Fail2Ban: Banning hosts that cause multiple authentication failures
Fail2Ban scans log files such as /var/log/auth.log and prohibits IP addresses that make too many failed login attempts. To do this, it updates the system firewall rules to reject new connections from those IP addresses, for a configurable period of time. Fail2Ban comes ready-to-use ready to read many standard log files, such as those for sshd and Apache, and is easily configured to read any log file of your choice, for any errors you want.
Although Fail2Ban is able to reduce the rate of failed authentication attempts, it cannot eliminate the risk presented by weak authentication. Configure services to use only two-factor or public/private authentication mechanisms if you really want to secure services.
Because v0.10 fail2ban supports IPv6 address matching.
This README file is a quick introduction to Fail2Ban. Further documentation, FAQs, and HOWTOs can be found on fail2ban(1) manpage, Wiki, developer documentation, and the website: https://www.fail2ban.org
Installation:
Fail2Ban may already be packaged for distribution. In this case, you should use that instead.
Required
: Python2 >= 2.7 or Python >= 3.2 or PyPy python-setuptools,
- python-distutils or python3-setuptools for installation from source
Optional
:
- pyinotify >= 0.8.3, may require: Linux >=
- 2.6.13
- 0.0.21
- >= 204 and python bindings:
- python-systemd package
- dnspython
gamin >=
systemd
To install:
Alternatively, you can clone the GitHub feed to a directory of your choice and install from there. Choose the correct branch, for example, master or 0.11
This will install Fail2Ban in the python library directory. Executable scripts are placed in /usr/bin, and configuration in /etc/fail2ban.
Fail2Ban should now be installed correctly. Just type:
to see if everything is okay. You should always use fail2ban-client and never call fail2ban-server directly. You can verify that you have the correct version installed with
Please note that the system startup/service script is not installed automatically. To enable fail2ban as an automatic service, simply copy the script for distribution from the file directory to /etc/init.d. Example (on a Debian-based system):
Configuration:
You can configure Fail2Ban using the files in /etc/fail2ban. You can configure the server using commands sent by fail2ban-client. The available commands are described in the fail2ban-client(1) manual page. See also fail2ban(1) and jail.conf(5) for more references.
Code status
: travis-ci.org: <img
-
src=”https://camo.githubusercontent.com/04e4066549a5fa5785c2c3865cf9b33d91d406156b50a36c0c37c06d76d3daab/68747470733a2f2f7365637572652e7472617669732d63692e6f72672f6661696c3262616e2f6661696c3262616e2e7376673f6272616e63683d6d6173746572″ alt=”test status” /> /
(branch 0.11) /
(branch 0.10)
-
coveralls.io:
/
(0.11 branch) /
/ (0.10 branch)
-
codecov.io:
/
(branch 0.11) /
(branch 0.10)
Contact
:
Bugs, feature requests, discussions?
See CONTRIBUTING.md
You just appreciated this program:
Send kudos to the original author (Cyril Jaquier) or better to the mailing list, as Fail2Ban has been “community-driven” for years now.
Thank you
:
View THANKS file
. License
:
Fail2Ban is
free software; you may redistribute and/or modify it under the terms of the GNU General Public License published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version
.
Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Fail2Ban; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110, USA