Fail2Ban
Intrusion prevention framework that bans IPs with too many failed authentication attempts.
About Fail2Ban
Fail2Ban is an intrusion prevention framework written in Python that monitors log files for patterns indicating malicious activity, such as repeated failed login attempts, and automatically bans the offending IP addresses by updating firewall rules. It is one of the most essential security tools on any Linux server exposed to the internet.
The tool works by scanning log files (such as /var/log/auth.log, /var/log/apache2/error.log, or /var/log/mail.log) for predefined patterns called filters. When a filter matches a configurable number of times within a specified time window, Fail2Ban executes an action, most commonly adding an iptables or nftables rule to block the offending IP for a set duration.
Fail2Ban ships with filters for dozens of common services: SSH, Apache, Nginx, Postfix, Dovecot, vsftpd, ProFTPD, named, and many more. For hosting servers, the SSH and mail service filters are particularly critical since brute-force attacks against these services are constant and relentless. Without Fail2Ban, a typical hosting server will see thousands of SSH login attempts per day from botnets.
Custom filters are straightforward to create using regular expressions. Hosting providers often write custom jails for their specific applications, such as cPanel login failures, WHM authentication, webmail brute-force attempts, and WordPress wp-login.php attacks. The flexibility to monitor any log file with any pattern makes Fail2Ban adaptable to virtually any security scenario.
Fail2Ban also supports progressive banning, where repeat offenders receive increasingly longer ban durations. The bundled fail2ban-client command-line tool allows real-time inspection of ban status, manual banning and unbanning, and automation through scripts. The daemon is lightweight, consuming minimal CPU and memory even on busy servers.
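The matching and windowing logic described above, reduced to a short Python model (an added example, not Fail2Ban's own code): it replays constructed sshd log lines through a failregex-style pattern, counts matches per IP inside findtime, fires a ban once maxretry is reached, and doubles the duration for repeat offenders in the spirit of bantime.increment. The log lines, the year used for timestamps and the doubling rule are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in sshd's syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:05 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:00:20 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 10:12:00 web1 sshd[2150]: Failed password for root from 203.0.113.7 port 51100 ssh2
Mar  3 10:12:04 web1 sshd[2152]: Failed password for root from 203.0.113.7 port 51101 ssh2
Mar  3 10:12:08 web1 sshd[2154]: Failed password for root from 203.0.113.7 port 51102 ssh2
Mar  3 10:30:00 web1 sshd[2200]: Failed password for root from 198.51.100.9 port 33000 ssh2
Mar  3 10:50:00 web1 sshd[2300]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:55:00 web1 sshd[2310]: Failed password for root from 198.51.100.9 port 33002 ssh2
"""

# Shaped like a Fail2Ban failregex: the <HOST> placeholder becomes a named group.
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")

def evaluate_jail(log_text, maxretry=3, findtime=600, bantime=600, year=2024):
    """Replay a log through one jail and return {ip: [ban_seconds, ...]}.
    A ban fires when an IP reaches maxretry matches within findtime seconds;
    each repeat ban doubles the duration (assumed model of bantime.increment)."""
    failures = {}   # ip -> timestamps of matches still inside the findtime window
    bans = {}       # ip -> durations of bans issued so far, in order
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        t = TIMESTAMP.match(line)
        if not (m and t):
            continue   # lines that do not match the filter are ignored
        ts = datetime.strptime(f"{year} {t.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group("host")
        # Drop matches older than findtime, then record this one
        window = [x for x in failures.get(ip, []) if ts - x <= timedelta(seconds=findtime)]
        window.append(ts)
        if len(window) >= maxretry:
            prior = bans.setdefault(ip, [])
            prior.append(bantime * 2 ** len(prior))   # 600, 1200, 2400, ...
            window = []   # the counter resets once the action has fired
        failures[ip] = window
    return bans
```

With the defaults, 198.51.100.9 never gets banned because its three failures are spread over more than findtime; widening findtime to an hour catches it.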
Categories: Server Software, Security
Quick Facts
- Pricing: Open Source
- License: Open Source
- Platform: Linux
- Version: 1.1
- Developer: Fail2Ban Project
- Starting Price: $0.00