What does fail2ban do?

fail2ban watches your log files for repeated authentication failures from the same IP and, once a threshold is crossed, bans that IP at the firewall for a set time. It is the standard defense against the constant automated brute-force and credential-stuffing traffic every public server receives - SSH login attempts, web admin probes, and similar - turning a relentless stream of guesses into a quick ban.

Do I still need fail2ban if I use key-only SSH?

Key-only SSH already defeats password brute force, so fail2ban adds less there - but it still cuts log noise by banning the constant probers, and it is valuable for any service that does use passwords or tokens: web admin panels, mail, databases exposed to auth. Use it alongside key-only SSH and a firewall, not instead of them; layered defenses are the point.

Will fail2ban lock me out?

It can, if you fat-finger your own password enough times, which is why the generated config includes an ignoreip whitelist - add your own IP (and any office or VPN range) so you are never banned. Keep a second session open when you first enable it, and you can always unban an IP with fail2ban-client set unbanip .

Free tool · Runs in your browser

Auto-ban the brute-forcers.

Every public server is hammered by automated login attempts around the clock. Pick what to protect and get a fail2ban config that bans an IP after too many failures — with a whitelist for your own IP so you never lock yourself out.

Ban time

Failures before ban

Within (find time)

SSH port (for the sshd jail)

Always allow these IPs (whitelist, space-separated)

Protect SSH (sshd) Protect nginx auth (nginx-http-auth) Re-ban repeat offenders longer (recidive)

jail.local

install

The traffic you can just drop

A meaningful share of the traffic hitting any public server isn't users — it's bots methodically trying passwords against SSH, admin panels, and anything with a login. You can't stop them from knocking, but you can make it pointless: after a handful of failures, the door closes on that IP for hours. fail2ban automates exactly that, and it's a few lines of config to set up.

Banning brute-force IPs on one host is the per-box version of a bigger idea: watching for abuse, responding automatically, and keeping a record of who was banned and why — across everything you run. That fleet-wide awareness and response, on infrastructure you own, is what a control plane adds on top.

Related free tools

UFW firewall generatorLock down your server SSH hardening generatorLock down sshd_config nginx rate limit generatorCap abuse + brute force Security headers checkerGrade your headers

All free tools →

Drop the knock. See the pattern.

Infraveil watches auth-failure and abuse signals across every host you own, responds automatically, and keeps a tamper-evident record of what was blocked and when — defense you can inspect, on infrastructure you control.

See how it works

Get the server-hardening playbook

fail2ban, SSH, firewall, and the basics that stop most attacks on a box you own. No spam.