System Administration

Excellent System Utilities: Fail2ban – ban hosts that cause multiple authentication errors

Last Updated on May 28, 2022

In Operation

Fail2ban can monitor a variety of protocols including SSH, HTTP, and SMTP. The software comes out-of-the-box ready to read many standard log files and is easily configured to read any log file of your choosing, for any error you wish.

The software is primarily focused on SSH attacks. You can setup Fail2Ban to provide brute-force protection for SSH on your server. This ensures that your server is secure from brute-force attacks. It also allows you to monitor the strength of the attacks in regards to the number of authentication attempts that are being made.

Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access. When an attempted compromise is located, using the defined parameters, Fail2ban adds a new rule to iptables to block the IP address of the attacker, either for a configurable amount of time, or permanently. Fail2ban can also alert you through email that an attack is occurring.

Fail2Ban is extensible, allowing for the creation of unique search patterns and response behaviors.

Features include:

  • Python based actions.
  • Database support.
  • Multi-line parsing in filters.
  • Custom date time support for filters.
  • Timezone awareness by default.
  • Timeout on ban commands.
  • Character set awareness in log files.
  • Client/Server architecture. The Server daemon monitors log file(s) and executes actions when a host is to be banned. The configuration of the Server is done by the Client which handles reading of configuration files. Communication between the Client and the Server is done through a socket. A protocol is defined. This allows dynamic reconfiguration of the Server and communication with it in order to retrieves, per example, statistics.
  • Multi-threaded.
  • Highly configurable using split configuration files.
  • Gamin/Pyinotify support. Gamin is a file and directory monitoring system defined to be a subset of the FAM (File Alteration Monitor) system.
  • Parses log files and look for given patterns.
  • Executes command(s) when a pattern has been detected for the same IP address for more than X times to ban that address. X can be changed. After a given amount of time, execute another command in order to unban the IP address.
  • Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other firewalls/actions.
  • Handles log files rotation.
  • Can handle multiple services at once (sshd, Apache, qmail, asterisk, vsftpd, etc).
  • Resolves DNS hostname to IP address.

Next page: Page 3 – Summary

Pages in this article:
Page 1 – Introduction / Installation
Page 2 – In Operation
Page 3 – Summary

Complete list of articles in this series:

Essential System Tools
AlacrittyInnovative, hardware-accelerated terminal emulator
BleachBitSystem cleaning software. Quick and easy way to service your computer
bottomGraphical process/system monitor for the terminal
btop++Monitor usage and stats for CPU, memory, disks, network and processes
catfishVersatile file searching software
ClonezillaPartition and disk cloning software
CPU-XSystem profiler with both a GUI and text-based
CzkawkaFind duplicate files, big files, empty files, similar images, and much more
ddrescueData recovery tool, retrieving data from failing drives as safely as possible
dustMore intuitive version of du written in Rust
f3Detect and fix counterfeit flash storage
Fail2banBan hosts that cause multiple authentication errors
fdupesFind or delete duplicate files
FirejailRestrict the running environment of untrusted applications
GlancesCross-platform system monitoring tool written in Python
GPartedResize, copy, and move partitions without data
GreenWithEnvyNVIDIA graphics card utility
gtopSystem monitoring dashboard
gWakeOnLANTurn machines on through Wake On LAN
hyperfineCommand-line benchmarking tool
inxiCommand-line system information tool that's a time-saver for everyone
journalctlQuery and display messages from the journal
kmonManage Linux kernel modules with this text-based tool
KrusaderAdvanced, twin-panel (commander-style) file manager
NeofetchSystem information tool written in Bash
NmapNetwork security tool that builds a "map" of the network
nmonSystems administrator, tuner, and benchmark tool
nnnPortable terminal file manager that's amazingly frugal
petSimple command-line snippet manager
PingnooGraphical representation for traceroute and ping output
ps_memAccurate reporting of software's memory consumption
SMCMulti-featured system monitor written in Python
TimeshiftReliable system restore tool
QDirStatQt-based directory statistics
QJournalctlGraphical User Interface for systemd’s journalctl
TLPMust-have tool for anyone running Linux on a notebook
UnisonConsole and graphical file synchronization software
VeraCryptStrong disk encryption software
VentoyCreate bootable USB drive for ISO, WIM, IMG, VHD(x), EFI files
WTFPersonal information dashboard for your terminal
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments