Fail2ban Intrusion Prevention
Monitor logs and automatically ban IPs showing malicious signs with Fail2ban for Linux servers.
Overview
Fail2ban is intrusion prevention software that monitors log files for suspicious activity and automatically bans offending IP addresses by modifying firewall rules. It protects Linux servers against brute force attacks on SSH, HTTP authentication, mail servers, and any other service that produces log files with identifiable attack patterns.
The tool works by parsing log files (syslog, auth.log, nginx/Apache access logs) using configurable regex filters. When a filter matches a defined number of times within a time window, Fail2ban executes a ban action — typically adding an iptables or nftables rule to block the offending IP. Bans are temporary by default, with configurable ban durations and exponential backoff for repeat offenders.
Fail2ban comes with pre-configured filters for common services (sshd, nginx, apache, postfix, dovecot) and can be extended with custom filters for application-specific log formats. Actions can go beyond firewall rules to include email notifications, Slack alerts, or API calls to update external blocklists. The fail2ban-client CLI provides real-time monitoring of banned IPs, jail status, and manual ban/unban operations.
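The counting logic described above (a regex filter, a sliding findtime window, a maxretry threshold, and a growing ban duration for repeat offenders) is small enough to model end to end. The following is an added Python illustration, not code from Fail2ban or from this page; it replays constructed auth.log lines through a simplified jail using the sshd values from the jail.local below (maxretry 3, findtime 600, bantime 3600). The failregex is a simplified stand-in shaped like the sshd filter, the doubling of bantime is a simplification of Fail2ban's bantime.increment behaviour, and the IPs, hostnames and timestamps are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters, taken from the [sshd] section of the jail.local on this page.
MAXRETRY = 3
FINDTIME = 600    # seconds: failures must fall inside this window to count together
BANTIME = 3600    # seconds: length of the first ban

# Assumption: auth.log timestamps carry no year, so a fixed one is supplied for arithmetic.
LOG_YEAR = 2024

# Simplified failregex modelled on the shape of the sshd filter (not copied from Fail2ban).
# Real filters write <HOST>; here it is an explicit IPv4 capture group.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (not real traffic). 203.0.113.7 fails three times in 11 seconds,
# keeps trying while banned, then repeats after the ban expires; 198.51.100.9 fails three
# times but 20 minutes apart, so never three inside one findtime window.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:05 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 srv sshd[1207]: Accepted publickey for deploy from 198.51.100.2 port 40010 ssh2
Mar  3 10:00:12 srv sshd[1209]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:20:00 srv sshd[1300]: Failed password for root from 198.51.100.9 port 42000 ssh2
Mar  3 10:30:00 srv sshd[1320]: Failed password for root from 203.0.113.7 port 51100 ssh2
Mar  3 10:40:00 srv sshd[1350]: Failed password for root from 198.51.100.9 port 42001 ssh2
Mar  3 11:00:00 srv sshd[1400]: Failed password for root from 198.51.100.9 port 42002 ssh2
Mar  3 11:05:00 srv sshd[1450]: Failed password for root from 203.0.113.7 port 51200 ssh2
Mar  3 11:05:03 srv sshd[1452]: Failed password for root from 203.0.113.7 port 51201 ssh2
Mar  3 11:05:06 srv sshd[1454]: Failed password for root from 203.0.113.7 port 51202 ssh2
"""


def parse_syslog_time(line):
    """Parse the 'Mon DD HH:MM:SS' prefix of a syslog-style line."""
    stamp = " ".join(line.split()[:3])
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def run_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through a simplified jail.

    Returns {ip: [(ban_start, ban_end), ...]} for every IP that was banned at least once.
    """
    failures = defaultdict(deque)   # ip -> timestamps of matches inside the findtime window
    bans = defaultdict(list)        # ip -> list of (start, end) ban intervals
    ban_counts = defaultdict(int)   # ip -> how many times it has been banned

    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if not match:
            continue                # not a failure line; the filter ignores it
        ts = parse_syslog_time(line)
        ip = match.group("host")

        # While a ban is active the firewall rule drops the traffic, so the line
        # would not normally even be produced; treat it as already handled.
        if bans[ip] and bans[ip][-1][1] > ts:
            continue

        window = failures[ip]
        window.append(ts)
        # Forget failures older than findtime relative to this one.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()

        if len(window) >= maxretry:
            ban_counts[ip] += 1
            # Simplified backoff: each repeat ban doubles the previous duration.
            duration = bantime * 2 ** (ban_counts[ip] - 1)
            bans[ip].append((ts, ts + timedelta(seconds=duration)))
            window.clear()          # a fresh count starts after the ban

    return {ip: intervals for ip, intervals in bans.items() if intervals}


def ban_durations(bans):
    """Reduce run_jail() output to {ip: [seconds, ...]} for easy inspection."""
    return {ip: [int((end - start).total_seconds()) for start, end in iv]
            for ip, iv in bans.items()}


if __name__ == "__main__":
    result = run_jail(SAMPLE_LOG)
    for ip, intervals in result.items():
        for start, end in intervals:
            print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
    print(ban_durations(result))
```

Running it shows 203.0.113.7 banned at 10:00:12 for 3600 s and again at 11:05:06 for 7200 s, while 198.51.100.9 is never banned even though it also failed three times: findtime is what separates a burst from slow, spaced-out attempts, which is why lowering maxretry without also widening findtime leaves low-and-slow guessing untouched.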
Who Is This For?
- Block SSH brute force attempts automatically
- Protect Nginx/Apache from repeated failed login attempts
- Set up a custom jail for application-specific attack patterns
- Configure email alerts for banned IP addresses
Installation
Setup for Claude Code
sudo apt install fail2ban
Configuration
# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 7200