Monitor System Logs with fail2ban

The fail2ban program monitors system logs, looking for repeated failures from the same host. If it detects a problem, fail2ban can block the IP address of the offending host from accessing your system.

The fail2ban program monitors both system and application logs looking for problems. It watches common system log files such as the /var/log/pwdfail and /var/log/auth.log log files for multiple failed login attempts. When it detects a user account with too many failed login attempts, it blocks access from the host those attempts came from.

A great feature of fail2ban is that it can also monitor individual application log files, such as the /var/log/apache/error.log log file for the Apache web server. Just as with the system log files, if fail2ban detects too many connection attempts or errors coming from the same remote host, it will block access from that host.

The fail2ban configuration is stored in the /etc/fail2ban/jail.conf file. It defines the applications to monitor, where their log files are located, and what actions to take if it detects a problem.
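The following is an added example, not code from the original article or from the fail2ban project: a small Python reimplementation of what a fail2ban jail does with a log file, so the configuration parameters described above can be seen in action. The option names maxretry, findtime and bantime are real fail2ban jail options (in current installations, site overrides of /etc/fail2ban/jail.conf normally go in /etc/fail2ban/jail.local). Everything else is an assumption for illustration: the sshd "Failed password" regex is a simplified stand-in for a fail2ban filter's failregex, the sample auth.log lines are constructed, the syslog year is fixed because syslog timestamps carry none, and the iptables command string is a simplified stand-in for fail2ban's ban action and is only returned, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log-style lines (not from a real host).
# 203.0.113.7 fails three times in four seconds; 198.51.100.2 fails three
# times spread over forty minutes; 192.0.2.10 logs in successfully.
SAMPLE_AUTH_LOG = """\
Mar  2 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  2 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar  2 10:00:04 host sshd[1203]: Failed password for root from 198.51.100.2 port 51000 ssh2
Mar  2 10:00:05 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
Mar  2 10:00:06 host sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
Mar  2 10:20:00 host sshd[1206]: Failed password for root from 198.51.100.2 port 51001 ssh2
Mar  2 10:40:00 host sshd[1207]: Failed password for root from 198.51.100.2 port 51002 ssh2
"""

# Simplified stand-in for a fail2ban filter's failregex: capture the syslog
# timestamp and the remote host from an sshd "Failed password" line.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_timestamp(ts: str, year: int = 2001) -> datetime:
    """Parse a syslog timestamp; the year is assumed because syslog omits it."""
    normalized = " ".join(ts.split())  # collapse the double space in "Mar  2"
    return datetime.strptime(f"{year} {normalized}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text: str, maxretry: int = 3, findtime: int = 600) -> dict:
    """Return {host: failures} for hosts reaching maxretry failures inside findtime seconds.

    maxretry and findtime mirror the fail2ban jail options of the same name:
    a host is only flagged when enough failures fall within one sliding window.
    """
    windows = defaultdict(deque)  # host -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # not a failure line (e.g. a successful login)
        host = m.group("host")
        t = parse_timestamp(m.group("ts"))
        window = windows[host]
        window.append(t)
        # Forget failures older than findtime, so slow, spread-out failures
        # never accumulate to the threshold.
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in offenders:
            offenders[host] = len(window)
    return offenders


def ban_command(host: str, bantime: int = 600) -> str:
    """Simplified stand-in for fail2ban's iptables ban action (returned, not run)."""
    return f"iptables -I INPUT -s {host} -j REJECT  # unban after {bantime}s"


if __name__ == "__main__":
    for host, count in find_offenders(SAMPLE_AUTH_LOG).items():
        print(f"{host}: {count} failures within findtime -> {ban_command(host)}")
```

Run with the defaults and only 203.0.113.7 is flagged: 198.51.100.2 also fails three times, but its failures are twenty minutes apart, so the 600-second findtime window never holds more than one of them. Raising findtime to an hour flags both hosts, which is exactly the trade-off a jail's findtime and maxretry settings control.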

Published on Fri 02 March 2001 by Lai Yahui in Linux with tag(s): fail2ban logs