Fail2Ban is a log-parsing application designed to protect network services from brute-force attacks. It runs as a background daemon, monitoring system logs such as /var/log/auth.log or /var/log/nginx/error.log for patterns indicating failed authentication attempts or unauthorized access probes.
When a specific IP address exceeds a predefined threshold of failures within a set timeframe, Fail2Ban automatically modifies firewall rules using iptables, nftables, or firewalld to drop incoming traffic from that source. This proactive approach prevents attackers from exhausting server resources or gaining access through sheer persistence in guessing credentials.
How it works
The system operates through "jails," which combine a filter (regex patterns to match log entries) and an action (scripts to execute for banning). Administrators define key parameters: bantime for the block duration, findtime for the observation window, and maxretry for the failure limit before a ban is triggered.
Deploying it is standard practice for securing SSH, Dovecot, and web applications. For instance, setting maxretry = 3 and bantime = 3600 ensures that any bot attempting to guess a password is blocked for one hour after the third failed attempt, significantly reducing the infrastructure's exposure to brute-force attacks.
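As an added illustration (not Fail2Ban's own code), the following Python script replays the jail logic described above over constructed auth.log lines: a filter regex written with the <HOST> placeholder, a findtime sliding window per source address, and a ban issued once maxretry failures fall inside it. The <HOST> expansion is simplified to IPv4 only, and the log year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format sshd writes to /var/log/auth.log (addresses from RFC 5737 test ranges).
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 10 12:00:04 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 10 12:00:07 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Jan 10 12:00:09 host sshd[1204]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 10 12:30:00 host sshd[1205]: Failed password for root from 198.51.100.9 port 41000 ssh2
Jan 10 13:00:00 host sshd[1206]: Failed password for root from 198.51.100.9 port 41001 ssh2
Jan 10 13:30:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 41002 ssh2
"""

# A filter's failregex, written with Fail2Ban's <HOST> placeholder. Here it is expanded to a
# simplified IPv4 group only; the real placeholder also matches IPv6 addresses and hostnames.
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2"
FAILREGEX = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

def parse_ts(line, year=2024):
    """Syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)

def scan(lines, findtime=600, maxretry=3, bantime=3600):
    """Replay log lines through one jail; return {host: ban expiry} for every ban issued."""
    failures = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue                # not a failure line: the filter ignores it
        host, ts = m.group("host"), parse_ts(line)
        if host in bans and ts < bans[host]:
            continue                # traffic is dropped while the ban lasts; nothing new to count
        window = failures[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()        # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)   # the action (e.g. an iptables DROP) would run here
            window.clear()
    return bans

if __name__ == "__main__":
    for host, until in scan(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} until {until:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is banned; 198.51.100.9 fails three times too, but thirty minutes apart, so its failures never accumulate inside a 600-second findtime.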