fail2ban

Fail2ban can watch log files, block an IP address, and send you an instant message.

Fail2ban is a complete package

Fail2ban is different from swatch in the following ways:

  • Fail2ban installs as a complete service that will start on boot without further configuration
  • Fail2ban works with the iptables firewall to block traffic from anyone who violates its rules
  • Fail2ban can watch multiple log files without having to run multiple processes

With all of those advantages, I see one disadvantage to using fail2ban:

  • Fail2ban expects an IP address or hostname in each log message. If you want to report on a message that does not include an IP address or a hostname, you will need a workaround to use fail2ban.
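
The requirement above, as a simplified Python model added here for illustration (it is not fail2ban's own code and not from this page). The log format, the HOST pattern and the function names are assumptions; <HOST>, maxretry and findtime are fail2ban's own filter and jail terms.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in (assumption) for fail2ban's <HOST> tag: IPv4 address or hostname.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"

def compile_failregex(pattern):
    """Expand <HOST> in a filter-style failregex; refuse patterns without it."""
    if "<HOST>" not in pattern:
        raise ValueError("failregex has no <HOST>: nothing to ban")
    return re.compile(pattern.replace("<HOST>", HOST))

def find_bans(lines, failregex, maxretry=3, findtime=60):
    """Return hosts that reach maxretry matches within findtime seconds, in ban order."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)  # host -> timestamps of recent matches
    banned = []
    for line in lines:
        stamp, _, message = line.partition(" app: ")
        m = rx.search(message)
        if not m:
            continue  # no host captured, so this line can never lead to a ban
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        seen = hits[m.group("host")]
        seen.append(when)
        while when - seen[0] > window:  # forget matches older than findtime
            seen.popleft()
        if len(seen) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return banned

# Constructed sample log (documentation addresses from RFC 5737).
SAMPLE_LOG = [
    "2020-11-11 10:00:01 app: rate limit exceeded from 203.0.113.7",
    "2020-11-11 10:00:02 app: rate limit exceeded from 203.0.113.7",
    "2020-11-11 10:00:03 app: rate limit exceeded",  # no address logged
    "2020-11-11 10:00:04 app: rate limit exceeded from 198.51.100.9",
    "2020-11-11 10:00:05 app: rate limit exceeded from 203.0.113.7",
    "2020-11-11 10:05:00 app: rate limit exceeded from 198.51.100.9",
    "2020-11-11 10:05:01 app: rate limit exceeded from 198.51.100.9",
]

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG, r"rate limit exceeded from <HOST>$"))
```

The constructed line without an address is never counted, and the second address is not banned under the default window because its matches fall more than findtime apart.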

Fail2ban is used by e2e.ee

If you watch the messages in our monitor chatroom, monitor.e2e.ee@e2e.chat, you will sometimes see that fail2ban has blocked someone.

Someone tried to send too many messages too quickly and got blocked by fail2ban.

Fail2ban reacts in real time, blocking the offender's IP address and sending a text message. This is a powerful tool for keeping a web service going.

Installing fail2ban

Just use your package manager to install fail2ban on Linux. For example, with apt:

apt install fail2ban

Starting, Stopping, Status

# Start fail2ban
service fail2ban start

# Stop fail2ban
service fail2ban stop

# Is fail2ban running?
service fail2ban status

Blocking an IP Address with Fail2Ban

Let’s configure our first jail that blocks an IP address.

Not Blocking

Let’s configure fail2ban to watch a log, but not block an IP address.

Fail2ban Client

When you need to know what fail2ban is doing, use the client.

Last modified November 11, 2020