Fail2ban
Fail2ban is an intrusion prevention software framework that protects Linux servers against brute-force attacks and malicious login attempts. It scans log files (like /var/log/auth.log or /var/log/nginx/access.log) for repeated failed authentication attempts and temporarily bans offending IP addresses by updating firewall rules. It is the standard first line of defence for SSH, web servers, email services, and any service that logs authentication failures.
Key Features
- Log-based attack detection — Monitors system and application logs for patterns of repeated failed authentication attempts
- Automatic IP banning — Updates firewall rules (iptables, nftables, or firewalld) to block offending IP addresses temporarily
- Configurable thresholds — Set max retry attempts, find time window, and ban duration independently per service
- Service-specific filters — Built-in filters for SSH, Apache, Nginx, Postfix, Dovecot, ProFTPd, vsftpd, Asterisk, and dozens more
- Email notifications — Send alerts when IPs are banned or unbanned, with full log excerpts
- Flexible ban actions — Supports iptables/nftables reject, Cloudflare API ban via custom action scripts, and hosts.deny updates
- Automatic unbanning — Bans expire after a configurable period, so legitimate users with temporary config issues are not locked out permanently
- IPv4 and IPv6 support — Handles both address families with separate jails if needed
- Whitelist support — Permanently exclude specific IPs or IP ranges from banning (essential for trusted networks and monitoring systems)
Why Use Fail2ban?
If you run a public-facing Linux server, automated brute-force attacks will begin within hours of going online. Fail2ban detects and blocks these attacks automatically, reducing authentication attempts from thousands per day to zero — with no manual monitoring required. It is lightweight, easy to configure, and one of the most effective security tools you can install.
Use Cases
- SSH brute-force protection — Block automated login attempts against SSH on port 22, the single most attacked service on the public internet
- Web application security — Protect WordPress, Nextcloud, and other web app login pages from brute-force and dictionary attacks
- Mail server protection — Block repeated failed SMTP, IMAP, and POP3 authentication attempts
- API abuse prevention — Create custom jail filters for API rate limiting at the firewall level
Platform
Linux · macOS (BSD port available)
Licence
GPL v2
Website
http://www.fail2ban.org
Views: 1