SERVER HARDENING
June 24, 2026

How to Install and Configure Fail2Ban to Stop Brute-Force Attacks

Author
CloudStick Team
Security Specialist

How Fail2Ban Works

Fail2Ban is a log-analysis daemon that reads service log files, applies regex filters to detect failed authentication attempts, and temporarily bans the offending IP address by adding a block rule via iptables (or UFW, nftables, etc.). When the ban expires, the IP is automatically removed from the block list.

The key components are jails (a combination of a filter and an action for a specific service), filters (regex patterns that match failure events in logs), and actions (what happens when a threshold is reached — typically an iptables ban). Fail2Ban ships with pre-built jails for SSH, Nginx, Apache, Postfix, and dozens of other services.

Install Fail2Ban on Ubuntu 24.04

PREREQUISITE: Fail2Ban requires Python 3 and a working rsyslog or journald setup. Both are present by default on Ubuntu 24.04.

sudo apt update
sudo apt install fail2ban -y
# Verify the service is running
sudo systemctl status fail2ban

Fail2Ban ships with a default SSH jail enabled immediately after install. You can confirm it is already watching SSH logs: sudo fail2ban-client status sshd should show the jail as active with a count of currently monitored IPs.

Configure Jails with jail.local

Never edit jail.conf directly — package updates will overwrite it. Instead, create a jail.local override file that takes precedence:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Edit the [DEFAULT] section to set your global ban policy:

[DEFAULT]
# Ban duration in seconds (3600 = 1 hour)
bantime = 3600
# Window to count failures (600 = 10 minutes)
findtime = 600
# Number of failures before banning
maxretry = 5
# Your own IPs — never ban these
ignoreip = 127.0.0.1/8 ::1 YOUR.IP.ADDRESS

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

After editing, reload: sudo systemctl reload fail2ban. The ignoreip setting is critical — add your own IP so you cannot accidentally ban yourself during testing.
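
To make the bantime, findtime and maxretry settings concrete, the following added example (not part of the original article and not Fail2Ban's own code) models the counting logic in Python over constructed log lines. The regex is a simplified stand-in for the sshd filter, and 198.51.100.7 is a placeholder for YOUR.IP.ADDRESS.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the [DEFAULT] section above; 198.51.100.7 stands in for YOUR.IP.ADDRESS.
BANTIME, FINDTIME, MAXRETRY = 3600, 600, 5
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "198.51.100.7/32")]
# Simplified stand-in for the sshd filter (assumption): one failure pattern only.
FAILREGEX = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def simulate(lines):
    """Return [(ip, ban_start, ban_end)] for ISO-timestamped auth log lines."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}              # ip -> expiry time of the current ban
    bans = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue               # non-matching lines never count as failures
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in IGNOREIP):
            continue               # ignoreip: never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue               # a banned host is already dropped at the firewall
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=FINDTIME):
            window.popleft()       # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

# Constructed sample log: three sources, none of them real traffic.
START = datetime(2026, 6, 24, 10, 0, 0)
def fail_line(offset, ip):
    ts = (START + timedelta(seconds=offset)).isoformat()
    return f"{ts} web1 sshd[1234]: Failed password for root from {ip} port 50000 ssh2"

SAMPLE = (
    [fail_line(20 * i, "203.0.113.9") for i in range(7)]      # 7 failures in 2 minutes
    + [fail_line(5 * i, "198.51.100.7") for i in range(6)]    # listed in ignoreip
    + [fail_line(180 * i, "192.0.2.44") for i in range(6)]    # never 5 inside 600 s
)

print(simulate(SAMPLE))
```

Only 203.0.113.9 is banned: the ignoreip source is never counted, and the source whose failures are 3 minutes apart never has 5 inside one 600-second window, which is the trade-off to weigh when choosing findtime and maxretry.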

Protect Nginx and WordPress Login

WordPress sites are a popular brute-force target via the wp-login.php endpoint. Add an Nginx jail to catch repeated HTTP 401/403 responses and ban the source IP. Add to jail.local:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 6

[nginx-botsearch]
enabled = true
filter = nginx-botsearch
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 2

Monitor Bans and Unban IPs

The fail2ban-client tool gives you real-time visibility into active jails and bans:

# View all active jails
sudo fail2ban-client status
# View details for a specific jail
sudo fail2ban-client status sshd
# Unban an IP from a jail
sudo fail2ban-client set sshd unbanip 192.168.1.100
# View Fail2Ban log
sudo tail -f /var/log/fail2ban.log

TIP: Use bantime = -1 for a permanent ban, or use increasing ban times with bantime.increment = true to make each subsequent ban from the same IP progressively longer.

CloudStick and Fail2Ban

CloudStick automatically configures Fail2Ban rules when installing its agent on a new server. SSH protection is enabled by default, and you can manage additional firewall and ban rules from the CloudStick dashboard's Firewall section without touching the command line.

For agencies managing multiple servers, this eliminates the need to manually configure Fail2Ban on each machine — the security baseline is consistent across every server connected to CloudStick, applied at provisioning time as part of the agent installation process.
