How fail2ban works




Fail2ban helps protect a server from brute-force and Denial-of-Service (DoS) attacks.

  • Fail2ban is written in Python.
  • Fail2ban analyzes the server's logs. When it detects several unsuccessful connection attempts, it carries out the actions you have defined, such as blocking the IP address or sending an alert email.
  • Fail2ban is based on a system of jails that can be configured, enabled or disabled in a simple configuration file (/etc/fail2ban/jail.conf).

A jail is composed of the following elements:

  • Name of the log file to analyze.
  • Filter to apply to this log file.
  • Action to take if the filter matches.
  • Parameters to define: number of “matches” (maxretry), corresponding time interval (findtime), ban time (bantime), etc.


Here is the architecture of fail2ban:

Fail2ban architecture

When fail2ban is configured to monitor the logs of a service, it reads the log file and tries to match the failregex defined in the filter file. The filter is designed to identify authentication failures for that specific service through the use of regular expressions. When the failregex has matched maxretry times in the log file, the action is triggered.

By default, action is taken when 3 authentication failures have been detected in 10 minutes, and the default ban time is 10 minutes. The default number of authentication failures necessary to trigger a ban is overridden in the SSH portion of the default configuration file to allow 6 failures before the ban takes place. All of this is configurable by the administrator in the jail.conf file.
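
A simplified model of the match-and-count loop described above, added here as an illustration; it is not fail2ban's own code. The regular expression, the function name find_bans and the sample log lines are constructed for this example, and the thresholds default to the values quoted above (3 failures in 10 minutes, 10-minute ban).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for a filter's failregex (assumption: not fail2ban's shipped sshd filter)
FAILREGEX = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_bans(lines, maxretry=3, findtime=600, bantime=600):
    """Return [(ip, ban_start, ban_end)] for an ordered sequence of log lines."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}               # ip -> moment the current ban expires
    bans = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                # not an authentication failure
        ts = datetime.fromisoformat(m["ts"])
        ip = m["host"]
        if ip in banned_until and ts < banned_until[ip]:
            continue                # still banned, nothing new to count
        hits = failures[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()          # forget failures older than findtime
        if len(hits) >= maxretry:   # threshold reached: this is where the action fires
            end = ts + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.append((ip, ts, end))
            hits.clear()
    return bans

# Constructed sample log lines (documentation IP ranges)
SAMPLE_LOG = [
    "2024-05-01T10:00:00 srv sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "2024-05-01T10:00:05 srv sshd[102]: Accepted password for alice from 198.51.100.4 port 40002 ssh2",
    "2024-05-01T10:01:00 srv sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2",
    "2024-05-01T10:02:00 srv sshd[104]: Failed password for bob from 198.51.100.9 port 40004 ssh2",
    "2024-05-01T10:03:00 srv sshd[105]: Failed password for root from 203.0.113.7 port 40005 ssh2",
    "2024-05-01T10:20:00 srv sshd[106]: Failed password for bob from 198.51.100.9 port 40006 ssh2",
    "2024-05-01T10:25:00 srv sshd[107]: Failed password for bob from 198.51.100.9 port 40007 ssh2",
]

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

With the default thresholds only 203.0.113.7 is banned: the three failures from 198.51.100.9 are spread over more than findtime, so its counter never reaches maxretry.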

To install and configure fail2ban, read the next post: Install and configure Fail2ban with Docker