Set up Fail2ban and automatic security updates on Linux/Ubuntu | ComputeBox
VPS & Server
How to set up Fail2ban and automatic updates on Linux/Ubuntu
Two quick measures that make your server noticeably safer: Fail2ban bans persistent login bots, and automatic updates close security holes on their own.
As soon as your server is online, automated bots come knocking and try logins. Two small measures take the wind out of their sails: Fail2ban bans addresses that fail too often, and automatic updates close known security holes without you having to think about it. Both are set up in a few minutes.
9 minBeginnerTested on Ubuntu 24.04Updated 2026-06-17
In short
Install Fail2ban and add an sshd rule, then enable unattended-upgrades. After that the protection runs in the background.
If you have already switched SSH to key login, you are in good shape anyway. Fail2ban still keeps the logs clean and reduces the load from constant attempts.
Fail2ban reads the log files and automatically bans an IP when too many logins from it fail.
Install it:
Create your own configuration. The jail.local file overrides the defaults without an update resetting it:
Add a rule for SSH:
This means five failed attempts within ten minutes lead to a one-hour ban. Enable the service and start it:
Check that the SSH rule is active:
Adjust the ban time
For more peace and quiet you can raise bantime considerably, for example to 24h or 1w. With the option bantime.increment = true, Fail2ban automatically bans repeat offenders for longer and longer.
Installed updates are the simplest security measure there is. On Ubuntu and Debian, unattended-upgrades handles it.
In the prompt you confirm that security updates are installed automatically. From now on the system keeps itself up to date.
Updates sometimes need a reboot
Kernel updates only take effect after a reboot. Schedule an occasional reboot, or enable automatic reboot at a quiet time in /etc/apt/apt.conf.d/50unattended-upgrades.
It is not mandatory, but it is sensible. With key login, brute-force attempts are hopeless anyway, but Fail2ban keeps the logs clean and lowers the load from constant probing.
Can I protect other services too?
Yes. Fail2ban ships rules for many services, for example Nginx or mail servers. You enable them in jail.local following the same pattern as sshd.
Are automatic updates risky?
Pure security updates are very rarely a problem. On critical production systems you test larger upgrades first, but the daily security patches run automatically without trouble.