
This quick guide shows how to install and configure Fail2Ban on a fresh Ubuntu 22.04 system by first updating the package index and installing the fail2ban package, which automatically enables its daemon at boot. It then instructs you to copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local so custom settings survive upgrades, and demonstrates enabling the SSH jail (or any other service) by editing jail.local to set enabled = true, adjust bantime, findtime, and maxretry. An optional example adds a user‑defined jail for a web application with its own filter and log path, after which you restart the service and verify active jails using fail2ban-client status. Finally, it suggests monitoring /var/log/fail2ban.log and tweaking ignoreip or other parameters to reduce false positives while keeping brute‑force protection lightweight.



Install Fail2Ban on Ubuntu 22.04 LTS – Quick Command‑Line Guide

You’ll get Fail2Ban up and running on a fresh Jammy install without pulling your hair out. The steps cover installing the package, tweaking the default jail, and testing that it actually blocks an IP. By the end you’ll have a lightweight brute‑force shield that doesn’t hog resources.

1. Pull the package from Ubuntu’s repo

sudo apt update
sudo apt install fail2ban

apt update makes sure your package list reflects the latest security fixes; installing from the official repository guarantees compatibility with kernel 5.15 used by Jammy. After the command finishes, the daemon is already enabled and will start on boot.

2. Create a local override file

Never edit /etc/fail2ban/jail.conf directly – it gets overwritten whenever the package updates. Instead copy it to jail.local:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now you have a safe place for your custom rules. I’ve seen people lose their tweaks after a routine apt upgrade because they edited the wrong file, so this step saves you that headache.

3. Enable the SSH jail (or any service you need)

Open the new file with your favorite editor:

sudo nano /etc/fail2ban/jail.local

Find the [sshd] section and change enabled = false to enabled = true. You can also tighten the ban time if you like:

bantime = 1h ; how long an IP stays blocked
findtime = 10m ; look back period for failed attempts
maxretry = 5 ; number of tries before a ban

bantime set to one hour is usually enough to deter password‑spraying attacks without locking out legitimate users forever. If you run a public server, I recommend bumping maxretry down to three.

4. Add a custom jail for your web app (optional)

Suppose you have a PHP site that logs failed logins to /var/log/auth.log. Create /etc/fail2ban/filter.d/myapp.conf:

[Definition]
failregex = ^.*Failed password for .* from <HOST>$
ignoreregex =

Then add a stanza in jail.local:

[myapp]
enabled = true
port = http,https
filter = myapp
logpath = /var/log/auth.log
maxretry = 4
bantime = 30m

This shows how easy it is to protect non‑standard services without pulling in heavyweight IDS software.

5. Restart the daemon and verify

sudo systemctl restart fail2ban
sudo fail2ban-client status

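The status command lists all active jails; you should see sshd (and myapp if you added it). To test, try a few bogus SSH logins from another terminal – after the configured number of failures, Fail2Ban will drop your IP and you’ll see an entry in /var/log/fail2ban.log. Make the attempts from a different machine than the server: with the default ignoreself = true, Fail2Ban does not ban the server’s own addresses.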

6. Keep an eye on the logs

Fail2Ban is low‑maintenance, but occasional log churn is normal. If you notice a flood of bans for a single IP that isn’t malicious, it might be a misconfigured client or a flaky VPN. Adjust ignoreip in jail.local to whitelist trusted addresses.
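
Added example (not part of the original guide, and not Fail2Ban's own code): a small Python model of how the myapp failregex from step 4 works together with maxretry, findtime and ignoreip, run over a constructed log. It simplifies <HOST> to IPv4, assumes the 10m findtime from step 3 also applies to [myapp], and the helper names (match_host, simulate) are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# failregex from filter.d/myapp.conf. <HOST> is simplified to IPv4 here
# (assumption: real Fail2Ban also matches IPv6 addresses and hostnames).
FAILREGEX = r"^.*Failed password for .* from <HOST>$"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

MAXRETRY = 4                       # [myapp] maxretry
FINDTIME = timedelta(minutes=10)   # assumption: [myapp] uses the 10m findtime shown for sshd
IGNOREIP = [ip_network("127.0.0.0/8"), ip_network("192.0.2.10/32")]  # constructed allowlist

def _lines(ip, times, tag="myapp[811]", tail=""):
    """Build constructed auth.log lines for one source address."""
    return [f"Mar 10 {t} web1 {tag}: Failed password for alice from {ip}{tail}" for t in times]

# Constructed sample log (documentation address ranges), sorted chronologically.
SAMPLE_LOG = sorted(
    _lines("198.51.100.7", ["12:00:01", "12:00:40", "12:01:15", "12:02:30"])     # fast burst
    + _lines("198.51.100.99", ["12:00:10", "12:00:20", "12:00:30", "12:15:00"])  # 4th outside findtime
    + _lines("192.0.2.10", ["12:03:00", "12:03:05", "12:03:10", "12:03:15"])     # listed in ignoreip
    + _lines("203.0.113.5", ["12:04:00"] * 4, tag="sshd[900]", tail=" port 50122 ssh2")  # sshd format
)

def match_host(line):
    """Return the address the failregex captures from a line, or None if it does not match."""
    m = PATTERN.search(line)
    return m.group("host") if m else None

def simulate(lines, year=2024):
    """Return {ip: ban time} for hosts with MAXRETRY matching failures inside FINDTIME."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        ip = match_host(line)
        if ip is None or ip in banned or any(ip_address(ip) in net for net in IGNOREIP):
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:   # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    print({ip: f"{t:%H:%M:%S}" for ip, t in simulate(SAMPLE_LOG).items()})
```

Only the fast burst is banned: the slow source never has four failures inside findtime, the ignoreip address is skipped, and sshd's own lines do not match because the regex requires the line to end at <HOST>. On the server, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/myapp.conf runs the real filter against the real log.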

That’s all there is to it – a few commands and a bit of tweaking, and your Ubuntu 22.04 box will start kicking out brute‑force attackers automatically.