Fail2ban is an intrusion prevention system, written in Python and developed over 10 years by Cyril Jaquier, Arturo Busleiman and many other contributors.
On Linux systems, this program runs as a background service which actively parses a definable range of system logs. Suspicious or repeated failed authentication requests are identified by means of application-specific regular expression (REGEX) filters. A filter’s action generally results in the automatic generation of IP address blocks. The length of a block can be set according to a bundled algorithm or manually.
Fail2ban is an active project whose files may be found in a few locations
If you are interested in learning Python, see this related post
Installation on Debian systems (e.g. Ubuntu)
Debian distributions should include fail2ban in their main repositories; however, this is generally not the latest version.
For the purpose of this short guide, the 0.11.x development branch will be used.
The principal requirements are Python3, the pip package manager for Python3 and a few non-default Python packages.
To set up the required additional packages run the following
If you receive any locale-based errors on a Debian system, you can fix your language settings rather quickly. Uncomment your desired locale (language set), then regenerate the associated files.
Pulling the latest build from GitHub
Once you’ve navigated into a new folder made for this purpose, pulling the latest build from GitHub is done as follows.
Compiling necessary components
Enter the newly created fail2ban directory and begin the first step of the installation. This passes the --install flag to the included Python setup script.
fail2ban on your system
A default configuration is now included at /etc/fail2ban/jail.conf; however, this will be overwritten during any upgrade. It will be duplicated and renamed so that it persists across any future upgrades.
In order to enable the daemon to start automatically during a system reboot, a series of pre-bundled start-up scripts are included in the files subfolder of the original GitHub folder that was pulled. Note that these are environment-specific.
For Debian-based systems (like Ubuntu), the appropriate file is called debian-initd and must be renamed/copied into the init.d system folder. Once copied, update-rc.d is called to process the change.
Fail2ban activity should now be available at this location:
In order for fail2ban to actually write IP block rules, it needs to know where to look and for what. This is a modular system where each application has its own filter and action rule set.
Jails are application-specific configurations which apply jail-specific REGEX filtering rules.
A baseline jail that should be enabled is [sshd] (SSH daemon service). It parses the server’s auth.log for abusive, failed and potentially malicious SSH login attempts.
Jails are outlined in our global configuration file. However, each requires an enabled = true flag to function.
- SSHD Jail
logpath can be modified to any non-standard location if desired. Depending on the fail2ban version installed, these fields can vary in their default options. Consider verifying your version-specific documentation.
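How a jail such as [sshd] turns auth.log lines into bans, as an added example that is not part of the original guide or of fail2ban's own code. The regex is a simplified stand-in for the shipped sshd filter, the log lines and addresses are constructed, and maxretry and findtime model the fail2ban options of the same name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2024  # assumption: syslog timestamps carry no year, so one is supplied

# Simplified stand-in for an sshd failure filter (not fail2ban's shipped regex).
# It is anchored at both ends so that only the address directly before
# "port N ssh2" is captured, never text that appears inside the user name field.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*?) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample of auth.log lines (documentation address ranges only).
SAMPLE_LOG = """\
Mar 14 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 14 10:00:04 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar 14 10:00:09 srv sshd[1203]: Accepted password for alice from 192.0.2.44 port 51022 ssh2
Mar 14 10:00:12 srv sshd[1204]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.5 port 40120 ssh2
Mar 14 10:01:00 srv sshd[1207]: Failed password for bob from 192.0.2.44 port 51030 ssh2
Mar 14 10:30:00 srv sshd[1300]: Failed password for bob from 192.0.2.44 port 51031 ssh2
Mar 14 10:45:00 srv sshd[1301]: Failed password for bob from 192.0.2.44 port 51032 ssh2
"""


def scan(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {host: time of ban} for hosts with maxretry failures inside findtime."""
    recent = defaultdict(deque)  # host -> timestamps of failures still in the window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or m["host"] in banned:
            continue  # not a failure line, or the host is already blocked
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[m["host"]] = ts
    return banned


if __name__ == "__main__":
    for host, when in scan(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Widening findtime changes the outcome for 192.0.2.44, whose three failures are spread over 44 minutes, which is why both values need tuning per service.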
To manually update or modify the REGEX filters used by each jail, edit the respective filter file located at
Additional application-specific jails