1001Ferramentas

fail2ban jail.local Generator

Generate a fail2ban jail.local snippet with filter, action, maxretry, bantime.


  

Fail2ban: an IPS for Linux

Fail2ban is an Intrusion Prevention System (IPS) for Linux created by Cyril Jaquier in 2004. It tails service logs (sshd, Apache, Nginx, Postfix, Dovecot, vsftpd, WordPress), matches authentication failures against regular expressions, and automatically bans the offending IPs by talking to iptables, firewalld, nftables, pf or ipset. It is the cheapest, fastest defence against brute-force SSH attacks and credential stuffing on a self-managed VPS.

Configuration files

  • /etc/fail2ban/jail.conf: shipped defaults, never edit directly (upgrades overwrite it).
  • /etc/fail2ban/jail.local: your overrides; create with cp jail.conf jail.local.
  • /etc/fail2ban/jail.d/*.conf: drop-in fragments per jail (preferred for automation).
  • /etc/fail2ban/filter.d/*.conf: regex filters (failregex, ignoreregex).
  • /etc/fail2ban/action.d/*.conf: actions such as iptables-multiport, ufw, firewallcmd-ipset, abuseipdb.

Jail anatomy

A jail glues a filter to a log file and a ban action:

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
findtime = 600
bantime  = 3600
ignoreip = 127.0.0.1/8 192.168.0.0/16

Key directives: maxretry (attempts before ban), findtime (sliding window in seconds), bantime (ban duration; -1 means permanent), ignoreip (whitelist; always include your office and management IPs), action (which banaction to invoke).

Popular jails and the recidive trick

Common jails out of the box: sshd, apache-auth, nginx-http-auth, nginx-botsearch, postfix-sasl, dovecot, wordpress. The recidive jail is special: it monitors /var/log/fail2ban.log itself and bans IPs that get repeatedly caught by other jails, typically maxretry=5 with bantime=604800 (one week) or longer. It is the single most effective addition to a default install.

Operations

Manage jails with fail2ban-client: status, status sshd, unban 1.2.3.4, set sshd banip 1.2.3.4, reload. Logs live at /var/log/fail2ban.log. Modern alternatives include CrowdSec (community-shared blocklists, behavioural scenarios) and Suricata (deeper signature-based IDS). Cloud equivalents are AWS WAF rate-based rules and Cloudflare rate limiting. Unlike UFW, a static firewall, fail2ban is reactive: it learns from logs.

FAQ

Can fail2ban lock me out? Yes, that is the most common mishap. Always populate ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 <your-IP> before enabling, keep a console session open while testing, and run fail2ban-client unban --all if you get stuck.
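A pre-flight check for the lock-out risk described above, as an added example that is not part of the original page or of the fail2ban project: it reads a jail.local with Python's configparser (an approximation of fail2ban's own parser) and reports enabled jails whose ignoreip does not cover a management address, plus a disabled recidive jail. The sample config, the function name lint_jails and the issue labels are assumptions made for the illustration.

```python
import configparser
import ipaddress

# Constructed sample jail.local for the demo (not taken from a real host).
SAMPLE = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16
bantime  = 3600

[sshd]
enabled = true

[nginx-http-auth]
enabled  = true
ignoreip = 127.0.0.1/8
bantime  = -1

[recidive]
enabled = false
"""

def lint_jails(text, mgmt_ip):
    """Return sorted (jail, issue) pairs for lock-out risks in a jail.local."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s values raw
    cp.read_string(text)
    addr = ipaddress.ip_address(mgmt_ip)
    issues = set()
    for jail in cp.sections():  # each jail inherits unset keys from [DEFAULT]
        sec = cp[jail]
        if not sec.getboolean("enabled", fallback=False):
            continue
        covered = False
        for tok in sec.get("ignoreip", "").replace(",", " ").split():
            try:
                covered |= addr in ipaddress.ip_network(tok, strict=False)
            except ValueError:
                pass  # hostname entries are not resolved in this sketch
        if not covered:
            issues.add((jail, "mgmt-ip-not-ignored"))
            if sec.get("bantime", "").strip() == "-1":
                issues.add((jail, "permanent-ban-could-hit-mgmt-ip"))
    if not (cp.has_section("recidive") and cp["recidive"].getboolean("enabled", fallback=False)):
        issues.add(("recidive", "not-enabled"))
    return sorted(issues)

if __name__ == "__main__":
    for jail, issue in lint_jails(SAMPLE, "192.168.1.10"):
        print(f"{jail}: {issue}")
```

In the sample, sshd passes because it inherits ignoreip from [DEFAULT], while nginx-http-auth overrides it with a narrower list and is flagged.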

Can I block a whole country? Yes, by combining fail2ban with GeoIP (maxmind database) and a custom action that drops CIDR ranges, or simply by importing country blocklists into ipset.

Is fail2ban safe on VPNs and shared networks? Be careful: many legitimate users may share an exit IP. Lower maxretry only on services without a captcha, and pair with MFA so a single false positive does not block real users.

Does it work with IPv6? Yes, since version 0.10. Make sure your firewall backend (iptables-ipv6, nftables) is loaded and that the jail action supports both families.
