Configs · Apr 22, 2026 · 3 min read

Fail2Ban — Intrusion Prevention for SSH and Services

A daemon that scans log files for repeated authentication failures and automatically bans offending IP addresses via firewall rules.

Introduction

Fail2Ban monitors log files for patterns of repeated authentication failures and dynamically updates firewall rules to block offending IP addresses. It protects SSH, web servers, mail servers, and virtually any service that writes authentication events to a log file, acting as a lightweight intrusion prevention layer.

What Fail2Ban Does

  • Parses log files in real time using configurable regex filters
  • Bans IPs by adding DROP or REJECT rules to iptables, nftables, or firewalld
  • Supports time-based bans with automatic unban after a configurable period
  • Ships with pre-built filters for SSH, Apache, Nginx, Postfix, Dovecot, and dozens more
  • Sends email or webhook notifications when bans occur

Architecture Overview

Fail2Ban runs as a client-server pair. The server daemon (fail2ban-server) reads jail configurations that pair a log file path with a filter (regex pattern) and an action (firewall command). A polling loop tails each log file, matches lines against the filter, and when the failure threshold is exceeded within the find-time window, the action fires to ban the IP. The client CLI (fail2ban-client) communicates with the server over a Unix socket for status queries and manual ban/unban operations.

Self-Hosting & Configuration

  • Install from your distribution's package manager or via pip
  • Edit /etc/fail2ban/jail.local to override defaults without touching the shipped config
  • Set bantime, findtime, and maxretry per jail to tune sensitivity
  • Create custom filters in /etc/fail2ban/filter.d/ for application-specific log formats
  • Use fail2ban-regex to test filter patterns against real log samples before deploying
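To make the threshold logic from the architecture overview and the bantime, findtime, maxretry and ignoreip knobs above concrete, here is an added Python model of a single jail (illustrative code, not Fail2Ban's own): a `<HOST>`-style failregex, a per-IP sliding window of failures, and a whitelist, run over constructed sshd log lines. The regex, the `Jail` class, and the sample addresses are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Fail2Ban-style failregex: the <HOST> placeholder is expanded to an address group
# before compiling (IPv4 only here; the real tool also matches IPv6 and hostnames).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"
    .replace("<HOST>", HOST))

class Jail:
    """Toy jail: maxretry failures inside findtime seconds => ban for bantime seconds."""
    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]  # whitelist (ignoreip)
        self.failures = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
        self.bans = {}                      # ip -> epoch time at which the ban expires

    def process(self, line, now):
        """Feed one log line with its epoch timestamp; return the IP if a ban fires."""
        m = FAILREGEX.search(line)
        if not m:
            return None
        ip = m.group("host")
        if ip in self.bans or any(ipaddress.ip_address(ip) in n for n in self.ignore):
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None

    def banned(self, now):  # IPs still banned at `now`; expired bans are dropped
        self.bans = {ip: t for ip, t in self.bans.items() if t > now}
        return sorted(self.bans)

def demo():
    """Constructed sshd lines (not real logs) run through a jail with maxretry=3, findtime=600."""
    jail = Jail(maxretry=3, findtime=600, bantime=3600, ignoreip=["10.0.0.0/8"])
    fail = "sshd[1201]: Failed password for root from {} port 51022 ssh2"
    atk, ok = "203.0.113.7", "10.0.0.5"  # constructed sample addresses; ok is whitelisted
    events = [(0, atk), (30, atk), (100, ok), (110, ok), (120, ok),
              (700, atk), (720, atk), (740, atk)]  # by t=700 the t=0/30 failures have aged out
    bans = [(t, ip) for t, src in events if (ip := jail.process(fail.format(src), t))]
    return bans, jail
```

Only the third failure inside a single 600-second window triggers the ban, and the whitelisted address never does; `banned()` shows the ban lapsing once bantime has elapsed.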

Key Features

  • Incremental ban times automatically escalate for repeat offenders
  • Supports IPv4 and IPv6 banning across multiple firewall backends
  • Whitelisting prevents accidental lockout of trusted IPs and subnets
  • Persistent ban database survives restarts so previously banned IPs stay blocked
  • Minimal resource footprint makes it suitable for small VPS instances

Comparison with Similar Tools

  • CrowdSec — collaborative threat intelligence with shared blocklists, but heavier setup
  • SSHGuard — similar log-based banning focused primarily on SSH, less extensible
  • DenyHosts — SSH-only protection using TCP wrappers instead of firewall rules
  • CSF (ConfigServer Firewall) — broader server firewall suite with built-in brute-force detection

FAQ

Q: Will Fail2Ban lock me out of my own server? A: Add your IP to the ignoreip setting in jail.local. This whitelist prevents banning trusted addresses.

Q: Does it work with containers? A: Yes, but the container must share the host's network namespace or Fail2Ban must run on the host with access to the container's log files.

Q: How do I see all currently banned IPs? A: Run sudo fail2ban-client status <jail-name> to list banned IPs for a specific jail, or sudo fail2ban-client status to see all active jails.

Q: Can I ban permanently? A: Set bantime = -1 in the jail config to make bans permanent. Alternatively, use the recidive jail to escalate repeat offenders to longer bans.
