Self-Hosting Fail2Ban: Automated Intrusion Prevention
Fail2ban monitors log files and bans IPs that show malicious patterns. It is the first line of defense for any internet-facing server.
What Is Fail2ban?
Fail2ban watches log files for patterns that indicate attacks (like repeated failed login attempts) and automatically bans the offending IP address using firewall rules.
How It Works
1. Fail2ban reads log files (auth.log, nginx access log, etc.)
2. Matches lines against filter patterns (regex)
3. Counts matches per IP within a time window
4. If the count reaches the threshold (maxretry), bans the IP
5. Ban expires after configured time
Default Protection: SSH
Out of the box, fail2ban protects SSH:
Common Jails
SSH
The most important one. Brute-force SSH attacks are constant.
Enabled by default.
Nginx/Caddy
Ban IPs that generate too many 4xx errors (scanning for vulnerabilities).
WordPress
Ban IPs that fail wp-login.php authentication repeatedly.
Postfix
Ban IPs that fail SMTP authentication.
Custom Jail Example
[myapp]
enabled = true
logpath = /var/log/myapp/access.log
filter = myapp
maxretry = 5
findtime = 600
bantime = 3600
Filter file (/etc/fail2ban/filter.d/myapp.conf):
[Definition]
failregex = ^<HOST> .* 401 .*$
Bans an IP for 1 hour once it has produced 5 failed authentication attempts (401 responses) within 10 minutes.
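To see the counting rule above in action, here is an added example (not code from the page or from fail2ban itself) that applies the myapp failregex to a constructed log and replays fail2ban's maxretry/findtime/bantime logic. The log format, host names and the IPv4-only stand-in for <HOST> are assumptions; the 192.0.2.9 line shows that the loose .* pattern also matches a 200 response whose byte count happens to be 401.

```python
import re
from collections import defaultdict, deque

# Constructed sample log for the hypothetical "myapp" service, one request per line:
# "<client-ip> <epoch-seconds> <method> <path> <status> <bytes> -"
SAMPLE_LOG = """\
203.0.113.7 1700000000 POST /login 401 0 -
203.0.113.7 1700000030 POST /login 401 0 -
203.0.113.7 1700000060 GET /index 200 512 -
203.0.113.7 1700000090 POST /login 401 0 -
203.0.113.7 1700000120 POST /login 401 0 -
203.0.113.7 1700000150 POST /login 401 0 -
198.51.100.4 1700000000 POST /login 401 0 -
198.51.100.4 1700000500 POST /login 401 0 -
198.51.100.4 1700001000 POST /login 401 0 -
192.0.2.9 1700000010 GET /static/app.js 200 401 -
"""

# fail2ban expands <HOST> to a pattern covering IPv4, IPv6 and hostnames;
# this stand-in (an assumption for the example) matches dotted-quad IPv4 only.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = re.compile(r"^<HOST> .* 401 .*$".replace("<HOST>", HOST))

def parse_failures(log_text):
    """Yield (timestamp, host) for every line the page's failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield int(line.split()[1]), m.group("host")

def simulate_jail(log_text, maxretry=5, findtime=600, bantime=3600):
    """Ban a host once it has maxretry matches inside a sliding findtime
    window; the ban lasts bantime. Returns [(host, banned_at, expires_at)]."""
    recent = defaultdict(deque)   # host -> timestamps of recent matches
    banned_until = {}             # host -> expiry of an active ban
    bans = []
    for ts, host in sorted(parse_failures(log_text)):
        if banned_until.get(host, 0) > ts:
            continue              # the firewall would have dropped this request
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget matches older than findtime
        if len(window) >= maxretry:
            banned_until[host] = ts + bantime
            bans.append((host, ts, ts + bantime))
            window.clear()
    return bans
```

Only 203.0.113.7 gets banned: 198.51.100.4 spaces its failures 500 s apart, so the 600 s window never holds 5 of them. Tightening the regex to the status field (for example anchoring on the fields before it) removes the 192.0.2.9 false positive.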
Configuration Tips
Progressive Banning
Recidive jail: if an IP gets banned multiple times, ban it for longer:
[recidive]
enabled = true
bantime = 1w
findtime = 1d
maxretry = 3
Three bans in one day = banned for one week.
Whitelist
Don't ban yourself:
ignoreip = 127.0.0.1/8 ::1 your-home-ip
Email Notifications
Get notified when bans happen:
action = %(action_mwl)s
Deployment
Fail2ban runs on the host, not in a container (it needs access to iptables).
sudo apt install fail2ban
sudo systemctl enable fail2ban
For TinyPod servers, fail2ban comes pre-configured for SSH and web server protection.