\n\n<p>View SSH bans:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client status sshd\n<\/code><\/pre>\n\n\n\n<p>List banned IPs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client get sshd banip\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Unbanning an IP Address<\/h2>\n\n\n\n<p>Remove a ban manually:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client set sshd unbanip 1.2.3.4\n<\/code><\/pre>\n\n\n\n<p>Replace:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1.2.3.4\n<\/code><\/pre>\n\n\n\n<p>with the actual IP address.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring Email Notifications<\/h2>\n\n\n\n<p>Install mail tools:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install mailutils -y\n<\/code><\/pre>\n\n\n\n<p>Add to:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>jail.local\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>destemail = admin@example.com\nsender = fail2ban@example.com\nmta = sendmail\naction = %(action_mwl)s\n<\/code><\/pre>\n\n\n\n<p>You will receive notifications whenever Fail2ban blocks attackers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting NGINX 
Servers<\/h2>\n\n\n\n<p>Enable NGINX protection:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;nginx-http-auth]\n\nenabled = true\nport = http,https\nfilter = nginx-http-auth\nlogpath = \/var\/log\/nginx\/error.log\nmaxretry = 5\n<\/code><\/pre>\n\n\n\n<p>This protects HTTP authentication endpoints.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting Apache Servers<\/h2>\n\n\n\n<p>Add:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;apache-auth]\n\nenabled = true\nport = http,https\nfilter = apache-auth\nlogpath = \/var\/log\/apache2\/error.log\nmaxretry = 5\n<\/code><\/pre>\n\n\n\n<p>Fail2ban will automatically block repeated authentication failures.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting WordPress Login Pages<\/h2>\n\n\n\n<p>WordPress websites are constant targets for credential attacks. You can configure Fail2ban to monitor:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>wp-login.php<\/li>\n\n\n\n<li>XML-RPC<\/li>\n\n\n\n<li>Admin authentication attempts<\/li>\n<\/ul>\n\n\n\n<p>Benefits include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced bot traffic<\/li>\n\n\n\n<li>Lower server load<\/li>\n\n\n\n<li>Better WordPress security<\/li>\n\n\n\n<li>Protection against password guessing<\/li>\n<\/ul>\n\n\n\n<p>Combined with strong passwords and two-factor authentication, Fail2ban becomes a highly effective defense layer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Integrating Fail2ban with UFW<\/h2>\n\n\n\n<p>Most Ubuntu VPS deployments use UFW. 
Verify UFW status:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ufw status\n<\/code><\/pre>\n\n\n\n<p>Configure Fail2ban to use UFW:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>banaction = ufw\n<\/code><\/pre>\n\n\n\n<p>Restart:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart fail2ban\n<\/code><\/pre>\n\n\n\n<p>Now blocked IPs will automatically be added to UFW rules.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Integrating Fail2ban with iptables<\/h2>\n\n\n\n<p>For traditional Linux firewalls:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>banaction = iptables-multiport\n<\/code><\/pre>\n\n\n\n<p>Restart Fail2ban:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart fail2ban\n<\/code><\/pre>\n\n\n\n<p>The firewall will automatically block offending IP addresses.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Best Fail2ban Settings for 2026<\/h2>\n\n\n\n<p>A recommended production configuration:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;DEFAULT]\n\nignoreip = 127.0.0.1\/8\nbantime = 24h\nfindtime = 10m\nmaxretry = 3\nbackend = systemd\nbanaction = ufw\n<\/code><\/pre>\n\n\n\n<p>This setup provides strong protection while minimizing false positives.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional VPS Security Recommendations<\/h2>\n\n\n\n<p>Fail2ban is powerful, but it should be part of a layered security strategy. 
Additional protections include:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Change the SSH Port<\/h3>\n\n\n\n<p>Instead of:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>22\n<\/code><\/pre>\n\n\n\n<p>use:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>22022\n<\/code><\/pre>\n\n\n\n<p>or another custom port.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disable Root Login<\/h3>\n\n\n\n<p>Edit:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/ssh\/sshd_config\n<\/code><\/pre>\n\n\n\n<p>Set:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PermitRootLogin no\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Enable SSH Key Authentication<\/h3>\n\n\n\n<p>SSH keys provide significantly stronger security than passwords.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Keep Software Updated<\/h3>\n\n\n\n<p>Regular updates patch vulnerabilities before attackers can exploit them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Use a VPS Firewall<\/h3>\n\n\n\n<p>Combine:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UFW<\/li>\n\n\n\n<li>CSF<\/li>\n\n\n\n<li>iptables<\/li>\n\n\n\n<li>Cloud firewall solutions<\/li>\n<\/ul>\n\n\n\n<p>for stronger protection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Common Fail2ban Issues and Fixes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Jail Not Starting<\/h3>\n\n\n\n<p>Check syntax:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo fail2ban-client -t\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">No IPs Are Being Banned<\/h3>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log file paths<\/li>\n\n\n\n<li>Filter configuration<\/li>\n\n\n\n<li>Service names<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service Won&#8217;t Restart<\/h3>\n\n\n\n<p>Review logs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo journalctl -u fail2ban\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">SSH Jail Missing<\/h3>\n\n\n\n<p>Ensure:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>enabled = 
true\n<\/code><\/pre>\n\n\n\n<p>is configured under the SSH jail section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Fail2ban Is Essential for VPS Security<\/h2>\n\n\n\n<p>Brute-force attacks remain one of the most common threats against internet-facing Linux servers. Even a small VPS can receive thousands of login attempts every day. Fail2ban provides an automated and lightweight defense mechanism that dramatically improves server security with minimal resource usage. By monitoring logs, detecting malicious activity, and blocking attackers automatically, it helps prevent unauthorized access before serious damage can occur. Whether you manage a personal server, a business website, a WordPress installation, or a production application environment, Fail2ban should be considered a mandatory security component.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Fail2ban remains one of the most effective and easiest security tools available for Linux VPS administrators in 2026. With just a few minutes of configuration, it can automatically block brute-force attacks, reduce malicious traffic, and strengthen your server&#8217;s overall security posture. Combined with firewall protection, SSH hardening, regular updates, and strong authentication practices, Fail2ban provides a powerful layer of automated defense that every VPS owner should deploy. As cyber threats continue to evolve, implementing Fail2ban is a simple step that delivers significant long-term security benefits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Cyberattacks continue to evolve in 2026, but one threat remains consistently common across Linux servers worldwide: brute-force attacks. 
Every day, automated bots scan\u2026<\/p>\n","protected":false},"author":3,"featured_media":2031,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[103],"tags":[146,171,300,190,141,74,173,128,47],"class_list":["post-2029","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-linux","tag-linux-hosting","tag-linux-security","tag-linux-vps","tag-security","tag-server-security","tag-ssh-security","tag-uk-speed","tag-vps-hosting"],"_links":{"self":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2029","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=2029"}],"version-history":[{"count":1,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2029\/revisions"}],"predecessor-version":[{"id":2030,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2029\/revisions\/2030"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/media\/2031"}],"wp:attachment":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=2029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=2029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=2029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}