Running services like SSH, FTP or HTTP on an EC2 instance can leave you open to brute-force attacks. Fail2Ban is a lightweight, open-source tool that watches your logs and automatically blocks IPs that try too many failed logins. Follow along to see how it works and how to set it up on Ubuntu/Debian.
Contents
- What Is Fail2Ban? How Does It Work?
- Implement Fail2Ban on an EC2 Instance
- Check & Unban IPs
- Why a 2-Day Ban?
- Conclusion
1. What Is Fail2Ban? How Does It Work?
Fail2Ban helps defend against brute-force attacks by:
- Log Monitoring
  It continuously scans log files (e.g. /var/log/auth.log) for failed login attempts. On hosts that log only to journald (Debian 12 does not install rsyslog by default, so /var/log/auth.log may not exist), it reads the journal through its systemd backend instead.
- Pattern Matching
  It uses configurable filters (regular expressions under /etc/fail2ban/filter.d/) to spot patterns like "Failed password for invalid user" in your SSH, FTP or HTTP logs.
- Blocking Action
  Once an IP exceeds the allowed number of failures (maxretry) within the observation window (findtime), Fail2Ban automatically adds a firewall rule against it (iptables, nftables or firewalld) for a set time (bantime).
- Automatic Unban
  After the ban period expires, the rule is removed. You can also unban manually if needed:
  sudo fail2ban-client unban <IP_ADDRESS>
  (On Fail2Ban releases older than 0.10 the global unban command does not exist; use sudo fail2ban-client set sshd unbanip <IP_ADDRESS> instead.)
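To make the counting rule concrete, here is an added example (not code from the original page and not Fail2Ban's own filter) that re-implements the sshd jail's decision in awk and runs it over a few constructed auth.log lines. It assumes rsyslog's ISO timestamp format, that all lines fall on the same day, and matches only the "Failed password for" form; the real sshd filter recognises many more message variants.

```shell
#!/bin/sh
# Added example: an awk model of how Fail2Ban counts failures per source IP
# and bans when maxretry hits land inside one findtime window.
# Log lines below are constructed, not a real capture.

SAMPLE_LOG='2024-05-01T10:00:01.000000+00:00 ip-10-0-0-5 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
2024-05-01T10:00:05.000000+00:00 ip-10-0-0-5 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
2024-05-01T10:00:09.000000+00:00 ip-10-0-0-5 sshd[1205]: Failed password for root from 203.0.113.5 port 50126 ssh2
2024-05-01T10:00:13.000000+00:00 ip-10-0-0-5 sshd[1207]: Failed password for root from 203.0.113.5 port 50128 ssh2
2024-05-01T10:00:17.000000+00:00 ip-10-0-0-5 sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 50130 ssh2
2024-05-01T10:00:21.000000+00:00 ip-10-0-0-5 sshd[1211]: Failed password for invalid user test from 203.0.113.5 port 50132 ssh2
2024-05-01T10:05:00.000000+00:00 ip-10-0-0-5 sshd[1230]: Failed password for ubuntu from 198.51.100.7 port 41000 ssh2
2024-05-01T10:05:30.000000+00:00 ip-10-0-0-5 sshd[1232]: Accepted publickey for ubuntu from 198.51.100.7 port 41002 ssh2
2024-05-01T10:10:00.000000+00:00 ip-10-0-0-5 sshd[1240]: Failed password for root from 192.0.2.9 port 33000 ssh2
2024-05-01T10:21:00.000000+00:00 ip-10-0-0-5 sshd[1242]: Failed password for root from 192.0.2.9 port 33002 ssh2
2024-05-01T10:32:00.000000+00:00 ip-10-0-0-5 sshd[1244]: Failed password for root from 192.0.2.9 port 33004 ssh2
2024-05-01T10:43:00.000000+00:00 ip-10-0-0-5 sshd[1246]: Failed password for root from 192.0.2.9 port 33006 ssh2
2024-05-01T10:54:00.000000+00:00 ip-10-0-0-5 sshd[1248]: Failed password for root from 192.0.2.9 port 33008 ssh2'

# brute_force_ips MAXRETRY FINDTIME   (log lines on stdin)
# Prints, in the order they cross the threshold, every source IP that has at
# least MAXRETRY "Failed password" lines inside some FINDTIME-second window.
brute_force_ips() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # $1 looks like 2024-05-01T10:00:01.000000+00:00; chars 12-19 are HH:MM:SS
            split(substr($1, 12, 8), t, ":")
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            # the source address is the token after "from"
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++
            seen[ip, n[ip]] = ts
            # this failure plus every earlier one still inside the window
            hits = 0
            for (j = n[ip]; j >= 1 && ts - seen[ip, j] <= findtime; j--) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Same log, two findtime settings: the slow scanner (192.0.2.9, one try every
# 11 minutes) only gets banned once the window is widened to an hour.
echo "findtime=600 (the setting used on this page):"
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 5 600
echo "findtime=3600:"
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 5 3600
```

The slow scanner in the sample is the case to keep in mind when tuning findtime: a short window catches noisy bots but lets a patient attacker spread attempts out indefinitely, which is why a long bantime on its own is not enough.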
2. Implement Fail2Ban on an EC2 Instance
These steps assume an Ubuntu/Debian AMI on EC2. Before you start, make sure the instance's security group allows port 22 from your own source address; Fail2Ban is a second layer behind the security group, not a replacement for it.
Step 1: SSH into Your EC2
ssh -i /path/to/your/key.pem ubuntu@your-ec2-public-ip
(Official Debian AMIs use admin as the default user instead of ubuntu.)
Step 2: Update the System
sudo apt-get update && sudo apt-get upgrade -y
Step 3: Install Fail2Ban
sudo apt-get install fail2ban -y
Step 4: Configure Fail2Ban
- Do not edit /etc/fail2ban/jail.conf directly; package upgrades overwrite it. Put your changes in /etc/fail2ban/jail.local, which is read after jail.conf and takes precedence. Copying the whole file is one way to start:
  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  A jail.local that contains only the keys you change is easier to review and keeps the packaged defaults for everything else.
- Edit /etc/fail2ban/jail.local:
  sudo nano /etc/fail2ban/jail.local
- Enable SSH protection by finding the [sshd] section and replacing it with (comments are on their own lines, so they cannot be read as part of a value):

    [sshd]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/auth.log
    # allow 5 failed attempts
    maxretry = 5
    # ban for 2 days (172800 seconds)
    bantime  = 172800
    # count retries over 10 minutes (600 seconds)
    findtime = 600
    action   = iptables[name=SSH, port=ssh, protocol=tcp]

  - maxretry: how many failures before banning
  - bantime: how long to ban (2 days = 172800 s)
  - findtime: window for counting failures (10 min = 600 s)
  - action: the firewall action; leaving it out uses the distribution default (banaction), and on an nftables-only host banaction = nftables-multiport is the better choice.
- Add your own address, or your office/VPN range, to ignoreip in the [DEFAULT] section so that a few mistyped passphrases cannot lock you out of the instance (203.0.113.0/24 below is a placeholder):

    [DEFAULT]
    ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24

  If /var/log/auth.log does not exist on the instance (no rsyslog installed), set backend = systemd in the [sshd] section so Fail2Ban reads the journal instead.
- Save and exit (Ctrl + X, Y, Enter).
Step 5: Start & Enable
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Step 6: Verify
- Check overall status:
  sudo systemctl status fail2ban
- Check SSH jail status:
  sudo fail2ban-client status sshd
  If the sshd jail is missing from the output, look at sudo journalctl -u fail2ban for configuration or log-path errors before going further.
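The same procedure as one script, added here as an example (not the page's own script): it renders a minimal jail.local that overrides only the keys discussed above, whitelists an admin range so you cannot lock yourself out, validates the file with fail2ban-client -t (assumed available, Fail2Ban 0.10 or newer), and restarts the service. The admin range 203.0.113.0/24 is a constructed placeholder; pass your own via the ADMIN_CIDR environment variable. Without --apply it only prints the generated file; with --apply it must run as root on the EC2 host.

```shell
#!/bin/sh
# Added example: install and configure Fail2Ban for sshd with a minimal
# jail.local override. Not the page's or the project's own script.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # constructed placeholder

# render_jail_local MAXRETRY BANTIME FINDTIME ADMIN_CIDR
# Prints a jail.local that sets only the keys we care about; everything else
# is inherited from the packaged jail.conf.
render_jail_local() {
    maxretry=$1; bantime=$2; findtime=$3; admin_cidr=$4
    cat <<EOF
[DEFAULT]
# Never ban loopback or the admin range (admin range is an assumed value).
ignoreip = 127.0.0.1/8 ::1 ${admin_cidr}
# Ban for ${bantime}s after ${maxretry} failures inside ${findtime}s.
bantime  = ${bantime}
findtime = ${findtime}
maxretry = ${maxretry}

[sshd]
enabled = true
port    = ssh
# Uncomment on a journald-only host where /var/log/auth.log does not exist:
# backend = systemd
EOF
}

# jail_local_value FILE KEY
# Reads KEY back out of a rendered file, to check what was actually written.
jail_local_value() {
    awk -v key="$2" -F'=' '
        $1 ~ ("^" key "[[:space:]]*$") {
            sub(/^[[:space:]]+/, "", $2); print $2; exit
        }' "$1"
}

# apply_jail_local: install, write the override, validate, restart, report.
apply_jail_local() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update && apt-get install -y fail2ban
    render_jail_local 5 172800 600 "$ADMIN_CIDR" > /etc/fail2ban/jail.local
    # Parse the configuration without starting the server; refuse to restart
    # the service on a broken file rather than leave sshd unprotected.
    fail2ban-client -t || { echo "jail.local failed validation" >&2; return 1; }
    systemctl enable fail2ban
    systemctl restart fail2ban
    fail2ban-client status sshd
}

if [ "${1:-}" = "--apply" ]; then
    apply_jail_local
else
    render_jail_local 5 172800 600 "$ADMIN_CIDR"
fi
```

Run it once without --apply and read the output before applying; the ignoreip line is the one to get right, because a ban on your own address is the only failure mode here that costs you access to the box.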
3. Check & Unban IPs
- View banned IPs for SSH:
  sudo fail2ban-client status sshd
  You'll see something like this (the Filter block, which lists the failure counters and the log file being read, is abbreviated here; the ban counters live under Actions):

    Status for the jail: sshd
    |- Filter
    |  ...
    `- Actions
       |- Currently banned: 2
       |- Total banned: 10
       `- Banned IP list: 192.168.1.1 203.0.113.5

- Unban a single IP:
  sudo fail2ban-client unban 192.168.1.1
- Unban multiple IPs:
  sudo fail2ban-client unban 192.168.1.1 203.0.113.5
- Unban all:
  sudo fail2ban-client unban --all
- On Fail2Ban releases before 0.10 the global unban command does not exist; unban per jail instead:
  sudo fail2ban-client set sshd unbanip 192.168.1.1
Unbanning is a one-off: if the same client keeps failing it will be banned again as soon as it hits maxretry, so add a legitimate address to ignoreip rather than unbanning it repeatedly.
4. Why a 2-Day Ban?
- Stronger Deterrence: a 2-day ban keeps an attacking address out far longer than the packaged default bantime of 10 minutes.
- Bot Timeout: automated scanners usually move on when they cannot get in quickly.
- Admin Grace: gives you time to spot false positives and unban legitimate users.
- Repeat Attack Protection: stops repeated attempts from the same address within the window.
The trade-off: a 2-day ban on a shared or NAT address (an office, a mobile carrier) locks out everyone behind it, and the firewall rule set grows with every long-lived ban. If that matters for your users, keep the default short ban and let Fail2Ban escalate repeat offenders instead with bantime.increment = true (Fail2Ban 0.11 or newer).
5. Conclusion
By implementing Fail2Ban on your Ubuntu/Debian EC2 instance, you can significantly reduce the noise and risk from SSH brute-force attacks and other repeated unauthorized access attempts. A 2-day ban is a robust default for a single-admin server, provided your own addresses are in ignoreip so you can still review and manage false positives quickly. Combined with key-only SSH authentication and a security group that limits port 22 to known source ranges, Fail2Ban becomes the safety net behind those controls rather than the only one.
