# Common Templates
These are essential templates that should be enabled on most servers.
## sshd
SSH brute force protection - the most important jail for any internet-facing server.
| Setting | Default |
|---|---|
| Port | 22 |
| Log Path | Auto-detected |
| Max Retry | 5 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
### How It Works
Monitors SSH authentication logs for failed login attempts:
- Password failures
- Invalid users
- Key authentication failures
Uses the built-in fail2ban sshd filter; the log path is auto-detected:
- /var/log/auth.log (Debian/Ubuntu)
- /var/log/secure (RHEL/CentOS)
### Configuration Tips
For High-Security Servers:
```yaml
maxretry: 3
bantime: 24h
```
For Servers with Key-Only Auth: Still enable the sshd jail. Password and invalid-user attempts against a key-only server are still logged as failures, so the jail bans persistent sources even though every one of their attempts is rejected.
## recidive
Bans repeat offenders - IPs that get banned multiple times get banned for longer.
| Setting | Default |
|---|---|
| Port | All ports |
| Log Path | /var/log/fail2ban.log |
| Max Retry | 3 |
| Find Time | 1 day |
| Ban Time | 1 week |
### How It Works
Monitors fail2ban's own log for ban events:
- IP gets banned by any jail (e.g., sshd)
- IP gets unbanned (ban time expires)
- IP gets banned again by any jail
- After 3 bans within 1 day → recidive ban for 1 week
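Both jails apply the same rule, a threshold of failures inside a sliding findtime window, to different logs: sshd reads SSH authentication failures, recidive reads fail2ban's own ban lines. The following is an added example, not code from this page or from the fail2ban project: a small Python re-implementation of that rule, run over constructed auth.log and fail2ban.log excerpts. The regexes are deliberately simplified stand-ins for fail2ban's real sshd and recidive filters, and the hosts, jail names and timestamps are made up.

```python
"""Added example (not fail2ban's own code): the sshd and recidive jail logic
from the page, run over constructed log lines. The regexes below are
simplified stand-ins for filter.d/sshd.conf and filter.d/recidive.conf."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sshd failregex: password failures, invalid users, key failures.
SSHD_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<host>[\d.]+)"
)
# Simplified recidive failregex: "Ban" lines from any jail except recidive itself.
RECIDIVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?!recidive\])\S+\] Ban (?P<host>[\d.]+)"
)

def parse_auth_log(lines, year=2024):
    """Yield (timestamp, host) for each sshd failure. syslog lines carry no
    year, so one is assumed (the constructed sample is dated 2024)."""
    for line in lines:
        m = SSHD_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"]

def parse_fail2ban_log(lines):
    """Yield (timestamp, host) for each ban recorded by a non-recidive jail."""
    for line in lines:
        m = RECIDIVE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"]

def evaluate_jail(events, maxretry, findtime):
    """fail2ban's core rule: a host is banned once it has `maxretry` failures
    inside a sliding `findtime` window. Older failures are forgotten and a
    ban resets the host's counter. Returns [(host, ban_time), ...]."""
    recent = defaultdict(deque)
    bans = []
    for ts, host in sorted(events):
        q = recent[host]
        while q and ts - q[0] > findtime:
            q.popleft()
        q.append(ts)
        if len(q) >= maxretry:
            bans.append((host, ts))
            q.clear()
    return bans

# Constructed /var/log/auth.log excerpt: one brute-forcer, one forgetful user.
AUTH_LOG = """\
Jan 10 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 web1 sshd[2002]: Invalid user admin from 203.0.113.5 port 51235
Jan 10 10:00:05 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 10 10:00:07 web1 sshd[2003]: Failed publickey for deploy from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:09 web1 sshd[2004]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 10 10:05:00 web1 sshd[2005]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 10:30:00 web1 sshd[2006]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 10:30:30 web1 sshd[2006]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
""".splitlines()

# Constructed /var/log/fail2ban.log excerpt: the same host banned three times
# in one day by two different jails (sshd, then nginx-http-auth).
FAIL2BAN_LOG = """\
2024-01-10 10:00:09,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-01-10 11:00:09,501 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-01-10 11:02:30,118 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-01-10 12:02:30,220 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-01-10 12:05:00,007 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 203.0.113.5
2024-01-10 12:05:00,250 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.5
2024-01-10 13:00:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
""".splitlines()

def sshd_bans(maxretry=5, findtime=timedelta(minutes=10)):
    """sshd jail with the page's defaults: 5 failures within 10 minutes."""
    return evaluate_jail(parse_auth_log(AUTH_LOG), maxretry, findtime)

def recidive_bans(maxretry=3, findtime=timedelta(days=1)):
    """recidive jail with the page's defaults: 3 bans within 1 day."""
    return evaluate_jail(parse_fail2ban_log(FAIL2BAN_LOG), maxretry, findtime)

if __name__ == "__main__":
    for host, when in sshd_bans():
        print(f"[sshd]     ban {host} at {when}")
    for host, when in recidive_bans():
        print(f"[recidive] ban {host} at {when} (all ports, 1 week)")
```

With the defaults, 203.0.113.5 is banned by sshd on its fifth failure and by recidive on its third ban of the day; 198.51.100.7 trips neither jail, because its two failures are 25 minutes apart and it has only one ban. Lowering sshd maxretry to 3 moves the ban to the third failure, which is the trade-off the high-security settings above make.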
### Configuration
Recidive uses %(banaction_allports)s which bans on all ports, not just the original service.
### Why Use Recidive?
- Escalating response: Repeat attackers face increasingly long bans
- Cross-jail protection: Attacker trying SSH then HTTP gets caught
- Reduces log noise: Long bans mean fewer repeat attacks
### Recommended Settings
Keep defaults - recidive is meant to catch persistent attackers:
```yaml
maxretry: 3   # 3 bans within a day
findtime: 1d  # Look back 1 day
bantime: 1w   # Ban for 1 week
```
## Recommendations
For any internet-facing server:
- Always enable sshd - Most attacked service
- Always enable recidive - Catches repeat offenders
- Consider lowering sshd maxretry - 3 to 5 attempts is reasonable
- Monitor ban frequency - A high number of bans may indicate a targeted attack