Fail2ban email notification

You might think, “Oh no, not another ‘how-to’ about installing Fail2ban.” I admit there are a lot of instructions available. However, I could not find a clear guide on installing Fail2ban with email notification. I love Fail2ban and use it for several Linux servers. For me, receiving an email when Fail2ban triggers an action is important.

What is Fail2ban?

Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the attacker’s IP address for a fixed period of time or permanently. Fail2ban can also alert you by email about an ongoing attack.

How to install Fail2ban?

I’m demonstrating the installation on an Ubuntu server. It’s a pretty quick installation with not much to do.

Make sure your system is up to date

Bash
sudo apt-get update
sudo apt-get upgrade

Install Fail2ban

Bash
sudo apt install fail2ban

You must also install email support on your server, such as Sendmail. Postfix is 100% compliant with Sendmail, so it works fine with Fail2ban.

Please also check that the time on your server is set correctly.

Bash
timedatectl

If not, please check this blog.

Configure Fail2ban

The configuration files are in /etc/fail2ban. The basic configuration is in jail.conf. However, if you want to make changes, create jail.local. Fail2ban is configured such that settings in jail.local override settings in jail.conf. Furthermore, if you update Fail2ban later, jail.conf could be overwritten, even as jail.local remains.

Configuration example for ssh with email notification

We all love using ssh to access our servers. But we are not the only ones. Hackers love ssh too. As a special tip, I recommend not using the default port 22. Use another port, and configure your network firewall and maybe your Linux host firewall too.

So here is an example jail.local for ssh with email support:

Bash
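[DEFAULT]
# Addresses that are never banned (space-separated list)
ignoreip = 127.0.0.1/8
bantime  = 86400s
findtime  = 120s
# Recipient and sender of the notification emails
destemail = yourname@example.com
sender = yourname@example.com
sendername = Fail2ban
mta = sendmail
# Ban, then send an email with whois data and the matching log lines
action = %(action_mwl)s

[sshd]
enabled = true
# Must match the port sshd actually listens on
port = 12522
filter = sshd
logpath = /var/log/auth.log
maxretry = 3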

Don’t even try, I don’t have ssh on port 12522. 🙂

  • bantime = The time in seconds for which an IP is banned. If set to a negative number, the ban will be permanent.
  • findtime = The time window in which failed login attempts are counted before a ban is set.
  • maxretry = The number of failed attempts that can be made to access the server from a single IP within findtime before a ban is set.
  • action = The “mw” after the “action_” tells Fail2ban to send you emails. “mwl” attaches the logs too.
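To see how findtime, maxretry, bantime and ignoreip interact, here is an added example (not part of the original post and not Fail2ban's own code) that replays constructed auth.log lines through a simplified model of the jail above. The regex is a stand-in for the shipped sshd filter, and the second ignoreip entry, the log lines and the year are assumptions made for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.local example; the second ignoreip entry is a constructed host.
FINDTIME, MAXRETRY, BANTIME = 120, 3, 86400
IGNOREIP = ["127.0.0.1/8", "192.0.2.10"]

# Constructed auth.log lines using documentation-range addresses (not real data).
SAMPLE_LOG = """\
Jan 10 03:00:00 srv sshd[801]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jan 10 03:00:01 srv sshd[802]: Failed password for root from 203.0.113.5 port 40110 ssh2
Jan 10 03:00:05 srv sshd[803]: Failed password for admin from 192.0.2.10 port 41000 ssh2
Jan 10 03:00:09 srv sshd[804]: Failed password for admin from 192.0.2.10 port 41002 ssh2
Jan 10 03:00:12 srv sshd[805]: Failed password for admin from 192.0.2.10 port 41004 ssh2
Jan 10 03:00:20 srv sshd[806]: Failed password for invalid user test from 203.0.113.5 port 40112 ssh2
Jan 10 03:00:40 srv sshd[807]: Accepted publickey for alice from 192.0.2.44 port 52000 ssh2
Jan 10 03:01:10 srv sshd[808]: Failed password for root from 203.0.113.5 port 40114 ssh2
Jan 10 03:03:00 srv sshd[809]: Failed password for root from 198.51.100.7 port 50003 ssh2
Jan 10 03:06:00 srv sshd[810]: Failed password for root from 198.51.100.7 port 50005 ssh2
"""

# Simplified stand-in for the shipped sshd filter, which matches many more messages.
FAILURE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?\S+ from (\S+) port \d+")

def is_ignored(ip, ignore=IGNOREIP):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignore)

def find_bans(log_text, year=2024):
    """Return {ip: (ban_start, ban_end)}; syslog lines carry no year, so one is assumed."""
    recent, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if is_ignored(ip) or ip in bans:
            continue  # trusted host, or already banned
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # drop failures older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
    return bans
```

Only 203.0.113.5 is banned: 198.51.100.7 also fails three times, but its attempts are spaced 180 seconds apart and never share a 120-second window, and 192.0.2.10 is skipped because it is listed in ignoreip.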

Testing Fail2ban and email notification

Bash
systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshd

Do not forget to restart the Fail2ban service after every configuration change. The other two commands will inform you if Fail2ban works. The status switch shows the services that Fail2ban is watching. Use the status switch with the service name, “status sshd”, to see more information.

You can also create your own filters using regex. Filters are located in /etc/fail2ban/filter.d. Fail2ban ships with the most essential filters ready to use.

Real-World Example: How Email Notifications Revealed My Proxmox Server Banned by Fail2ban

Proxmox comes with sendmail already installed for email alerts. Many don’t know that sendmail looks for Postfix servers on your network and tries to connect to them.

I have a Postfix server at home that uses Fail2ban with email notifications. One day, I got an unexpected email alert. Surprise! My own Fail2ban setup was banning my Proxmox server.

Without these email alerts, I might never have noticed this problem. My servers would have been fighting each other silently for weeks.

The alerts showed me exactly what was happening: Proxmox’s sendmail was trying to connect to my Postfix server, and Fail2ban saw these attempts as suspicious.

The fix was simple. I just added my Proxmox server’s IP address to the “ignoreip” list in my Fail2ban settings:

This real example shows why email alerts for Fail2ban are so valuable. They don’t just warn you about hackers—they also help you spot when your devices aren’t playing nicely together.


I would love to get some feedback from you. Was this article helpful? Please share your opinion with me in the comment section below. Or, if you prefer a more personal touch, feel free to email me directly at info@edywerder.ch. Your thoughts and insights are always appreciated. Additionally, you can connect with me on Reddit at Navigatetech.

Before you go …

If you found the Fail2Ban email notification setup helpful, there’s more you can do to strengthen your server’s security. A great next step is implementing two-factor authentication for SSH access. It’s especially valuable for platforms like Proxmox or any Linux-based system where SSH is a key entry point.

For a clear walkthrough on adding this extra layer of protection, check out securing SSH with 2FA on Linux and Proxmox. It’s a practical way to stay one step ahead of unauthorized access.
