I've seen a significant increase in ssh port-knocking on my private servers, so figured I'd give Fail2ban a go.

This guide focuses on Fail2ban using CentOS 6.

For Ubuntu, use this instead;

Ubuntu 14.04 is stated, but works with little to no modifications for the latest Ubuntu 18.04 LTS Bionic Beaver as well.


For Ubuntu-users

See my Ubuntu/Debian-centric quick notes over here; Fail2ban with Ubuntu!

Please note that the Ubuntu notes are more up-to-date than this one!



  1. I followed this excellent guide over at Digital Ocean;

  2. Did some changes to the /etc/fail2ban/jail.local.
    enabled = true
    # Default ssh port setting
    #port = ssh
    # If you use something other than port 22 for ssh, this is where you set it. No, port 2222 is not my real ssh-port!
    port = 2222

    # Ignore any IP's on the internal network and the localhost
    ignoreip =
    bantime = 3600
    maxretry = 3
  3. Restart the fail2ban daemon for good measure.
    # service fail2ban restart
    Stopping fail2ban: [ OK ]
    Starting fail2ban: [ OK ]
  4. Done, it's that simple!



Tips and tricks


Unblocking IP-addresses

Sometimes you need to unblock IP's. Use the fail2ban-client for this.

# fail2ban-client set <JAIL> unbanip <IP>


Unblock IP from the sshd-jail:

#  fail2ban-client set sshd unbanip



List all jails

For some reason fail2ban doesn't have a "fail2ban-client status --all", so here's a script to overcome that.

JAILS=`fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'`
for JAIL in $JAILS
fail2ban-client status $JAIL

A shorter version from the same thred on github as above:

# fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status 



Got yourself locked out?

Set the the bantime to something shorter and-or see below about whitelisting IP's.

Add or change this line to your /etc/fail2ban/jail.local in the default-block.

# Set bantime to five minutes, default is ten minutes, or 3600 seconds.
bantime = 300



Whitelisting own IP's

Add this line to your /etc/fail2ban/jail.local in the default-block. It might be a single IP-address, a CIDR-mask or something else, as stated inline below.

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not                          
# ban a host which matches an address in this list. Several addresses can be                             
# defined using space separator.
ignoreip =


Ignore common private networks.

# This will ignore connection coming from common private networks.
# Note that local connections can come from other than just, so
# this needs CIDR range too.
ignoreip =



















Stop Spam Harvesters, Join Project Honey Pot


Get a free SSL certificate!


The leading nonprofit defending digital privacy, free speech, and innovation.


The Linux Foundation provides a neutral, trusted hub for developers and organizations to code, manage, and scale open technology projects and ecosystems.


Kubuntu is an operating system built by a worldwide community of developers, testers, supporters and translators.


 43ef5c89 CanonicalUbuntudarktext