fail2ban is a Python-based intrusion prevention tool that can protect various services on Linux. It works by analyzing system and application log files (e.g.,
) and taking actions (e.g., temporarily banning offending IP addresses) when abnormal activity is detected in the logs. To identify potential attack attempts, fail2ban relies on regular-expression-based filters. These filters can be enabled and customized to detect various attacks on different services, for example, brute-force SSH attacks from botnets, password-guessing attacks on web/FTP/database servers, webmail phishing attacks, port scanning attacks, etc. Upon detecting suspicious activity, fail2ban automatically blocks offending IP addresses using netfilter/iptables or TCP wrappers (
) for a user-configurable amount of time, with optional email notifications.