The default directory for fail2ban is /etc/fail2ban, which contains a config file called jail.conf. We should copy this file so that we may edit the copy.
Then we may open the file:
Changing the line ignoreip = ... lets you configure fail2ban not to ban the IP addresses listed in this parameter.
The default is set to not ban the local machine, but more IP addresses may be added at the end, separated by spaces.
The above parameter sets, in seconds, the length of time a client remains banned.
Also important are the findtime and maxretry parameters.
The maxretry variable sets the number of tries a client has to authenticate within a window of time defined by findtime, before being banned. With the default settings, the fail2ban service will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.
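To make the interaction of ignoreip, the ban time, findtime and maxretry concrete, here is an added example (not fail2ban's own code, and not from the original page) that applies a simplified model of these settings to constructed sshd log lines. The regex is a simplified stand-in for a real filter, and `find_bans`, `SAMPLE_LOG` and the `year` argument are hypothetical names introduced for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for an sshd failure pattern (assumption, not fail2ban's filter).
FAIL_RE = re.compile(
    r"^(\S+ +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

# Constructed sample log lines using documentation-range addresses.
SAMPLE_LOG = [
    f"Jan 15 {t} host sshd[1001]: Failed password for root from {ip} port 40000 ssh2"
    for t, ip in [
        ("10:00:00", "198.51.100.20"), ("10:00:01", "203.0.113.7"),
        ("10:00:05", "127.0.0.1"), ("10:00:06", "127.0.0.1"),
        ("10:00:07", "127.0.0.1"), ("10:03:00", "203.0.113.7"),
        ("10:06:00", "198.51.100.20"), ("10:09:30", "203.0.113.7"),
        ("10:11:00", "198.51.100.20"),
    ]
]

def find_bans(lines, ignoreip, findtime=600, maxretry=3, bantime=600, year=2024):
    """Return [(ip, ban_start, ban_end)] for clients reaching maxretry
    failures within findtime seconds; bantime is the ban length in seconds."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    failures = defaultdict(deque)   # per-IP timestamps inside the window
    banned_until = {}
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in ignored):
            continue                # ignoreip: never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue                # already banned at this point in time
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()        # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((str(ip), ts, banned_until[ip]))
            window.clear()
    return bans
```

With the sample data, 203.0.113.7 is banned on its third failure, while 198.51.100.20 also fails three times but is not banned because its attempts are spread over more than the 10 minute window.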
Furthermore, destemail, sendername, and mta may be used to send email notifications if you have a mail server set up.
The backend parameter may be left at its default setting of auto.
In the actions section you will find parameters such as banaction, which describes the steps that fail2ban will take to ban a matching IP address. It refers back to the default iptables-multiport, the contents of which can be found at
Additionally, one may alter the protocol from TCP to UDP in this line as well, depending on which one you want fail2ban to monitor.
Next up is the SSH section:
Most of these options are just fine with the default settings, except for the case where you have changed the standard SSH port. If you have changed the port, then you must change the parameter value to reflect the port you have assigned.
Once you have finished, you must restart the fail2ban service for the changes to take effect:
You may inspect the iptables rules that were implemented: