# Fail2Ban — Intrusion Prevention for SSH and Services

> A daemon that scans log files for repeated authentication failures and automatically bans offending IP addresses via firewall rules.

## Quick Use

```bash
# Install on Debian/Ubuntu
sudo apt install fail2ban

# Copy the shipped defaults to a local override file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Enable and start the service (on Debian/Ubuntu the sshd jail is enabled by default)
sudo systemctl enable --now fail2ban

# Check the sshd jail: matched failures and currently banned IPs
sudo fail2ban-client status sshd
```

## Introduction

Fail2Ban monitors log files for patterns of repeated authentication failures and dynamically updates firewall rules to block offending IP addresses. It protects SSH, web servers, mail servers, and virtually any service that writes authentication events to a log file, acting as a lightweight intrusion prevention layer.

## What Fail2Ban Does

- Parses log files in real time using configurable regex filters
- Bans IPs by adding DROP or REJECT rules to iptables, nftables, or firewalld
- Supports time-based bans with automatic unban after a configurable period
- Ships with pre-built filters for SSH, Apache, Nginx, Postfix, Dovecot, and dozens more
- Sends email or webhook notifications when bans occur

## Architecture Overview

Fail2Ban runs as a client-server pair. The server daemon (`fail2ban-server`) reads jail configurations that pair a log file path with a filter (regex pattern) and an action (firewall command). A polling loop tails each log file, matches lines against the filter, and when the failure threshold (`maxretry`) is exceeded within the find-time window (`findtime`), the action fires to ban the IP. The client CLI (`fail2ban-client`) communicates with the server over a Unix socket for status queries and manual ban/unban operations.
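To make the jail loop above concrete, here is an added Python illustration (not Fail2Ban's own code) that replays a constructed sshd log through a filter.d-style `failregex`, a `findtime` sliding window, a `maxretry` threshold and an `ignoreip` allow-list, and reports which addresses the action would have banned. The simplified regex, the sample log lines and the 2024 year placeholder are assumptions made for the example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sshd log sample in syslog format; not taken from any real host.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 12:00:09 host sshd[1002]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 12:00:15 host sshd[1003]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 10 12:00:20 host sshd[1004]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Mar 10 12:00:31 host sshd[1005]: Failed password for invalid user test from 192.0.2.10 port 40011 ssh2
Mar 10 12:00:44 host sshd[1006]: Failed password for invalid user test from 192.0.2.10 port 40012 ssh2
Mar 10 12:00:58 host sshd[1007]: Failed password for invalid user test from 192.0.2.10 port 40013 ssh2
Mar 10 12:01:00 host sshd[1008]: Failed password for root from 198.51.100.4 port 6000 ssh2
Mar 10 12:30:00 host sshd[1009]: Failed password for root from 198.51.100.4 port 6001 ssh2
Mar 10 12:59:00 host sshd[1010]: Failed password for root from 198.51.100.4 port 6002 ssh2
"""

# Simplified filter.d-style failregex (assumption; the shipped sshd filter is far more thorough).
SSHD_FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2"

def compile_failregex(failregex):
    """Expand the <HOST> token into a named capture group, as Fail2Ban filters do."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

def evaluate_jail(log_text, failregex, maxretry, findtime, ignoreip=()):
    """Replay a log through one jail's rules and return {host: ban_time_iso}."""
    pattern = compile_failregex(failregex)
    allow = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(list)  # host -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue  # not a failure line for this filter
        host = m.group("host")
        # Syslog timestamps carry no year; 2024 is an arbitrary placeholder.
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2024)
        if any(ipaddress.ip_address(host) in net for net in allow):
            continue  # ignoreip: trusted addresses are never banned
        # Keep only failures inside the findtime window ending at this line.
        window = [t for t in failures[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts.isoformat()  # the ban action would fire here
            failures[host] = []  # counter resets once the ban is applied
    return bans
```

With `maxretry=3` and `findtime=600`, only 203.0.113.7 is banned: 192.0.2.10 is protected by `ignoreip`, and 198.51.100.4 never accumulates three failures inside one ten-minute window.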
## Self-Hosting & Configuration

- Install from your distribution's package manager or via pip
- Edit `/etc/fail2ban/jail.local` to override defaults without touching the shipped config
- Set `bantime`, `findtime`, and `maxretry` per jail to tune sensitivity
- Create custom filters in `/etc/fail2ban/filter.d/` for application-specific log formats
- Use `fail2ban-regex` to test filter patterns against real log samples before deploying

## Key Features

- Incremental ban times automatically escalate for repeat offenders
- Supports IPv4 and IPv6 banning across multiple firewall backends
- Whitelisting prevents accidental lockout of trusted IPs and subnets
- Persistent ban database survives restarts so previously banned IPs stay blocked
- Minimal resource footprint makes it suitable for small VPS instances

## Comparison with Similar Tools

- **CrowdSec** — collaborative threat intelligence with shared blocklists, but heavier setup
- **SSHGuard** — similar log-based banning focused primarily on SSH, less extensible
- **DenyHosts** — SSH-only protection using TCP wrappers instead of firewall rules
- **CSF (ConfigServer Firewall)** — broader server firewall suite with built-in brute-force detection

## FAQ

**Q: Will Fail2Ban lock me out of my own server?**
A: Add your IP to the `ignoreip` setting in `jail.local`. This whitelist prevents banning trusted addresses.

**Q: Does it work with containers?**
A: Yes, but the container must share the host's network namespace or Fail2Ban must run on the host with access to the container's log files.

**Q: How do I see all currently banned IPs?**
A: Run `sudo fail2ban-client status <jail>` to list banned IPs for a specific jail, or `sudo fail2ban-client status` to see all active jails.

**Q: Can I ban permanently?**
A: Set `bantime = -1` in the jail config to make bans permanent. Alternatively, use the `recidive` jail to escalate repeat offenders to longer bans.
## Sources

- https://github.com/fail2ban/fail2ban
- https://www.fail2ban.org/

---

Source: https://tokrepo.com/en/workflows/c6951db1-3e47-11f1-9bc6-00163e2b0d79
Author: AI Open Source