
Detecting Port Scanning with Fail2ban

When to Use

  • Automatically blocking IP addresses that perform port scans against internet-facing servers
  • Defending SSH, HTTP, FTP, and other services against brute-force attacks with automated IP banning
  • Creating custom detection filters for organization-specific attack patterns in log files
  • Reducing noise from automated scanning bots before traffic reaches IDS/IPS for deeper analysis
  • Implementing defense-in-depth by adding host-based automated response to network monitoring

Do not use as the sole network security control, for protecting against distributed attacks from many source IPs, or as a replacement for proper firewall rules and network segmentation.

Prerequisites

  • Fail2ban 0.11+ installed (fail2ban-client --version)
  • Root/sudo access for iptables/nftables manipulation
  • Services logging connection attempts to parseable log files (syslog, auth.log, access.log)
  • iptables or nftables installed and operational as the host firewall
  • Optional: SMTP server for email notifications on ban events
First Seen
Mar 18, 2026