By Edy, Tech Expert & Blogger
You might think, “Oh no, not another “how-to” about installing Fail2ban. I admit there are a lot of instructions available. However, I could not find a clear guide on installing Fail2ban with email notification. I love Fail2ban and use it for several Linux servers. For me, receiving an email when Fail2ban triggers an action is important.
What is Fail2ban?
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker. For a fixed period of time or permanently. Fail2ban can also alert you by email about an ongoing attack.
How to install Fail2ban?
I’m demonstrating the installation on an Ubuntu server. It’s a pretty quick installation with not much to do.
Make sure your system is up to date
sudo apt-get update
sudo apt-get upgradeInstall Fail2ban
sudo apt install fail2banYou would also need to install email support on your server, such as Sendmail. Postfix is 100% compliant with Sendmail, so it works fine with Fail2ban.
Please also check that the time on your server is set correctly.
timedatectlIf not please check this blog.
Configure Fail2ban
The configuration files are in /etc/fail2ban. The basic configuration is in jail.conf. However, if you want to make changes, create jail.local. Fail2ban is configured such that settings in jail.local override settings in jail.conf. Furthermore, if you update Fail2ban later there is a chance that jail.conf could be overwritten, even as jail.local remains.
Configuration example for ssh with email notification
We all love using ssh to access our servers. But we are not the only ones. Hackers love ssh too. As a special tip, I recommend not using the default port 22. Use another port, configure your firewall and maybe your linux firewall too.
So here is an example jail.local for ssh with email support
[DEFAULT]
ignoreip = 127.0.0.0
bantime = 86400s
findtime = 120s
destemail = yourname@example.com
sender = yourname@examplecom
sendername = Fail2ban
mta = sendmail
action = %(action_mwl)s
[sshd]
enabled = true
port = 12522
filter = sshd
logpath = /var/log/auth.log
maxretry = 3Don’t even try, I don’t have ssh on port 12522. 🙂
bantime = The length of time in seconds for which an IP is banned. If set to a negative number, the ban will be permanent.
findtime = The length of time between login attempts before a ban is set.
maxretry = The number of attempts that can be made to access the server from a single IP before a ban is set.
action = the “mw” after the “action_” tells Fail2ban to send you emails. “mwl” attaches the logs too.
Testing Fail2ban and email notification
systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshdDo not forget to restart the Fail2ban service after every configuration change. The other two commands will inform you if Fail2ban works. The status switch shows the service Fail2ban is watching. Use the status switch and service name “status sshd” to see more information
You could create your filter using regex. Filters are located in /etc/fail2ban/filter.d. Fail2ban ships with the most essential filter ready to use.
Real-World Example: How Email Notifications Revealed My Proxmox Server Banned by Fail2ban
Proxmox comes with sendmail already installed for email alerts. Many don’t know that sendmail looks for postfix servers on your network and tries to connect to them.
I have a Postfix server at home that uses Fail2ban with email notifications. One day, I got an unexpected email alert. Surprise! My own Fail2ban setup was banning my Proxmox server.
Without these email alerts, I might never have noticed this problem. My servers would have been fighting each other silently for weeks.
The alerts showed me exactly what was happening: Proxmox’s sendmail was trying to connect to my Postfix server, and Fail2ban saw these attempts as suspicious.
The fix was simple. I just added my Proxmox server’s IP address to the “ignoreip” list in my Fail2ban settings:
This real example shows why email alerts for Fail2ban are so valuable. They don’t just warn you about hackers—they also help you spot when your devices aren’t playing nicely together.
I would love to get some feedback from you. Was this article helpful? Please share your opinion with me in the comment section below. Or, if you prefer a more personal touch, feel free to email me directly at info@edywerder.ch. Your thoughts and insights are always appreciated. Additionally, you can connect with me on Reddit at Navigatetech.
Before you go …
If you found the Fail2Ban email notification setup helpful, there’s more you can do to strengthen your server’s security. A great next step is implementing two-factor authentication for SSH access. It’s especially valuable for platforms like Proxmox or any Linux-based system where SSH is a key entry point.
For a clear walkthrough on adding this extra layer of protection, check out securing SSH with 2FA on Linux and Proxmox. It’s a practical way to stay one step ahead of unauthorized access.
Full Disclosure
Any purchases made from clicks on links to products on this page may result in an affiliate commission for me.
Please keep in mind that the quantity or price of items can change at any time.
As an Amazon Associate, I earn from qualifying purchases.
Als Amazon-Partner verdiene ich an qualifizierten Verkäufen
Tech Expert & Blogger
Hi, I’m Edy. With over 30 years of experience in the IT industry, I’ve tackled numerous tech challenges.
As a solopreneur, I write articles to fill the gaps I notice in my work and online.
My mission? To provide clear, step-by-step tech guidance and improve the information you find on the web
Enjoying the content?
