Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Fail2ban is a log parser: it cannot act on anything until it has been written to a log file.

See also: Security - Abuse Detection



fail2ban-client --version
Fail2Ban v0.9.7


Fail2ban's own logging is configured in fail2ban.conf. Example of the resulting log:




2019-11-04 19:48:06,119 fail2ban.server         [3291]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-11-04 19:48:06,120 fail2ban.database       [3291]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-11-04 19:48:06,124 fail2ban.database       [3291]: WARNING New database created. Version '2'
2019-11-04 19:48:06,126 fail2ban.jail           [3291]: INFO    Creating new jail 'sshd'
2019-11-04 19:48:06,147 fail2ban.jail           [3291]: INFO    Jail 'sshd' uses systemd {}
2019-11-04 19:48:06,165 fail2ban.jail           [3291]: INFO    Initiated 'systemd' backend
2019-11-04 19:48:06,167 fail2ban.filter         [3291]: INFO    Set maxRetry = 5
2019-11-04 19:48:06,168 fail2ban.filter         [3291]: INFO    Set jail log file encoding to UTF-8
2019-11-04 19:48:06,168 fail2ban.actions        [3291]: INFO    Set banTime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set findtime = 600
2019-11-04 19:48:06,169 fail2ban.filter         [3291]: INFO    Set maxlines = 10
2019-11-04 19:48:06,250 fail2ban.filtersystemd  [3291]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-11-04 19:48:06,272 fail2ban.jail           [3291]: INFO    Jail 'sshd' started



Fail2ban has four configuration file types in /etc/fail2ban/:

Distribution      Custom (local)            Description
fail2ban.conf     fail2ban.local            Fail2Ban global configuration (such as logging)
filter.d/*.conf   NA                        Filters specifying how to detect authentication failures
action.d/*.conf   NA                        Actions defining the commands for banning and unbanning an IP address
jail.conf         /etc/fail2ban/jail.local  Jails defining combinations of Filters with Actions


  • custom (.local) files are where your customizations should be saved (only the settings you want to change).
  • distribution (.conf) files are the files shipped with the installation and should not be modified.

A .local file overrides the configuration of the matching .conf file. Customization should be done in .local files because the .conf files may be overwritten by the next release.

Order of precedence

From least to most important:

  • jail.conf
  • jail.d/*.conf (in alphabetical order)
  • jail.local
  • jail.d/*.local (in alphabetical order).


The section of the configuration file defines the scope of each property, i.e.:

  • global, section [DEFAULT]: default properties (i.e. for all services)
  • by jail, section [jail]: properties for only the jail ''jail'' (i.e. for that one service)
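As an added illustration (not from the original page or from fail2ban's own code), this Python model reproduces the precedence order above and the [DEFAULT]/[jail] scoping: constructed jail.conf, jail.d/*.conf, jail.local and jail.d/*.local layers are written to a temporary directory and read in that order with the standard configparser, not fail2ban's loader; %()s interpolation is disabled so the constructed files can stay minimal.

```python
import configparser
import glob
import os
import tempfile

# Constructed layers (not real fail2ban files), keyed by path relative to /etc/fail2ban.
# Each layer deliberately re-sets a value that a less important layer already set.
LAYERS = {
    "jail.conf": "[DEFAULT]\nbantime = 600\nfindtime = 600\nmaxretry = 5\n\n[sshd]\nport = ssh\n",
    "jail.d/10-site.conf": "[DEFAULT]\nbantime = 1800\n",
    "jail.local": "[DEFAULT]\nmaxretry = 3\n\n[sshd]\nenabled = true\nbantime = 3600\n",
    "jail.d/20-override.local": "[sshd]\nport = 2222\n",
}

def load_jails(root):
    """Read the layers from least to most important; a later file overrides an earlier one."""
    order = ([os.path.join(root, "jail.conf")]
             + sorted(glob.glob(os.path.join(root, "jail.d", "*.conf")))   # alphabetical
             + [os.path.join(root, "jail.local")]
             + sorted(glob.glob(os.path.join(root, "jail.d", "*.local"))))  # alphabetical
    parser = configparser.ConfigParser(interpolation=None)  # no %(...)s expansion here
    parser.read(order)  # missing files are silently skipped, as with an absent jail.local
    return parser

def effective(root, jail):
    """Effective settings of one jail: the [jail] section wins, [DEFAULT] fills the rest."""
    return dict(load_jails(root)[jail])

def demo():
    """Write the constructed layers to a temp dir and return the effective [sshd] settings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in LAYERS.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return effective(root, "sshd")
```

In the result, port comes from jail.d/20-override.local, bantime from the [sshd] section of jail.local (beating the [DEFAULT] value raised by jail.d/10-site.conf), and findtime is the untouched jail.conf default.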


Ban conditions

To be banned, a host must produce maxretry failed authentications within the findtime window.


  • maxretry: the number of failed attempts
  • findtime: the time window, in seconds

Ban Properties

  • bantime: the ban duration, in seconds, before the ban is lifted. See the new feature in 0.11, bantime.increment, to increase the bantime automatically.
# default 10 minutes
bantime = 600
# half an hour
bantime = 1800
  • port: the ports to ban
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
  • banaction: the default ban method, used in the definition of an action
# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc)
# This variable is used in the action_* variables.
banaction = iptables-multiport

Ban Actions

  • The default action is action_ (see below for the meaning of this action)
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
  • All actions are defined with names of the form action_…. Example:
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]


  • action_mw: ban and send an e-mail with a whois report to destemail.
  • action_mwl: same as action_mw, and also e-mails the relevant log lines.
  • action_xarf


A jail is just the configuration for one service; it is activated with:

enabled = true


In the directory /etc/fail2ban/filter.d

These files contain the regular expressions that determine whether a line in the log is a failed authentication attempt.

ll /etc/fail2ban/filter.d
total 348
-rw-r--r-- 1 root root  442 May 11  2017 3proxy.conf
-rw-r--r-- 1 root root 3241 May 11  2017 apache-auth.conf
-rw-r--r-- 1 root root 2745 May 11  2017 apache-badbots.conf
-rw-r--r-- 1 root root 1273 May 11  2017 apache-botsearch.conf
-rw-r--r-- 1 root root  813 May 11  2017 apache-common.conf
-rw-r--r-- 1 root root  268 May 11  2017 apache-fakegooglebot.conf
-rw-r--r-- 1 root root  487 May 11  2017 apache-modsecurity.conf
-rw-r--r-- 1 root root  596 May 11  2017 apache-nohome.conf
-rw-r--r-- 1 root root 1187 May 11  2017 apache-noscript.conf
-rw-r--r-- 1 root root 2000 May 11  2017 apache-overflows.conf
-rw-r--r-- 1 root root  346 May 11  2017 apache-pass.conf
-rw-r--r-- 1 root root 1014 May 11  2017 apache-shellshock.conf


  • The [INCLUDES] section header specifies other filter files that are included:
    • before
    • or after


Filters are tested with the fail2ban-regex utility:

fail2ban-regex logFile filter
# example
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf



The filter sshd-basic is for light ban restrictions, whereas sshd-aggressive will ban indefinitely (for example, if someone tries to log in with an account that does not exist on the system or one that is forbidden: root, oracle, cisco, etc.). Check the file /etc/fail2ban/filter.d/sshd.conf.

filter = sshd-aggressive

enabled     = true
port        = 2222
filter      = sshd
logpath     = /var/log/auth.log
maxretry    = 3


  • 3 unsuccessful authentication attempts:
ssh [email protected]:2222
ssh [email protected]:2222
ssh [email protected]:2222
  • iptables should have been updated:
sudo iptables -S
-A fail2ban-ssh -s 304.0.258.15/32 -j REJECT --reject-with icmp-port-unreachable
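Added example (not from the page or from fail2ban itself) modelling what fail2ban-regex and the jail do in the sshd test above: a simplified sshd-style failregex, written for this example, is applied to constructed auth.log lines; then the maxretry/findtime/bantime rule from the ban conditions decides which hosts are banned and which iptables rule results. The regex, sample lines and IP addresses are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sshd failregex in the style of filter.d/sshd.conf (written for this example,
# not copied from fail2ban); as fail2ban does, <HOST> is replaced by a host pattern first.
FAILREGEX = (r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
             r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed auth.log lines (syslog format, no year); the "Accepted" line must not match.
SAMPLE_LOG = """\
Nov  4 19:50:01 srv sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Nov  4 19:50:05 srv sshd[4102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Nov  4 19:50:09 srv sshd[4103]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2
Nov  4 19:50:12 srv sshd[4104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Nov  4 19:55:00 srv sshd[4105]: Failed password for root from 198.51.100.2 port 40010 ssh2
Nov  4 20:30:00 srv sshd[4106]: Failed password for root from 198.51.100.2 port 40012 ssh2
Nov  4 20:31:00 srv sshd[4107]: Failed password for root from 198.51.100.2 port 40014 ssh2
"""

def matches(lines, year=2019):
    """What fail2ban-regex reports: (timestamp, host) for every line the failregex matches."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group("host")

def simulate(lines, maxretry=3, findtime=600, bantime=600):
    """Apply the jail rule: maxretry failures inside a sliding findtime window => ban for bantime."""
    recent = defaultdict(deque)  # host -> timestamps of failures still inside the window
    bans = []
    for ts, host in matches(lines):
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()     # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans.append({"host": host, "at": ts, "until": ts + timedelta(seconds=bantime)})
            window.clear()       # the counter restarts after a ban
    return bans

def ban_rule(host, chain="fail2ban-ssh"):
    """The iptables rule the default banaction leaves behind, as listed by iptables -S."""
    return f"-A {chain} -s {host}/32 -j REJECT --reject-with icmp-port-unreachable"
```

With the defaults, 203.0.113.7 is banned at its third failure (19:50:12) for 600 seconds, while 198.51.100.2 never has three failures inside one 600-second window; raising findtime to 3600 bans it as well.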

Documentation / Help

