Frequently Asked Question
What does fail2ban actually do, and is it still worth running?
Fail2ban is a small Python daemon that tails log files (sshd, nginx, postfix, etc.),
matches failed-login patterns with regular expressions defined in filter.d/, counts
hits per source IP, and when a threshold is exceeded calls a firewall action, usually
an iptables or nftables rule, that drops further packets from that address for a
configurable ban time. The whole machinery is configured under /etc/fail2ban/, with
site overrides in jail.local rather than the shipped jail.conf.
It is still worth running on any internet-facing server, even if password authentication is disabled. The log noise from brute-force scanners makes real incidents harder to spot, and a one-hour ban after three failed attempts costs the attacker effort while costing you almost nothing. It also defends services that you cannot easily switch to key-based authentication (web admin panels, IMAP, FTP) if you write custom jails for their logs.
Fail2ban will not stop a determined adversary with a botnet of clean IPs, and it is not a substitute for least-privilege configuration, keys-only SSH, or patching. Treat it as one cheap layer in a defence-in-depth strategy, not the whole defence.
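The following is an added example, not fail2ban's own code, that models the loop described above: a fail2ban-style failregex with a `<HOST>` placeholder is compiled, sshd log lines (constructed for this example) are matched, failures are counted per source IP inside a sliding findtime window, and once maxretry is reached a ban action is emitted. The action is returned as an iptables command string rather than executed, and the regex, class and function names are this example's own, not fail2ban's API.

```python
"""Simplified model of fail2ban's filter/jail loop (added example, not fail2ban code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> placeholder: captures an IPv4 or IPv6 address.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Translate a fail2ban-style failregex containing <HOST> into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


# Hypothetical pattern in the spirit of filter.d/sshd.conf (constructed, not the shipped filter).
SSHD_FAILREGEX = compile_failregex(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$"
)


def parse_syslog_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


class Jail:
    """One jail: a failregex plus maxretry / findtime / bantime, as in jail.local."""

    def __init__(self, failregex, maxretry=3, findtime=600, bantime=3600, year=2024):
        self.failregex = failregex
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.year = year
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.bans = {}                       # host -> datetime when the ban expires

    def ban_action(self, host: str) -> str:
        # Illustrative firewall action; a real actionban would run this via the shell.
        return f"iptables -I INPUT -s {host} -j DROP"

    def feed(self, line: str):
        """Process one log line; return a ban action string if a ban is triggered."""
        m = self.failregex.match(line)
        if not m:
            return None
        host = m.group("host")
        now = parse_syslog_ts(m.group("ts"), self.year)
        # Expire a finished ban before counting new failures from that host.
        if host in self.bans and self.bans[host] <= now:
            del self.bans[host]
        if host in self.bans:
            return None  # packets from a banned host are already being dropped
        window = self.failures[host]
        window.append(now)
        # Drop failures older than findtime so slow, spaced-out attempts do not accumulate.
        while window and now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            window.clear()
            return self.ban_action(host)
        return None

    def banned_hosts(self):
        return sorted(self.bans)


def run_jail(log_text: str, jail: Jail):
    """Feed every line of a log to the jail and collect the actions it fires."""
    actions = []
    for line in log_text.splitlines():
        action = jail.feed(line)
        if action:
            actions.append(action)
    return actions


# Constructed sample log: one fast brute-force burst and one slow, spaced-out attempt.
SAMPLE_LOG = """\
Jan 12 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 12 10:00:05 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 40123 ssh2
Jan 12 10:00:09 host1 sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 50000 ssh2
Jan 12 10:00:12 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jan 12 10:30:00 host1 sshd[1300]: Failed password for root from 198.51.100.9 port 41000 ssh2
Jan 12 10:45:00 host1 sshd[1301]: Failed password for root from 198.51.100.9 port 41001 ssh2
Jan 12 11:00:00 host1 sshd[1302]: Failed password for root from 198.51.100.9 port 41002 ssh2
"""

if __name__ == "__main__":
    jail = Jail(SSHD_FAILREGEX)
    for action in run_jail(SAMPLE_LOG, jail):
        print(action)
    print("banned:", jail.banned_hosts())
```

With maxretry=3 and findtime=600, the three failures from 203.0.113.7 within eleven seconds trigger a ban, while the three from 198.51.100.9 spaced fifteen minutes apart never accumulate inside the window, which is why findtime should be chosen with the service's expected retry pace in mind. A custom jail for IMAP, FTP or a web admin panel is the same loop with a different failregex and timestamp parser written for that service's log format.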