Fail2Ban: ban hosts that cause multiple authentication errors – GitHub


Fail2Ban: Banning hosts that cause multiple authentication failures

Fail2Ban scans log files such as /var/log/auth.log and prohibits IP addresses that make too many failed login attempts. To do this, it updates the system firewall rules to reject new connections from those IP addresses, for a configurable period of time. Fail2Ban comes ready-to-use ready to read many standard log files, such as those for sshd and Apache, and is easily configured to read any log file of your choice, for any errors you want.

Although Fail2Ban is able to reduce the rate of failed authentication attempts, it cannot eliminate the risk presented by weak authentication. Configure services to use only two-factor or public/private authentication mechanisms if you really want to secure services.

 687474703a2f2f7777772e776f726c64697076366c61756e63682e6f72672f77702d636f6e74656e742f7468656d65732f697076362f646f776e6c6f6f64732f576f726c645f495076365f6c61756e63685f6c6f676f2e737667 Because v0.10 fail2ban supports IPv6 address matching.

This README file is a quick introduction to Fail2Ban. Further documentation, FAQs, and HOWTOs can be found on fail2ban(1) manpage, Wiki, developer documentation, and the website:


Fail2Ban may already be packaged for distribution. In this case, you should use that instead.


: Python2 >= 2.7 or Python >= 3.2 or PyPy python-setuptools,

  • python-distutils or python3-setuptools for installation from source



  • pyinotify >= 0.8.3, may require: Linux >=
    • 2.6.13
  • gamin >=

  • 0.0.21
  • systemd

  • >= 204 and python bindings:
    • python-systemd package
  • dnspython

To install:

Alternatively, you can clone the GitHub feed to a directory of your choice and install from there. Choose the correct branch, for example, master or 0.11

This will install Fail2Ban in the python library directory. Executable scripts are placed in /usr/bin, and configuration in /etc/fail2ban.

Fail2Ban should now be installed correctly. Just type:

to see if everything is okay. You should always use fail2ban-client and never call fail2ban-server directly. You can verify that you have the correct version installed with

Please note that the system startup/service script is not installed automatically. To enable fail2ban as an automatic service, simply copy the script for distribution from the file directory to /etc/init.d. Example (on a Debian-based system):


You can configure Fail2Ban using the files in /etc/fail2ban. You can configure the server using commands sent by fail2ban-client. The available commands are described in the fail2ban-client(1) manual page. See also fail2ban(1) and jail.conf(5) for more references.

Code status

: <img

  • src=”″ alt=”test status” /> / test status (branch 0.11) / test status (branch 0.10)

  • Coverage status / Coverage status (0.11 branch) / Coverage status / (0.10 branch)

  • / (branch 0.11) / (branch 0.10)



Bugs, feature requests, discussions?


You just appreciated this program:

Send kudos to the original author (Cyril Jaquier) or better to the mailing list, as Fail2Ban has been “community-driven” for years now.

Thank you


View THANKS file

. License


Fail2Ban is

free software; you may redistribute and/or modify it under the terms of the GNU General Public License published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version


Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Fail2Ban; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110, USA

Contact US