🟠 High   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: Ubuntu 26.04 LTS

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Brute-force SSH attempts continue without bans, increasing compromise risk.

Environment & Reproduction

Often occurs after log path changes or incorrect jail backend settings.

sudo fail2ban-client status
sudo journalctl -u ssh -n 100 --no-pager

Root Cause Analysis

Fail2ban cannot parse expected auth failures due to wrong filter or log source.

Quick Triage

Verify fail2ban service, enabled jails, and backend mode.

systemctl status fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

Step-by-Step Diagnosis

Test failregex against actual SSH log lines and inspect jail config precedence.

sudo grep -E 'Failed password|Invalid user' /var/log/auth.log | tail -n 50
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
sudo grep -R '^[sshd]' -n /etc/fail2ban
Illustrative mockup for ubuntu-26-04-lts — fail2ban_no_ban
Repeated SSH failures with no fail2ban action — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Set correct logpath/backend and enable sshd jail with sane ban thresholds.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo tee /etc/fail2ban/jail.d/sshd.local >/dev/null <<'EOF'
[sshd]
enabled = true
backend = systemd
maxretry = 5
bantime = 1h
findtime = 10m
EOF
sudo systemctl restart fail2ban
Illustrative mockup for ubuntu-26-04-lts — fail2ban_ban_active
fail2ban jail active and source addresses banned — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Pair fail2ban with SSH key-only auth and disabled password logins.

sudoedit /etc/ssh/sshd_config
sudo systemctl reload ssh

Verification & Acceptance Criteria

Repeated failed logins trigger bans visible in fail2ban jail status.

sudo fail2ban-client status sshd
sudo iptables -S | grep fail2ban || true

Rollback Plan

Remove custom jail override and restart fail2ban.

sudo rm -f /etc/fail2ban/jail.d/sshd.local
sudo systemctl restart fail2ban

Prevention & Hardening

Continuously monitor auth failure rate and tune ban policy to threat profile.

Related to UFW ordering issues and custom SSH log format changes.

Related tutorial: View the step-by-step tutorial for Ubuntu 26.04 LTS.

View all Ubuntu 26.04 LTS tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Fail2ban SSH jail configuration and Ubuntu hardening references.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.