DailyGlimpse

Inside Fail2ban: How Automated Intrusion Detection Blocks SSH Attacks

AI
May 4, 2026 · 2:57 AM

Fail2ban is a powerful log-scanning tool that automatically bans IP addresses showing malicious behavior. In this lesson, we break down its four-stage detection loop: tailing log files, regex matching, counter incrementing, and ban enforcement.

The Detection Loop

Fail2ban operates in a continuous loop, checking log files for patterns that indicate an attack.

Stage 1 — Tail

Fail2ban constantly monitors log files (e.g., /var/log/auth.log) for new entries, similar to the tail -f command.

Stage 2 — Regex Match

Each new log line is checked against a set of predefined regular expressions (failregex). For example, a failed SSH login attempt like:

sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2

matches a failregex, capturing the IP address.

Stage 3 — Counter Increment

Fail2ban increments a failure counter for that IP within a sliding time window (findtime); failures older than findtime no longer count. If the counter reaches maxretry, it moves to Stage 4.

Stage 4 — Ban

An iptables or nftables rule is added to block the IP for a defined bantime. After the ban expires, the rule is removed.

Real Attack Example

The video traces a real brute‑force attempt: an attacker tried 10 SSH passwords in 30 seconds. After 5 failures (maxretry=5) within the findtime window of 300 seconds, Fail2ban banned the IP for 10 minutes, effectively stopping the attack.
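As an added illustration (not code from the article or from the Fail2ban project), here is the four-stage loop in Python, replaying the scenario above: the regex, the Jail class and the log line are constructed for this example, lines are fed in one at a time with a timestamp in place of a live tail, and the iptables commands are a simplified stand-in for Fail2ban's real action (which uses its own chain) and are recorded rather than executed.

```python
import re
from collections import defaultdict, deque
# Simplified failregex for the sshd line shown above (constructed for this example).
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

class Jail:
    def __init__(self, maxretry=5, findtime=300, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.bans = {}                      # host -> time at which the ban expires
        self.actions = []                   # firewall commands recorded, not executed

    def process(self, line, now):
        # Stages 2-4 for one line; real Fail2ban parses `now` out of the line's timestamp.
        self.expire(now)
        m = FAILREGEX.search(line)          # Stage 2: regex match, capturing the IP
        if not m:
            return None
        host = m.group("host")
        if host in self.bans:
            return "already banned"
        window = self.failures[host]        # Stage 3: sliding-window counter
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                # forget failures older than findtime
        if len(window) >= self.maxretry:    # Stage 4: ban once maxretry is reached
            self.bans[host] = now + self.bantime
            window.clear()
            self.actions.append(f"iptables -I INPUT -s {host} -j DROP")
            return "banned"
        return "counted"

    def expire(self, now):
        # Lift bans whose bantime has elapsed (Fail2ban does this on its own timer).
        for host, until in list(self.bans.items()):
            if now >= until:
                del self.bans[host]
                self.actions.append(f"iptables -D INPUT -s {host} -j DROP")

def simulate():
    # Replay the article's scenario: 10 failed logins in 30 s, then wait out the ban.
    jail = Jail(maxretry=5, findtime=300, bantime=600)
    line = "sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2"
    results = [jail.process(line, i * 3) for i in range(10)]  # one attempt every 3 s
    jail.expire(12 + 600)  # the ban was set at t=12; bantime of 600 s has elapsed
    return jail, results
```

Running simulate() shows the fifth failure at t=12 triggering the ban, the remaining five attempts being ignored, and the rule removed once bantime passes.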

This four‑stage pipeline makes Fail2ban a lightweight yet effective defense against unauthorized access.