Fail2ban can watch log files, block an IP address, and send you an instant message.

Fail2ban is a complete package

Fail2ban is different from swatch in the following ways:

  • Fail2ban installs as a complete service that starts on boot without further configuration.
  • Fail2ban works with the iptables firewall to block traffic from anyone who violates its rules.
  • Fail2ban can watch multiple log files without having to run multiple processes.

With all of those advantages, I see one disadvantage to using fail2ban:

  • Fail2ban expects an IP address or hostname in each log message. If you want to report on a message that does not include an IP address or a hostname, you will have to use a workaround.
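
A simplified model of this limitation, added here as an illustration and not taken from fail2ban's own code or from this page: the `<HOST>` tag in a failregex is replaced by a host-capturing pattern, and only lines where it captures something can count toward a ban. The log format, `HOST_RE`, the failregex, and the `MAXRETRY`/`FINDTIME` values are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the host pattern substituted for <HOST>
# (IPv4 or a dotted hostname only; an assumption for this example).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"

# Hypothetical failregex for a constructed chat-server log format.
FAILREGEX = r"rate limit exceeded from <HOST>$"

MAXRETRY = 3                       # failures needed before a ban
FINDTIME = timedelta(seconds=60)   # window in which they must occur

# Constructed sample log lines, not from a real system.
SAMPLE_LOG = """\
2020-11-11 10:00:01 chatd: rate limit exceeded from 203.0.113.7
2020-11-11 10:00:05 chatd: rate limit exceeded from 203.0.113.7
2020-11-11 10:00:09 chatd: disk usage above 90 percent
2020-11-11 10:00:12 chatd: rate limit exceeded from 198.51.100.4
2020-11-11 10:00:20 chatd: rate limit exceeded from 203.0.113.7
2020-11-11 10:05:00 chatd: rate limit exceeded from 198.51.100.4
"""

def scan(log_text):
    """Return (hosts that would be banned, lines that matched no host)."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
    recent = defaultdict(deque)    # host -> failure timestamps inside FINDTIME
    banned, unmatched = [], []
    for line in log_text.splitlines():
        when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        match = pattern.search(line)
        if match is None:
            unmatched.append(line)  # no host captured, so nothing to ban
            continue
        hits = recent[match.group("host")]
        hits.append(when)
        while when - hits[0] > FINDTIME:
            hits.popleft()          # forget failures older than FINDTIME
        if len(hits) >= MAXRETRY and match.group("host") not in banned:
            banned.append(match.group("host"))
    return banned, unmatched

if __name__ == "__main__":
    banned, unmatched = scan(SAMPLE_LOG)
    print("would ban:", banned)
    print("no host, so no ban target:", unmatched)
```

The disk-usage line is worth alerting on, but it carries no address, so it never reaches the counting step; that is the case that needs a workaround.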

Fail2ban is used by

If you watch the messages in our monitor chatroom, you will sometimes see that fail2ban has blocked someone.

Someone tried to send too many messages too quickly and got blocked by fail2ban.

Fail2ban reacts in real time, blocking the offender's IP address and sending a text message. This is a powerful tool for keeping a web service going.

Installing fail2ban

Just use your package manager to install fail2ban on Linux.

apt install fail2ban

Starting, Stopping, Status

# Start fail2ban
service fail2ban start

# Stop fail2ban
service fail2ban stop

# Is fail2ban running?
service fail2ban status

Blocking an IP Address with Fail2Ban

Let’s configure our first jail that blocks an IP address.

Not Blocking

Let’s configure fail2ban to watch a log, but not block an IP address.

Fail2ban Client

When you need to know what fail2ban is doing, use the client.

Last modified November 11, 2020