diff --git a/debian/fail2ban.default b/debian/fail2ban.default
index e317a468..ffa444f4 100644
--- a/debian/fail2ban.default
+++ b/debian/fail2ban.default
@@ -21,3 +21,19 @@
 # Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
 # valid options.
 FAIL2BAN_OPTS=""
+
+# Run fail2ban as a different user. If not set, fail2ban
+# will run as root.
+#
+# The user is not created automatically.
+# The user can be created e.g. with
+# useradd --system --no-create-home --home-dir / --groups adm fail2ban
+# Log files are readable by group adm by default. Adding the fail2ban
+# user to this group allows it to read the logfiles.
+#
+# Another manual step that needs to be taken is to allow write access
+# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban
+# script will change the ownership when starting fail2ban. Logrotate
+# needs to be configured seperately, see /etc/logrotate.d/fail2ban.
+#
+# FAIL2BAN_USER="fail2ban"
diff --git a/debian/fail2ban.init b/debian/fail2ban.init
index b0ed2c65..70a85f63 100755
--- a/debian/fail2ban.init
+++ b/debian/fail2ban.init
@@ -33,6 +33,9 @@ SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local
 # Exit if the package is not installed
 [ -x "$DAEMON" ] || exit 0
 
+# Run as root by default.
+FAIL2BAN_USER=root
+
 # Read configuration variable file if it is present
 [ -r /etc/default/$NAME ] && . /etc/default/$NAME
 DAEMON_ARGS="$FAIL2BAN_OPTS"
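Review bot: The new comment block explains how to make the log files readable and writable for a non-root user but says nothing about what the daemon can still do once it is no longer root; the init script in this same commit only hands it the `/proc/net/xt_recent/fail2ban-*` lists, so presumably only actions that write to those files keep working while actions that call iptables directly fail without root (worth confirming against the shipped actions before documenting it). I would add a sentence such as `# Note: a non-root fail2ban can only use actions that do not need root privileges, e.g. the xt_recent based ones.` just before the commented `FAIL2BAN_USER` line. The same block spells separately as `seperately`.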
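Review bot: The `FAIL2BAN_USER=root` default only covers the variable being unset; an empty `FAIL2BAN_USER=""` left in /etc/default/fail2ban survives the sourcing on the next lines, passes the `!= "root"` test in do_start and ends up as `--chuid ""`. Re-apply the default after the configuration file has been read, `FAIL2BAN_USER=${FAIL2BAN_USER:-root}`, or test for emptiness in do_start. The default file's own comment promises that an unset value means root, so this keeps the documented contract.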
@@ -103,7 +106,17 @@ do_start()
 	# Assure that /var/run/fail2ban exists
 	[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
 
-	start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
+	if [ "$FAIL2BAN_USER" != "root" ]; then
+		# Make the socket directory, IP lists and fail2ban log
+		# files writable by fail2ban
+		chown "$FAIL2BAN_USER" /var/run/fail2ban
+		# Create the logfile if it doesn't exist
+		touch /var/log/fail2ban.log
+		chown "$FAIL2BAN_USER" /var/log/fail2ban.log
+		find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
+	fi
+
+	start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
 		$DAEMON_ARGS start > /dev/null\
 		|| return 2
 
diff --git a/debian/fail2ban.logrotate b/debian/fail2ban.logrotate
index 78137684..7a4ed971 100644
--- a/debian/fail2ban.logrotate
+++ b/debian/fail2ban.logrotate
@@ -9,5 +9,9 @@
     postrotate
 	fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
     endscript
+
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
     create 640 root adm
 }
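Review bot: The `find /proc/net/xt_recent` line runs on every start with a non-root user, but that directory only exists while the xt_recent module is loaded, so hosts using other actions get a find error each start; and none of the chown calls are checked, so a failed ownership change is silently followed by a start-stop-daemon run as a user that cannot write its own socket directory. The `touch` also creates the log with the root umask (typically 0644) while the logrotate file in this same commit creates it as 0640, so creating it explicitly with that mode keeps the two consistent. do_start() begins before this hunk. A guarded version of the new block:
```shell
	if [ "$FAIL2BAN_USER" != "root" ]; then
		# Make the socket directory, IP lists and fail2ban log
		# files writable by fail2ban; refuse to start if that fails
		chown "$FAIL2BAN_USER" /var/run/fail2ban || return 2
		# Create the logfile if it doesn't exist, with the mode
		# /etc/logrotate.d/fail2ban uses for rotated files
		if [ ! -e /var/log/fail2ban.log ]; then
			touch /var/log/fail2ban.log && chmod 640 /var/log/fail2ban.log || return 2
		fi
		chown "$FAIL2BAN_USER" /var/log/fail2ban.log || return 2
		# xt_recent lists only exist while the module is loaded
		if [ -d /proc/net/xt_recent ]; then
			find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} +
		fi
	fi
	# … unchanged: start-stop-daemon call …
```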
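Review bot: With a non-root `FAIL2BAN_USER` the active `create 640 root adm` line still hands the rotated log back to root, and the `fail2ban-client set logtarget` in postrotate then asks a daemon that is only in group adm to reopen a file it can no longer write, so logging presumably stops until the next init restart; the new comment acknowledges the manual step, but the shipped default is the one that breaks. Instead of a commented alternative that hardcodes the user name, the postrotate script could read the same setting the init script uses, `[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban` followed by `chown "${FAIL2BAN_USER:-root}" /var/log/fail2ban.log` before the `fail2ban-client` line, so the user is configured in one place only.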