explaingit

fail2ban/fail2ban

Analysis updated 2026-06-24

17,759 | Python | Audience · ops devops | Complexity · 3/5 | License | Setup · moderate

TLDR

Python daemon that scans server log files for failed logins and updates firewall rules to temporarily ban offending IP addresses.

Mindmap

mindmap
  root((fail2ban))
    Inputs
      Log Files
      Filter Rules
      Jail Config
    Outputs
      Firewall Bans
      Unban Events
      Notifications
    Use Cases
      Protect SSH
      Protect Web Logins
      Slow Credential Stuffing
    Tech Stack
      Python
      iptables
      systemd


What do people build with it?

USE CASE 1

Block repeated SSH brute-force attempts on a Linux server by enabling the sshd jail.

USE CASE 2

Protect a WordPress or Nginx login endpoint by writing a custom filter and jail.

USE CASE 3

Send Slack or email alerts when an IP gets banned for repeated failed logins.

USE CASE 4

Integrate Fail2Ban with nftables or firewalld to enforce bans on modern firewalls.

What is it built with?

Python, iptables, systemd

How does it compare?

| | fail2ban/fail2ban | smicallef/spiderfoot | deepseek-ai/janus |
|---|---|---|---|
| Stars | 17,759 | 17,744 | 17,728 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 3/5 | 3/5 | 4/5 |
| Audience | ops devops | ops devops | researcher |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate | Time to first run · 30min

Linux-only, needs root to edit firewall rules, and requires care so you do not lock yourself out.

GPLv2 license: free to use and modify, but any derivative work you distribute must also be released under GPLv2.

In plain English

Fail2Ban is a security daemon, a background program that runs on a server, that automatically blocks IP addresses (the numerical identifiers of machines on the internet) that are trying to break into your system by guessing passwords or credentials. The problem it addresses is brute-force and credential-stuffing attacks: automated tools on the internet constantly try to log into servers by repeatedly guessing usernames and passwords. Left unchecked, these attempts slow down your server and, if a password is weak, can succeed.

Fail2Ban works by watching log files, the records your server writes when things happen, and counting failed login attempts from each IP address. When a particular address fails too many times within a time window you configure, Fail2Ban updates your system's firewall rules to block all connections from that address for a configurable period. When the ban expires, the block is lifted.

It supports watching many common log sources out of the box, including the SSH service (which lets you log into a server remotely) and web servers, and can be configured to watch any log file you choose. It is written in Python and is typically installed via your Linux distribution's package manager. Configuration lives in files under /etc/fail2ban and can also be managed through a command-line client called fail2ban-client.

The README notes that while Fail2Ban reduces the frequency of brute-force attempts, it is not a substitute for strong authentication: two-factor or public-key authentication offer much stronger protection. It is licensed under the GNU General Public License version 2.
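The counting logic described above, as an added example that is not fail2ban's own code: a simplified model that replays constructed sshd-style log lines and records when an address would be banned and unbanned. The parameter names maxretry, findtime and bantime mirror fail2ban's jail options; the log lines, the regex and the replay function are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range IPs); assumes an ISO timestamp prefix.
SAMPLE_LOG = """\
2026-06-24T10:00:00 sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2
2026-06-24T10:00:20 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
2026-06-24T10:00:30 sshd[815]: Failed password for alice from 198.51.100.4 port 40022 ssh2
2026-06-24T10:00:40 sshd[811]: Failed password for root from 203.0.113.7 port 50141 ssh2
2026-06-24T10:01:00 sshd[815]: Accepted password for alice from 198.51.100.4 port 40030 ssh2
2026-06-24T10:20:00 sshd[820]: Failed password for bob from 198.51.100.4 port 40100 ssh2
2026-06-24T10:20:30 sshd[820]: Failed password for bob from 198.51.100.4 port 40101 ssh2
2026-06-24T10:45:00 sshd[811]: Failed password for root from 203.0.113.7 port 50200 ssh2
"""

# Simplified failure pattern for this sample only, not one of fail2ban's shipped filters.
FAILURE = re.compile(r"^\S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def replay(log_text, maxretry=3, findtime=timedelta(minutes=10),
           bantime=timedelta(minutes=30)):
    """Return (timestamp, 'ban' | 'unban', ip) tuples in the order they occur."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    banned_until = {}               # ip -> moment the ban expires
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        # Lift every ban that expired before this line was written.
        for ip, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
            if until <= ts:
                events.append((until, "unban", ip))
                del banned_until[ip]
        m = FAILURE.match(line)
        if not m or m.group(1) in banned_until:
            continue                # not a failure, or the address is already blocked
        ip = m.group(1)
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()        # forget failures older than the time window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            events.append((ts, "ban", ip))
            window.clear()
    return events
```

With the defaults, 198.51.100.4 is never banned: its three failures are spread over twenty minutes, so no three of them fall inside one findtime window.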

Copy-paste prompts

Prompt 1
Install Fail2Ban on Ubuntu and enable the sshd jail with a 1-hour ban after 5 failures.
Prompt 2
Write a Fail2Ban filter and jail to ban IPs that fail Nginx basic-auth 10 times in 10 minutes.
Prompt 3
Switch a Fail2Ban setup from iptables to nftables and verify the rules are correct.
Prompt 4
Set up Fail2Ban to send a Slack webhook every time an IP is banned or unbanned.
Prompt 5
Audit my current Fail2Ban jails and recommend tighter thresholds for SSH and web logins.

Frequently asked questions

What is fail2ban?

Python daemon that scans server log files for failed logins and updates firewall rules to temporarily ban offending IP addresses.

What language is fail2ban written in?

Mainly Python. The stack includes Python, iptables and systemd.

What license does fail2ban use?

GPLv2 license: free to use and modify, but any derivative work you distribute must also be released under GPLv2.

How hard is fail2ban to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is fail2ban for?

Mainly ops devops.


Verify against the repo before relying on details.