# Fail2Ban

Fail2Ban is an intrusion prevention tool that monitors log files for suspicious activity and automatically bans offending IP addresses. When it detects patterns like repeated failed SSH login attempts, brute-force attacks on web applications, or authentication failures, it updates firewall rules to block the source IP for a configurable duration.

The tool works through "jails"—configurations that define which log file to monitor, what regex patterns indicate malicious behavior, and what action to take (typically adding an iptables/nftables rule). Out of the box, Fail2Ban includes filters for SSH, Apache, Nginx, Postfix, and dozens of other services. You can write custom filters for any application that logs authentication failures.

For [[Self-hosting]], Fail2Ban is essential defense-in-depth. Any server exposed to the internet faces constant automated attacks—SSH brute-forcing starts within minutes of a new server going online. While strong passwords and key-based authentication are primary defenses, Fail2Ban reduces noise, saves resources, and adds another layer. Combined with [[Zero Trust Security]] principles and tools like [[Tailscale]], it helps secure self-hosted infrastructure.

## Related

- [[Secure Shell (SSH)]]
- [[Self-hosting]]
- [[Zero Trust Security]]
- [[Linux]]

## References

- https://www.fail2ban.org/
- https://github.com/fail2ban/fail2ban
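The jail mechanism described above (a failure regex with a host placeholder, a retry threshold inside a time window, then a timed ban) can be modelled in a few lines. This is an added illustration, not Fail2Ban's own code: the constants borrow the names of Fail2Ban's `maxretry`, `findtime` and `bantime` options, while `run_jail`, the IPv4-only `<HOST>` expansion and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative jail settings, named after Fail2Ban's maxretry/findtime/bantime.
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)

# Filter pattern in Fail2Ban style; <HOST> is expanded to a capture group
# (simplified here to IPv4 only, an assumption of this sketch).
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
2024-05-01T10:00:01 srv sshd[811]: Failed password for root from 203.0.113.5 port 40100 ssh2
2024-05-01T10:00:03 srv sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40102 ssh2
2024-05-01T10:00:04 srv sshd[813]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
2024-05-01T10:00:09 srv sshd[814]: Failed password for root from 203.0.113.5 port 40110 ssh2
2024-05-01T10:01:00 srv sshd[815]: Failed password for bob from 198.51.100.7 port 51010 ssh2
2024-05-01T10:30:00 srv sshd[816]: Failed password for bob from 198.51.100.7 port 51020 ssh2
2024-05-01T10:45:00 srv sshd[817]: Failed password for bob from 198.51.100.7 port 51030 ssh2
"""

def run_jail(log_text):
    """Return a list of (host, banned_at, unban_at) decisions for the log."""
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}               # host -> time the ban expires
    bans = []
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        match = PATTERN.search(rest)
        if not match:
            continue                # not a failure line for this filter
        now = datetime.fromisoformat(stamp)
        host = match.group("host")
        if banned_until.get(host, now) > now:
            continue                # ban still active; the firewall would drop it
        window = failures[host]
        window.append(now)
        while window and now - window[0] > FINDTIME:
            window.popleft()        # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[host] = now + BANTIME
            bans.append((host, now, banned_until[host]))
            window.clear()
    return bans
```

On the sample log, the host with three failures in eight seconds is banned, while the host whose three failures are spread over 44 minutes never has more than one failure inside the window and is left alone.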