Fail2Ban: Daemon to ban hosts from repeated authentication errors
Log-based intrusion prevention via dynamic firewall management.
Fail2Ban is a Python-based intrusion prevention daemon that monitors system log files for patterns indicating malicious behavior and automatically updates firewall rules to block offending hosts. The system employs regular expression pattern matching against log entries to detect repeated authentication failures or other suspicious activity, then invokes backend handlers to modify firewall configurations through iptables, pf, or other packet filtering systems. It operates through a modular architecture of filters, which define the patterns to match in log files, and actions, which specify the defensive responses to take when thresholds are exceeded. The daemon supports both IPv4 and IPv6 address families and can be configured with custom jails that monitor arbitrary log sources and trigger time-limited or permanent bans based on administrator-defined criteria. This event-driven approach provides automated defense against brute-force attacks and distributed scanning attempts without requiring manual intervention or complex real-time traffic analysis.
Log-Based Detection System
Analyzes existing system logs without requiring application modifications or agent installation. Supports any text-based log format through configurable regex patterns, enabling protection for legacy services and custom applications.
Automatic Firewall Management
Directly updates iptables, pf, or other firewall backends to block attackers in real time. Temporary bans expire automatically after a configurable timeout, so legitimate users who failed authentication are not blocked permanently.
File-Based Configuration Framework
Ships with pre-built filters for common services like SSH, Apache, and Nginx. Custom jails and filters are defined through configuration files without code changes, allowing teams to protect new services by writing pattern definitions.
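The detection loop described above (regex match on a log line, failure count inside a time window, time-limited ban) as a runnable sketch. This is an added example, not Fail2Ban's own code: the names mirror the maxretry, findtime and bantime jail options, the HOST pattern is a simplified stand-in for the <HOST> tag, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for Fail2Ban's <HOST> tag: one IPv4 or IPv6 literal.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)"
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                       r"from <HOST> port \d+".replace("<HOST>", HOST))

MAXRETRY = 3                       # failures that trigger a ban
FINDTIME = timedelta(minutes=10)   # sliding window in which failures are counted
BANTIME = timedelta(minutes=10)    # how long a ban lasts

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
2024-05-01 10:00:01 srv sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2024-05-01 10:00:05 srv sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
2024-05-01 10:01:30 srv sshd[814]: Accepted password for alice from 198.51.100.9 port 51001 ssh2
2024-05-01 10:02:10 srv sshd[815]: Failed password for root from 203.0.113.7 port 40114 ssh2
2024-05-01 10:20:00 srv sshd[816]: Failed password for bob from 2001:db8::5 port 52000 ssh2
2024-05-01 10:45:00 srv sshd[817]: Failed password for bob from 2001:db8::5 port 52001 ssh2
2024-05-01 10:46:00 srv sshd[818]: Failed password for bob from 2001:db8::5 port 52002 ssh2
"""

def find_bans(log_text):
    """Return [(host, ban_start, ban_end)] for hosts reaching MAXRETRY within FINDTIME."""
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if not match:
            continue                # line is not an authentication failure
        when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        host = match.group("host")
        if banned_until.get(host, when) > when:
            continue                # ban still active: do not count again
        recent = failures[host]
        recent.append(when)
        while when - recent[0] > FINDTIME:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= MAXRETRY:
            banned_until[host] = when + BANTIME
            bans.append((host, when, when + BANTIME))
            recent.clear()
    return bans

if __name__ == "__main__":
    for host, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {host} from {start} until {end}")
```

The IPv6 host is not banned because its first failure falls out of the 10-minute window before the third one arrives.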
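from fail2ban.client.csocket import CSocket
# Connect to the Fail2Ban server's default control socket
client = CSocket()
# send() transmits the command and returns the server's reply
response = client.send(["status", "sshd"])
# The reply is a (return code, payload) pair; code 0 means success,
# and the payload is the jail status, which includes the banned IP list
if response[0] == 0:
    print(f"Banned IPs: {response[1]}")
Major version adds Python 3.12/3.13 compatibility; Debian package now ships without test suite or fail2ban.test module.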
- Upgrade to this release if you run Fail2Ban on Python 3.12 or 3.13, to avoid compatibility issues.
- Note that the Debian package no longer includes fail2ban-testcases or the fail2ban.test module for testing.
Patch release fixing a regression in the dovecot filter (#3370); no breaking changes or new requirements noted.
- Update to resolve dovecot-filter regression introduced in 1.0.x that may have caused missed bans or false positives.
- Debian packages now ship without the test suite (fail2ban-testcases module removed from distribution).
Major version claims performance and stability improvements; release notes lack specifics on breaking changes or requirements.
- Review the ChangeLog before upgrading as the release notes do not detail breaking changes or migration steps.
- Note that Debian packages now exclude the test suite (fail2ban-testcases module) in Python 3 builds.
Related Repositories
Discover similar tools and frameworks used by developers
httpx
Fast HTTP probing with response metadata extraction.
spiderfoot
Python reconnaissance framework with 200+ OSINT modules.
openssl
C-based cryptographic library implementing TLS, DTLS, and QUIC protocols.
sigma
YAML-based detection rules with SIEM query conversion.
gitleaks
Regex-based secret scanner for git repositories.