Glossary

fail2ban

fail2ban is a daemon that watches log files for failed login attempts and other signs of attack, then temporarily bans the offending IP address via firewall rules. It is the low-effort first line of defence against brute-force attacks on SSH, web authentication, and other exposed services.

Configuration lives under /etc/fail2ban/. The packaged file, jail.conf, defines the defaults and the available "jails"—each combining a log file, a filter (a regex in filter.d/ that matches the bad lines and extracts the offending host) and an action (typically iptables, nftables or firewalld rules that drop traffic from that host). Do not edit jail.conf itself, since package upgrades overwrite it; enable and tune a jail in /etc/fail2ban/jail.local or a drop-in under /etc/fail2ban/jail.d/*.conf, which override the defaults:

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 1h
findtime = 10m

The logpath above is the Debian/Ubuntu location; RHEL-family systems write to /var/log/secure, and hosts that log only to the systemd journal should set backend = systemd instead of a logpath. After restarting fail2ban, check that the jail is running and which addresses it has banned (the second command lists them); the third lifts a ban by hand:

sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo fail2ban-client set sshd unbanip 1.2.3.4
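The jail mechanics above (filter regex, findtime window, maxretry threshold, bantime expiry, ignoreip whitelist) are easy to misjudge, so here is a small model of them run over constructed auth.log lines. This is an added example, not fail2ban's own code: the failregex is a simplified stand-in for the real sshd filter in /etc/fail2ban/filter.d/sshd.conf, the log lines are made up (documentation addresses only), and syslog timestamps are parsed without a year, which is fine for the relative comparisons done here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH lines in /var/log/auth.log format (not a real capture).
# 203.0.113.7: fast brute force; 198.51.100.20: an admin mistyping a password;
# 192.0.2.50: a slow attacker spacing attempts further apart than findtime.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:07 host sshd[1237]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:00:09 host sshd[1238]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:11 host sshd[1239]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:00:13 host sshd[1240]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:05:00 host sshd[1241]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Mar  3 10:05:10 host sshd[1242]: Failed password for bob from 198.51.100.20 port 40004 ssh2
Mar  3 10:05:20 host sshd[1243]: Failed password for bob from 198.51.100.20 port 40006 ssh2
Mar  3 10:05:30 host sshd[1244]: Failed password for bob from 198.51.100.20 port 40008 ssh2
Mar  3 10:05:40 host sshd[1245]: Failed password for bob from 198.51.100.20 port 40010 ssh2
Mar  3 10:20:00 host sshd[1246]: Failed password for root from 192.0.2.50 port 33000 ssh2
Mar  3 10:35:00 host sshd[1247]: Failed password for root from 192.0.2.50 port 33002 ssh2
Mar  3 11:15:00 host sshd[1248]: Failed password for root from 192.0.2.50 port 33004 ssh2
"""

# Simplified failregex (assumption: the real sshd filter is far more complete).
# The named group "host" plays the role of fail2ban's <HOST> placeholder.
SSHD_FAILREGEX = (r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                  r"from (?P<host>\S+) port \d+ ssh2")


def parse_syslog_time(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog stamp (year left at the default)."""
    return datetime.strptime(" ".join(line[:15].split()), "%b %d %H:%M:%S")


class Jail:
    """Models one fail2ban jail: sliding findtime window, maxretry threshold, bantime expiry."""

    def __init__(self, failregex, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.failregex = re.compile(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # host -> timestamps of failures inside findtime
        self.bans = {}                      # host -> time the ban expires
        self.events = []                    # (HH:MM:SS, "ban" | "unban", host)

    def feed(self, when, line):
        # Expire bans whose bantime has elapsed (fail2ban does this on its own timer).
        for host, until in list(self.bans.items()):
            if when >= until:
                del self.bans[host]
                self.events.append((when.strftime("%H:%M:%S"), "unban", host))
        m = self.failregex.search(line)
        if not m:
            return  # not a failure line (e.g. a successful login)
        host = m.group("host")
        if host in self.ignoreip or host in self.bans:
            return  # whitelisted, or already dropped by the firewall
        window = self.failures[host]
        window.append(when)
        while window and when - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[host] = when + self.bantime
            self.events.append((when.strftime("%H:%M:%S"), "ban", host))
            window.clear()


def run_jail(log_text, ignoreip=()):
    """Replay constructed log lines through a jail with the page's sshd settings."""
    jail = Jail(SSHD_FAILREGEX, maxretry=5, findtime=600, bantime=3600, ignoreip=ignoreip)
    for line in log_text.splitlines():
        jail.feed(parse_syslog_time(line), line)
    return jail.events


if __name__ == "__main__":
    for event in run_jail(SAMPLE_LOG):
        print(*event)
    print("with ignoreip:")
    for event in run_jail(SAMPLE_LOG, ignoreip=("198.51.100.20",)):
        print(*event)
```

Replaying the log shows three things a practitioner should take from the settings: the burst from 203.0.113.7 is banned on its fifth failure within findtime, the admin at 198.51.100.20 is banned just the same unless that address is in ignoreip, and the slow attacker at 192.0.2.50 is never banned because its attempts never accumulate to maxretry inside one findtime window.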

fail2ban does not replace proper authentication (strong passwords, key-based auth) or rate limiting at the application or load-balancer layer, but it dramatically reduces log noise and script-kiddie bot traffic on publicly accessible SSH ports. Its limits follow from how it works: bans are per source IP, so a distributed attack or one that stays below maxretry within each findtime window is not caught, and a mistyped password from your own workstation is banned like any other, so put your management addresses in ignoreip and test a filter against a real log with fail2ban-regex before enabling it. On systems where you have moved SSH to a non-default port, or configured key-only auth, it is mostly a belt-and-braces measure—but still usually worth running.

Related terms: SSH, iptables, security

Discussed in:

Also defined in: Textbook of Linux