How to Install Fail2ban with Email notification

Fail2ban is easy to install. Getting email notifications to work takes a bit more effort. Often, Fail2ban runs fine, bans work, but no alert ever lands in your inbox. Email saved me once when my Proxmox box got banned by mistake. I caught it immediately and fixed it by adding an ignoreip. Without that alert, the issue would have lingered.

This tutorial covers the full setup: Fail2ban installation, Postfix for sending mail, jail configuration, and a test to confirm emails actually arrive. Written for Ubuntu 22.04/24.04, but the same principles apply elsewhere.

What is Fail2ban?

Fail2ban is a free, open-source tool that monitors log files for suspicious activity, such as repeated failed logins. When it detects an attack, it automatically blocks the offending IP address using firewall rules. Besides blocking, Fail2ban can also send you an email notification about the activity.

This guide focuses on protecting SSH with Fail2ban. But Fail2ban can monitor many other services too, such as Asterisk (VoIP), Postfix, https like Nginx, or Apache, and even custom iptables rules. The setup principle is the same: define a jail, point it at a log file, and choose an add action.

Install Fail2ban with email support to send emails (Ubuntu Server)

I’m using Ubuntu for this example. The installation is quick; make sure your server is up to date first:

sudo apt update && sudo apt upgrade -y

Now install Fail2ban:

sudo apt install fail2ban -y

For email alerts, you also need a mail transfer agent (MTA). The simplest option is Postfix, which works out of the box with Fail2ban:

sudo apt install postfix -y

During installation, Postfix asks for a configuration type. Choose ‘Internet Site’ and enter your server’s hostname.

Confirm your server clock is correct (important for logs and email headers). If it’s wrong, adjust it with timedatectl set-timezone before continuing.

timedatectl

If the time is wrong, adjust it with timedatectl set-timezone before continuing.

Configure Fail2ban with a specific jail for the service

To configure Fail2ban for email notifications, add specific actions to the jail configuration files.

Fail2ban’s main configuration file is /etc/fail2ban/jail.conf. Never edit this file directly. It may be overwritten by updates.

Instead, create /etc/fail2ban/jail.local. Settings in jail.local override jail.conf and stay safe during package upgrades.

In jail.local, you define:

• Global defaults (e.g., ban time, email settings).
• Service-specific jails (e.g., sshd, nginx, Postfix).

Here’s an example configuration file for SSH with email notifications:

sudo nano /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 86400
findtime = 120
maxretry = 3
destemail = yourname@example.com
sender = fail2ban@example.com
sendername = Fail2ban
mta = sendmail
action = %(action_mwl)s
[sshd]
enabled = true
port    = 12522
filter  = sshd
logpath = /var/log/auth.log

Tip: Don’t leave SSH on port 22. Update your firewall rules and reflect that port in your jail configuration.

Explanation:

• ignoreip → trusted IPs (never banned).
• bantime → how long (in seconds) an IP is banned (86400 = 24h).
• findtime + maxretry → how many failed attempts within a time window trigger a ban.
• destemail / sender → email details.
• mta → Postfix provides a sendmail-compatible command, so mta = sendmail it works even though we installed Postfix.
• action = %(action_mwl)s → ban + send email + include logs.
  Other options: action_ = ban only. action_mw = ban + email. action_mwl = ban + email + log lines.

Restart the Fail2Ban service after making configuration changes for the changes to take effect.

sudo systemctl restart fail2ban

Once the command executed, Fail2ban reloads with your new jail configuration.

Test Fail2ban & Email Notification

After editing jail.local, reload Fail2ban and check the SSH jail:

sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| - Total failed: 0 – Actions
|- Currently banned: 0
`- Total banned: 0

You should see the sshd jail enabled, with a list of log paths and zero banned IPs.

Send a test email

Make sure the server can send mail before you test bans:

printf "Subject: Fail2ban Test
Fail2ban email test" | sendmail yourname@example.com

If nothing arrives, check your mail logs:

sudo tail -n 50 /var/log/mail.log

On some systems using systemd only: journalctl -u postfix -n 50

Trigger a ban on purpose (safe test)

To test email notifications in Fail2Ban, deliberately fail an authentication attempt (e.g., by entering a wrong password multiple times) and check email for alerts.(use your custom SSH port):

ssh -p 12522 wronguser@your.server.ip
# enter a wrong password 3+ times (based on your maxretry)
# - p is the ssh port number

Now confirm the ban:

sudo fail2ban-client status sshd

You should see 1 banned IP. An email with subject similar to [Fail2Ban] sshd should land in your inbox (with logs, because we used %(action_mwl)s).

Unban yourself (if needed)

To find the banned IP, run:

sudo fail2ban-client status sshd

If you locked out a legit IP during testing:

sudo fail2ban-client set sshd unbanip <YOUR_IP>

Common gotchas (quick fixes)

• No email received → Check /var/log/mail.log, spam folder, and make sure destemail is correct for the mail server.
• No bans → Confirm logpath matches your distro (/var/log/auth.log on Ubuntu).
• Wrong time in emails → Fix server clock: timedatectl set-timezone Europe/Zurich.
• MTA not found → Reinstall: sudo apt install postfix -y (choose Internet Site)
• Emails land in spam → Add an SPF record for your server’s domain. Or relay through Gmail/Brevo for better deliverability. sendmail: command not found → Postfix may not be running. Check with sudo systemctl status postfix.

---

How do I Whitelist permanently?

edit /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1 ::1 192.0.2.10 203.0.113.0/24
Only for SSH (put inside the jail):
[sshd]
ignoreip = 127.0.0.1 ::1 192.0.2.10 203.0.113.0/24

Real-World Example: How Email Notifications Revealed My Proxmox Server Banned by Fail2ban

Proxmox comes with sendmail already installed for email alerts. Many don’t know that sendmail looks for Postfix servers on your network and tries to connect to them.

I have a Postfix server at home that uses Fail2ban with email notifications. One day, I got an unexpected email alert. Surprise! My own Fail2ban setup was banning my Proxmox server.

Without these email alerts, I might never have noticed this problem. My servers would have been fighting each other silently for weeks.

The alerts showed me exactly what was happening: Proxmox’s sendmail was trying to connect to my Postfix server, and Fail2ban saw these attempts as suspicious.

The fix was simple: I added the Proxmox server’s IP to the safe list.

ignoreip = 127.0.0.1 <Proxmox-IP>

This experience reinforced why I always enable email alerts. They don’t just warn you about hackers — they also reveal when your own devices misbehave.

Final Thoughts

Setting up Fail2ban with email notifications takes only a few extra steps. You’ll know right away when suspicious activity occurs, or when your own devices misbehave.

If you’re running this on a VPS or cloud provider, many data centers block or limit outgoing SMTP (port 25). If emails don’t arrive, check with your host. A workaround is to configure Postfix (or msmtp) to relay mail through a trusted SMTP service like Gmail, your ISP, or a transactional email provider. Even when mail is sent successfully, it may land in spam. Adding an SPF record for your domain helps.

With that in place, Fail2ban isn’t just silently protecting your server — it’s actively keeping you informed.

---