Fail2ban

What is Fail2Ban?

Fail2Ban is an intrusion prevention tool that monitors suspicious login attempts in system logs and can be deployed on your on-premises infrastructure.

What exactly does it block?

Fail2Ban primarily protects against "brute force" attacks.

To determine if an activity is malicious, Fail2Ban analyzes login attempts and identifies specific patterns. Here are the common errors that trigger an alert and a ban:

• • Invalid user: Someone is trying to log in with random usernames (e.g., admin, root, test, guest). This is a typical sign of a bot testing username dictionaries.

  • Wrong password: A known user exists, but the entered password is incorrect. Too many attempts indicate a brute-force attack.

  • Authentication failure: A general error that occurs when the credentials provided do not match anything in the server’s secure database.

  • Failed public key authentication: Even if you use security keys (which are more secure than passwords), Fail2Ban blocks those who repeatedly attempt to present unauthorized keys.

If an IP address generates 5 failures within a 10-minute window, it is banned for 10 minutes