fail2ban – ban hosts that cause multiple authentication errors
Fail2ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Fail2ban allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a notification email.
By default, it comes with filter expressions for various services (sshd, apache, qmail, proftpd, sasl etc.), but the configuration can easily be extended to monitor any other text file. All filters and actions are given in the config files, so fail2ban can be adapted for use with a variety of files and firewalls. The following recommended packages are listed:
- iptables – the default installation uses iptables for banning. You most probably need it.
- whois – used by a number of mail-whois actions to send notification emails with whois information about attacker hosts. Unless you use those actions, you don't need whois.
- python3-pyinotify – unless you monitor service logs via systemd, you need pyinotify for efficient monitoring of log file changes.
Distribution | Base version | Our version | Architectures |
---|---|---|---|
Debian GNU/Linux 10.0 (buster) | 0.10.2-2.1 | | |
Debian GNU/Linux 11.0 (bullseye) | 0.11.2-2 | | |
Debian GNU/Linux 12.0 (bookworm) | 1.0.2-2 | | |
Debian GNU/Linux 9.0 (stretch) | 0.9.6-2 | 0.9.7-1~nd90+1 | i386, amd64, sparc, armel |
Debian testing (trixie) | 1.1.0-7 | | |
Debian unstable (sid) | 1.1.0-7 | 0.9.7-1~nd+1 | i386, amd64, sparc, armel |
Ubuntu 16.04 “Xenial Xerus” (xenial) | 0.9.3-1 | 0.9.7-1~nd16.04+1 | i386, amd64, sparc, armel |
Ubuntu 18.04 “Bionic Beaver” (bionic) | 0.10.2-2 | | |
Ubuntu 20.04 “Focal Fossa” (focal) | 0.11.1-1 | | |
Ubuntu 22.04 “Jammy Jellyfish” (jammy) | 0.11.2-6 | | |
Ubuntu 24.04 “Noble Numbat” (noble) | 1.0.2-3 | | |