How to set up Fail2ban with nftables and AbuseIPDB


Post by Ozelot on 29/06/2025

Tags: Guide, Security

Intro

If you're running a Linux server, protecting it from brute-force attacks and other malicious activity is essential. In this guide, we'll walk you through configuring Fail2ban with nftables to block attackers and automatically report malicious IPs to AbuseIPDB.

Why nftables when I have iptables?

First, nftables is the modern replacement for iptables — it's the default firewall framework on Debian 10 and newer. It unifies IPv4 and IPv6 filtering, simplifies rule management, and fits better with modern Linux systems.

Debian 12 no longer installs iptables by default, so if you set up Fail2ban on a fresh Debian 12 system without explicitly installing iptables, Fail2ban will not be able to block any IPs — it will be useless with default configuration because no firewall backend is configured out of the box.

Of course, you can go ahead and install iptables, but in this guide we will focus on the modern, cleaner, and default choice for Debian 12.

Configuration

First, install Fail2ban with apt (or your distribution's package manager):

apt install fail2ban

Set up jail

You need to make some changes in /etc/fail2ban/jail.conf.

You can adjust bantime, findtime, and maxretry to your needs, or leave the default values, which are usually sufficient.

Then find the [sshd] section and make it look like this:

[sshd]

port = ssh
backend = systemd
action = nftables[name=SSH,port=ssh,protocol=tcp]
         abuseipdb[abuseipdb_category="18,22"]

Or, if you don't want to use AbuseIPDB, drop the abuseipdb line and keep only the nftables action:

action = nftables[name=SSH,port=ssh,protocol=tcp]

Now fail2ban will use nftables to ban malicious addresses.

Set up AbuseIPDB

Create or edit /etc/fail2ban/action.d/abuseipdb.conf:

[Definition]
# <matches> holds the log lines that triggered the ban; printf cuts them to
# 1000 characters for the report comment (%% is Fail2ban's escaped %).
# <ip> is the banned address and <abuseipdb_category> comes from the jail
# (18 = Brute-Force, 22 = SSH in AbuseIPDB's category list).
actionban = lgm=$(printf '%%.1000s' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" \
  -H "Accept: application/json" \
  -H "Key: <abuseipdb_apikey>" \
  --data-urlencode "comment=$lgm" \
  --data-urlencode "ip=<ip>" \
  --data "categories=<abuseipdb_category>"

[Init]
# Replace with the key from your AbuseIPDB account (see below).
abuseipdb_apikey = "your-abuseipdb-apikey-here"

You can generate your API key after logging into your AbuseIPDB account: AbuseIPDB -> User Account -> API.
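Before a real ban ever fires the action, it helps to know exactly what the curl call above will send and whether the API key is accepted. The following script is an added example, not part of the original post or of Fail2ban: build_report() reproduces the action's request (1000-character comment, URL-encoded form fields, the Key header) as a dry run without sending anything, and check_key() calls AbuseIPDB's read-only /api/v2/check endpoint, which validates the key without reporting any address. The sample log excerpt is constructed, and the API key placeholder is yours to fill in.

```python
"""Dry-run and key check for the Fail2ban AbuseIPDB action (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.abuseipdb.com/api/v2"
COMMENT_LIMIT = 1000  # the action truncates <matches> with printf '%.1000s'

# Constructed sample of what Fail2ban substitutes for <matches>: the log
# lines that triggered the ban, one per line.
SAMPLE_MATCHES = "\n".join(
    f"Jun 29 10:00:0{i} host sshd[1234]: Failed password for root "
    f"from 203.0.113.5 port 5{i}000 ssh2"
    for i in range(5)
)


def build_report(ip: str, matches: str, categories: str, api_key: str) -> dict:
    """Return the URL, headers and form body the action's curl call sends.

    Mirrors the actionban line: the log excerpt is cut to 1000 characters
    (printf counts bytes, which agrees for ASCII logs), the form fields are
    URL-encoded, and categories is the comma-separated abuseipdb_category
    value from the jail. Nothing is transmitted here.
    """
    fields = {"comment": matches[:COMMENT_LIMIT], "ip": ip, "categories": categories}
    return {
        "url": f"{API_BASE}/report",
        "headers": {"Accept": "application/json", "Key": api_key},
        "fields": fields,
        "body": urllib.parse.urlencode(fields),
    }


def check_key(api_key: str, ip: str = "127.0.0.1") -> int:
    """Validate the API key against the read-only /check endpoint.

    Returns the HTTP status code: 200 means the key is accepted, 401 means it
    is not. No report is created, so this is safe to run at any time.
    """
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": "90"})
    req = urllib.request.Request(
        f"{API_BASE}/check?{query}",
        headers={"Accept": "application/json", "Key": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            json.load(resp)  # the body is JSON; we only care that the call succeeded
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    api_key = "your-abuseipdb-apikey-here"  # placeholder, replace with your key
    report = build_report("203.0.113.5", SAMPLE_MATCHES, "18,22", api_key)
    print("POST", report["url"])
    for name, value in report["headers"].items():
        print(f"{name}: {value}")
    print(report["body"])
    print("key check HTTP status:", check_key(api_key))
```

Run it once with your real key: a 200 from check_key() confirms the key works, and the printed body is what each ban will report, so you can see the comment is limited to the first log lines and contains nothing you would rather not publish.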

Test your configuration

Finally, restart Fail2ban:

systemctl restart fail2ban

Then be sure to check the status:

systemctl status fail2ban

If everything is set up correctly, Fail2ban will block IPs that exceed allowed attempts via nftables, and report them to AbuseIPDB if configured.
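systemctl status only tells you the daemon is running; the real check is whether banned addresses land in the nftables set. The script below is an added example (not from the post or from Fail2ban) that reads the JSON output of nft -j list set and lists the addresses in the set, with the remaining timeout where the set uses one. The family, table and set names are assumptions taken from the defaults of Fail2ban's nftables action (inet, f2b-table, addr-set-<name>, so addr-set-SSH for the jail above); confirm them on your box with nft list ruleset. The embedded SAMPLE_JSON is constructed so the parser can be exercised offline.

```python
"""List addresses Fail2ban has banned through nftables (added example)."""
import json
import shutil
import subprocess

# Assumed defaults of Fail2ban's nftables action; check with `nft list ruleset`.
FAMILY = "inet"
TABLE = "f2b-table"
SET_NAME = "addr-set-SSH"  # set prefix + the name= given in the jail's action

# Constructed sample of `nft -j list set inet f2b-table addr-set-SSH`.
# Elements appear either as bare strings or, when the set has timeouts,
# as {"elem": {"val": ..., "timeout": ..., "expires": ...}}.
SAMPLE_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.6", "json_schema_version": 1}},
    {"set": {"family": "inet", "name": "addr-set-SSH", "table": "f2b-table",
             "type": "ipv4_addr", "handle": 3, "flags": ["timeout"],
             "elem": [
                 {"elem": {"val": "203.0.113.5", "timeout": 600, "expires": 412}},
                 {"elem": {"val": "198.51.100.7", "timeout": 600, "expires": 33}},
                 "192.0.2.250",
             ]}},
]})


def _element_address(val) -> str:
    """Render a set element value; prefixes come as {"prefix": {"addr", "len"}}."""
    if isinstance(val, dict) and "prefix" in val:
        return f'{val["prefix"]["addr"]}/{val["prefix"]["len"]}'
    return str(val)


def parse_set_elements(nft_json: str) -> list[dict]:
    """Return [{"addr": ..., "expires": seconds-or-None}, ...] from nft -j output."""
    doc = json.loads(nft_json)
    elements = []
    for obj in doc.get("nftables", []):
        nft_set = obj.get("set")
        if not nft_set:
            continue
        for elem in nft_set.get("elem", []):
            if isinstance(elem, dict) and "elem" in elem:
                inner = elem["elem"]
                elements.append({"addr": _element_address(inner["val"]),
                                 "expires": inner.get("expires")})
            else:
                elements.append({"addr": _element_address(elem), "expires": None})
    return elements


def is_banned(ip: str, nft_json: str) -> bool:
    """True if ip is currently an element of the set described by nft_json."""
    return any(e["addr"] == ip for e in parse_set_elements(nft_json))


def query_live_set(family: str = FAMILY, table: str = TABLE,
                   set_name: str = SET_NAME) -> str:
    """Run nft (needs root) and return its JSON for the given set."""
    if shutil.which("nft") is None:
        raise RuntimeError("nft binary not found; is nftables installed?")
    result = subprocess.run(["nft", "-j", "list", "set", family, table, set_name],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    try:
        output = query_live_set()
    except (RuntimeError, subprocess.CalledProcessError) as exc:
        print(f"could not read live set ({exc}); using constructed sample")
        output = SAMPLE_JSON
    for e in parse_set_elements(output):
        left = "no timeout" if e["expires"] is None else f'{e["expires"]}s left'
        print(f'{e["addr"]:<20} {left}')
```

An empty list right after a restart is normal; trigger the jail from a host you control with a few failed logins and run the script again. fail2ban-client status sshd shows the same addresses from Fail2ban's side, so if it lists a ban that the nftables set lacks, the action is misconfigured rather than the jail.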
