Last Updated on May 28, 2022
In Operation
Fail2ban can monitor a variety of protocols including SSH, HTTP, and SMTP. The software comes out-of-the-box ready to read many standard log files and is easily configured to read any log file of your choosing, for any error you wish.
The software is primarily focused on SSH attacks. You can setup Fail2Ban to provide brute-force protection for SSH on your server. This ensures that your server is secure from brute-force attacks. It also allows you to monitor the strength of the attacks in regards to the number of authentication attempts that are being made.
Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access. When an attempted compromise is located, using the defined parameters, Fail2ban adds a new rule to iptables to block the IP address of the attacker, either for a configurable amount of time, or permanently. Fail2ban can also alert you through email that an attack is occurring.
Fail2Ban is extensible, allowing for the creation of unique search patterns and response behaviors.
Features include:
- Python based actions.
- Database support.
- Multi-line parsing in filters.
- Custom date time support for filters.
- Timezone awareness by default.
- Timeout on ban commands.
- Character set awareness in log files.
- Client/Server architecture. The Server daemon monitors log file(s) and executes actions when a host is to be banned. The configuration of the Server is done by the Client which handles reading of configuration files. Communication between the Client and the Server is done through a socket. A protocol is defined. This allows dynamic reconfiguration of the Server and communication with it in order to retrieves, per example, statistics.
- Multi-threaded.
- Highly configurable using split configuration files.
- Gamin/Pyinotify support. Gamin is a file and directory monitoring system defined to be a subset of the FAM (File Alteration Monitor) system.
- Parses log files and look for given patterns.
- Executes command(s) when a pattern has been detected for the same IP address for more than X times to ban that address. X can be changed. After a given amount of time, execute another command in order to unban the IP address.
- Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other firewalls/actions.
- Handles log files rotation.
- Can handle multiple services at once (sshd, Apache, qmail, asterisk, vsftpd, etc).
- Resolves DNS hostname to IP address.
Pages in this article:
Page 1 – Introduction / Installation
Page 2 – In Operation
Page 3 – Summary
Complete list of articles in this series:
| Essential System Tools | |
|---|---|
| Alacritty | Innovative, hardware-accelerated terminal emulator |
| BleachBit | System cleaning software. Quick and easy way to service your computer |
| bottom | Graphical process/system monitor for the terminal |
| btop++ | Monitor usage and stats for CPU, memory, disks, network and processes |
| catfish | Versatile file searching software |
| Clonezilla | Partition and disk cloning software |
| CPU-X | System profiler with both a GUI and text-based |
| Czkawka | Find duplicate files, big files, empty files, similar images, and much more |
| ddrescue | Data recovery tool, retrieving data from failing drives as safely as possible |
| dust | More intuitive version of du written in Rust |
| f3 | Detect and fix counterfeit flash storage |
| Fail2ban | Ban hosts that cause multiple authentication errors |
| fdupes | Find or delete duplicate files |
| Firejail | Restrict the running environment of untrusted applications |
| Glances | Cross-platform system monitoring tool written in Python |
| GParted | Resize, copy, and move partitions without data |
| GreenWithEnvy | NVIDIA graphics card utility |
| gtop | System monitoring dashboard |
| gWakeOnLAN | Turn machines on through Wake On LAN |
| hyperfine | Command-line benchmarking tool |
| inxi | Command-line system information tool that's a time-saver for everyone |
| journalctl | Query and display messages from the journal |
| kmon | Manage Linux kernel modules with this text-based tool |
| Krusader | Advanced, twin-panel (commander-style) file manager |
| Neofetch | System information tool written in Bash |
| Nmap | Network security tool that builds a "map" of the network |
| nmon | Systems administrator, tuner, and benchmark tool |
| nnn | Portable terminal file manager that's amazingly frugal |
| pet | Simple command-line snippet manager |
| Pingnoo | Graphical representation for traceroute and ping output |
| ps_mem | Accurate reporting of software's memory consumption |
| SMC | Multi-featured system monitor written in Python |
| Timeshift | Reliable system restore tool |
| QDirStat | Qt-based directory statistics |
| QJournalctl | Graphical User Interface for systemd’s journalctl |
| TLP | Must-have tool for anyone running Linux on a notebook |
| Unison | Console and graphical file synchronization software |
| VeraCrypt | Strong disk encryption software |
| Ventoy | Create bootable USB drive for ISO, WIM, IMG, VHD(x), EFI files |
| WTF | Personal information dashboard for your terminal |