How to Configure Fail2Ban for Custom SSH Port: Complete Guide for System Administrators



When you change your default SSH port (usually 22) to a custom port for security reasons, Fail2Ban won't automatically detect this change. Fail2Ban still sees the failed logins in the authentication log, but the default configuration assumes port 22, so the ban rules it installs block port 22 while your custom SSH port remains reachable by the attacker. Until the jail is configured with the right port, the custom port is effectively unprotected against brute force attacks.

First, let's check the current Fail2Ban jail status:

sudo fail2ban-client status sshd

This should show you whether the SSH jail is active and which port it's monitoring. If it shows port 22 while your SSH runs on a different port, we need to make adjustments.

The most straightforward method is to edit your jail configuration. Never modify the default jail.conf directly - instead, use the local override file:

sudo nano /etc/fail2ban/jail.local

Add or modify the SSH section:

[sshd]
enabled = true
# replace 2222 with your custom SSH port
port    = 2222
filter  = sshd
logpath = /var/log/auth.log
maxretry = 5

You can specify ports in multiple ways:

  1. Single port: port = 2222
  2. Multiple ports: port = 2222,2223
  3. Port ranges: port = 2222:2225
  4. Service name (if defined in /etc/services): port = ssh-alternate

After making changes, always:

sudo fail2ban-client reload
sudo fail2ban-client status sshd

Check that the port number in the status output matches your custom SSH port.
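The same check, automated as an added example that is not part of the original article: it reads the Port directives from an sshd_config, reads the port value of the [sshd] section of a jail file (accepting the single, list, range and ssh service-name forms listed above), and reports any port sshd listens on that the jail would never ban. File paths are arguments and the sample files at the bottom are constructed, so it runs without touching /etc.

```shell
#!/bin/sh
# Added example, not from the original article: compares the ports sshd listens
# on (sshd_config) with the [sshd] jail's "port" value, the setting that decides
# which port a ban actually blocks. Paths are arguments, so it runs on samples.

# Port directives from an sshd_config, one per line (OpenSSH defaults to 22).
sshd_ports() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    if [ -n "$p" ]; then printf '%s\n' "$p"; else echo 22; fi
}

# "port" value in the [sshd] section of a jail file; "ssh" (= 22) is the upstream
# jail.conf default that applies when jail.local does not set one.
jail_port_spec() {
    spec=$(awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[sshd\][[:space:]]*$/) }
        insec && tolower($0) ~ /^[[:space:]]*port[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]#;].*$/, ""); print }' "$1")
    if [ -n "$spec" ]; then echo "$spec"; else echo ssh; fi
}

# Exit 0 if port $1 is covered by a spec like 2222, 2222,2223, 2222:2225 or ssh.
spec_covers() {
    port=$1
    echo "$2" | tr ',' '\n' | {
        while read -r item; do
            case $item in
                ssh) [ "$port" -eq 22 ] && exit 0 ;;
                *:*) [ "$port" -ge "${item%%:*}" ] && [ "$port" -le "${item##*:}" ] && exit 0 ;;
                *)   [ "$port" -eq "$item" ] 2>/dev/null && exit 0 ;;
            esac
        done
        exit 1
    }
}

# Exit 0 if every sshd port is covered; 1 if some port would never be banned.
check_jail_covers_sshd() {
    spec=$(jail_port_spec "$2"); rc=0
    for p in $(sshd_ports "$1"); do
        if spec_covers "$p" "$spec"; then echo "ok: sshd port $p is covered by port=$spec"
        else echo "GAP: sshd listens on $p but the jail bans port=$spec"; rc=1; fi
    done
    return $rc
}
# Constructed sample files: sshd moved to 4567, jail.local never given a port.
d=$(mktemp -d)
printf 'Port 4567\nPermitRootLogin no\n' > "$d/sshd_config"
printf '[DEFAULT]\nbantime = 1h\n\n[sshd]\nenabled = true\n' > "$d/jail.local"
check_jail_covers_sshd "$d/sshd_config" "$d/jail.local" || echo "status $?: fix port in jail.local"
```

On a real host, point the two arguments at /etc/ssh/sshd_config and /etc/fail2ban/jail.local; a GAP line means bans are being applied to a port SSH is not listening on.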

If Fail2Ban doesn't seem to be working with your custom port:

  • Verify your SSH service is actually logging to the specified logpath (on RHEL-family systems the file is /var/log/secure; on systems that log only to journald, set backend = systemd in the jail instead of a logpath)
  • Check that your iptables/nftables rules include the custom port
  • Test the filter with: sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

For a server using port 4567 for SSH, here's a complete jail.local example:

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 1h
findtime = 10m
maxretry = 3

[sshd]
enabled = true
port = 4567
filter = sshd
logpath = /var/log/auth.log
banaction = iptables-multiport

When running SSH on non-standard ports (anything other than 22), Fail2Ban requires explicit configuration so that the sshd filter reads the correct authentication log and the ban action blocks the port SSH actually listens on. The default configuration assumes port 22, which creates a security gap if not addressed: failed logins are still counted, but the resulting bans only block port 22.

First, verify your current jail settings:

sudo fail2ban-client status sshd

To modify the port setting, create or edit the local jail configuration:

sudo nano /etc/fail2ban/jail.local

Add or modify the SSH section (replace 2222 with your custom port):

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

After modifying the configuration, check that Fail2Ban creates proper iptables rules:

sudo iptables -L -n --line-numbers | grep -iE 'f2b|fail2ban'

You should see a chain for the jail (named f2b-sshd on current Fail2Ban versions, fail2ban-sshd on older ones) and a rule in the INPUT chain jumping to it for your custom port. If not, the service might need restarting:

sudo systemctl restart fail2ban

For servers listening on multiple SSH ports, use this configuration:

[sshd]
enabled = true
port = 2222,2223,2224
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Validate your regex patterns with:

sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Monitor Fail2Ban operations in real-time:

sudo tail -f /var/log/fail2ban.log